- Author: YU-HSIANG HUANG, YUNG-HAO TSENG, Eddie TC CHANG
- Contact: huang.yuhsiang.phone@gmail.com; 0xuhaw@gmail.com; eddietcchang@gmail.com
- Product: DBNinja
- Version: 3.2.7
- Official Website: https://www.dbninja.com/
- Github: N/A
DBNinja ver 3.2.7 exist broken authentication vulnerability.
The attacker designed a URL with a specific sessid, if the victim browsed the URL and then logged into NinjaDB. The attacker can login to NinjaDB as the victim by using this sessid.
- Design a URL with a specific
sessid, and the victim browsed the URL.
Payload:http://127.0.0.1/dbninja/data.php?sessid=exploittest&action=ver
- Then the victim login as the admin account.
- An attacker can use the victim's permission to operate DBNinja.
