إرسال #844725: AojiaoZero Antaris latest (2026-06, no formal release) SQL Injectionالمعلومات

عنوانAojiaoZero Antaris latest (2026-06, no formal release) SQL Injection
الوصف Description: Antaris browser game (based on 2Moons engine) contains SQL injection in PayPal IPN payment handler (CWE-89) and hardcoded production database credentials (CWE-798). File: ipn.php Hardcoded credentials: SQL injection in _rewardPurchase(): $currency = $_POST['item_number']; mysql_query("UPDATE uni1_users SET darkmatter = darkmatter + ".$currency." WHERE id = '".mysql_real_escape_string($userId)."';"); $currency from PayPal POST data is directly concatenated into UPDATE without mysql_real_escape_string. IPN handler is publicly accessible (no auth). Exploitation: POST /ipn.php with manipulated item_number parameter containing SQL payload. Countermeasure: Use mysql_real_escape_string on all user input. Use prepared statements. Remove hardcoded credentials. CVSS 9.8.
المصدر⚠️ https://github.com/AojiaoZero/Antaris
المستخدم
 Dest1ny_2 (UID 98658)
ارسال01/06/2026 11:12 AM (1 شهر منذ)
الاعتدال11/07/2026 02:49 PM (1 month later)
الحالةتمت الموافقة
إدخال VulDB377809 [AojiaoZero Antaris 1.0 PayPal IPN Payment /ipn.php _rewardPurchase item_number حقن SQL]
النقاط20

Do you need the next level of professionalism?

Upgrade your account now!