提出 #844725: AojiaoZero Antaris latest (2026-06, no formal release) SQL Injection情報

タイトルAojiaoZero Antaris latest (2026-06, no formal release) SQL Injection
説明 Description: Antaris browser game (based on 2Moons engine) contains SQL injection in PayPal IPN payment handler (CWE-89) and hardcoded production database credentials (CWE-798). File: ipn.php Hardcoded credentials: SQL injection in _rewardPurchase(): $currency = $_POST['item_number']; mysql_query("UPDATE uni1_users SET darkmatter = darkmatter + ".$currency." WHERE id = '".mysql_real_escape_string($userId)."';"); $currency from PayPal POST data is directly concatenated into UPDATE without mysql_real_escape_string. IPN handler is publicly accessible (no auth). Exploitation: POST /ipn.php with manipulated item_number parameter containing SQL payload. Countermeasure: Use mysql_real_escape_string on all user input. Use prepared statements. Remove hardcoded credentials. CVSS 9.8.
ソース⚠️ https://github.com/AojiaoZero/Antaris
ユーザー
 Dest1ny_2 (UID 98658)
送信2026年06月01日 11:12 (1 月 ago)
モデレーション2026年07月11日 14:49 (1 month later)
ステータス承諾済み
VulDBエントリ377809 [AojiaoZero Antaris 1.0 PayPal IPN Payment /ipn.php _rewardPurchase item_number SQLインジェクション]
ポイント20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!