Submeter #844725: AojiaoZero Antaris latest (2026-06, no formal release) SQL Injectioninformação

TítuloAojiaoZero Antaris latest (2026-06, no formal release) SQL Injection
Descrição Description: Antaris browser game (based on 2Moons engine) contains SQL injection in PayPal IPN payment handler (CWE-89) and hardcoded production database credentials (CWE-798). File: ipn.php Hardcoded credentials: SQL injection in _rewardPurchase(): $currency = $_POST['item_number']; mysql_query("UPDATE uni1_users SET darkmatter = darkmatter + ".$currency." WHERE id = '".mysql_real_escape_string($userId)."';"); $currency from PayPal POST data is directly concatenated into UPDATE without mysql_real_escape_string. IPN handler is publicly accessible (no auth). Exploitation: POST /ipn.php with manipulated item_number parameter containing SQL payload. Countermeasure: Use mysql_real_escape_string on all user input. Use prepared statements. Remove hardcoded credentials. CVSS 9.8.
Fonte⚠️ https://github.com/AojiaoZero/Antaris
Utilizador
 Dest1ny_2 (UID 98658)
Submissão01/06/2026 11h12 (há 1 mês)
Moderação11/07/2026 14h49 (1 month later)
EstadoAceite
Entrada VulDB377809 [AojiaoZero Antaris 1.0 PayPal IPN Payment /ipn.php _rewardPurchase item_number Injeção SQL]
Pontos20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!