Отправить #844725: AojiaoZero Antaris latest (2026-06, no formal release) SQL InjectionИнформация

НазваниеAojiaoZero Antaris latest (2026-06, no formal release) SQL Injection
Описание Description: Antaris browser game (based on 2Moons engine) contains SQL injection in PayPal IPN payment handler (CWE-89) and hardcoded production database credentials (CWE-798). File: ipn.php Hardcoded credentials: SQL injection in _rewardPurchase(): $currency = $_POST['item_number']; mysql_query("UPDATE uni1_users SET darkmatter = darkmatter + ".$currency." WHERE id = '".mysql_real_escape_string($userId)."';"); $currency from PayPal POST data is directly concatenated into UPDATE without mysql_real_escape_string. IPN handler is publicly accessible (no auth). Exploitation: POST /ipn.php with manipulated item_number parameter containing SQL payload. Countermeasure: Use mysql_real_escape_string on all user input. Use prepared statements. Remove hardcoded credentials. CVSS 9.8.
Источник⚠️ https://github.com/AojiaoZero/Antaris
Пользователь
 Dest1ny_2 (UID 98658)
Представление01.06.2026 11:12 (1 месяц назад)
Модерация11.07.2026 14:49 (1 month later)
Статуспринято
Запись VulDB377809 [AojiaoZero Antaris 1.0 PayPal IPN Payment /ipn.php _rewardPurchase item_number SQL-инъекция]
Баллы20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!