提交 #844725: AojiaoZero Antaris latest (2026-06, no formal release) SQL Injection信息

标题AojiaoZero Antaris latest (2026-06, no formal release) SQL Injection
描述 Description: Antaris browser game (based on 2Moons engine) contains SQL injection in PayPal IPN payment handler (CWE-89) and hardcoded production database credentials (CWE-798). File: ipn.php Hardcoded credentials: SQL injection in _rewardPurchase(): $currency = $_POST['item_number']; mysql_query("UPDATE uni1_users SET darkmatter = darkmatter + ".$currency." WHERE id = '".mysql_real_escape_string($userId)."';"); $currency from PayPal POST data is directly concatenated into UPDATE without mysql_real_escape_string. IPN handler is publicly accessible (no auth). Exploitation: POST /ipn.php with manipulated item_number parameter containing SQL payload. Countermeasure: Use mysql_real_escape_string on all user input. Use prepared statements. Remove hardcoded credentials. CVSS 9.8.
来源⚠️ https://github.com/AojiaoZero/Antaris
用户
 Dest1ny_2 (UID 98658)
提交2026-06-01 11時12分 (1 月前)
管理2026-07-11 14時49分 (1 month later)
状态已接受
VulDB条目377809 [AojiaoZero Antaris 1.0 PayPal IPN Payment /ipn.php _rewardPurchase item_number SQL注入]
积分20

Interested in the pricing of exploits?

See the underground prices here!