Advanced Upload (PHP) Script 1.0.2 SQL Injection

2016-10-16T00:00:00
ID PACKETSTORM:139188
Type packetstorm
Reporter N_A
Modified 2016-10-16T00:00:00

Description

                                        
                                            `Advanced Upload (PHP) Script Version 1.0.2 MySQL Injection Vulnerabilities  
============================================================================  
  
  
  
  
Discovered by N_A, N_A[at]tutanota.com  
=======================================  
  
  
  
  
  
  
  
Description  
============  
  
An advanced PHP uploading script with MANY advanced features, including: registration, upload, manage uploads with folder  
and upload management, ...and MUCH MUCH more!!!  
  
  
https://sourceforge.net/projects/adv-uploads  
  
  
  
  
  
Vulnerabilities  
================  
  
Several SQL injection vulnerabilities exist that allow direct injection into the MySQL database.  
  
  
Files Affected  
===============  
  
login.php:  
  
  
if($_GET['action'] == 'check')  
{  
//find the user  
//vulnerable: $_POST['Uname'] is interpolated into the SQL string as-is  
$result = mysql_query("SELECT * FROM loginphp WHERE Uname='{$_POST['Uname']}'");  
$row = mysql_fetch_array( $result ); //set $row to result  
  
  
  
  
As we can see, the vulnerable variable is 'Uname', which is passed to the database via the POST method completely unchecked.  
  
  
  
  
  
forgotpass.php:  
  
  
if($_GET['action'] == 'email')  
{  
$_Email = $_POST['Email'];  
//vulnerable: $_Email is concatenated into the SQL string as-is  
$result = mysql_query("SELECT * FROM loginphp  
WHERE Email='" . $_Email . "'") or die(mysql_error());   
$row = mysql_fetch_array( $result );  
  
  
  
As we can see here, the 'Email' variable is passed to the database completely unchecked via the POST method.  
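
A parameterized form of the two lookups above, covering both login.php and forgotpass.php. This is an added example, not code from the advisory or from the project. The table and column names are taken from the excerpts; the function names, the sample rows and the in-memory SQLite database (a stand-in for MySQL, requires pdo_sqlite) are assumptions.

```php
<?php
// Added example: bound-parameter replacements for the two vulnerable queries.
// loginphp / Uname / Email come from the advisory; everything else is hypothetical.

function find_user_by_name(PDO $db, string $uname): ?array
{
    // The placeholder keeps the request value out of the SQL text entirely.
    $stmt = $db->prepare('SELECT * FROM loginphp WHERE Uname = :uname');
    $stmt->execute([':uname' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function find_user_by_email(PDO $db, string $email): ?array
{
    // Reject values that are not syntactically valid addresses before querying.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM loginphp WHERE Email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data. With the MySQL driver, also set
// PDO::ATTR_EMULATE_PREPARES to false so the server does the binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE loginphp (Uname TEXT, Email TEXT)');
$db->exec("INSERT INTO loginphp VALUES ('alice', 'alice@example.test')");
$db->exec("INSERT INTO loginphp VALUES ('o''neil', 'oneil@example.test')");

// Only accept a string from the request; array input (Uname[]=...) is discarded.
// Under the CLI $_POST is empty, so the constructed fallback value is used.
$uname = is_string($_POST['Uname'] ?? null) ? $_POST['Uname'] : "o'neil";

// A quote inside the value is matched as plain data, not parsed as SQL.
var_dump(find_user_by_name($db, $uname) !== null);
// A stray quote yields "no such user" instead of a database error.
var_dump(find_user_by_name($db, "alice'") === null);
// A well-formed address is looked up through the bound parameter.
var_dump(find_user_by_email($db, 'alice@example.test') !== null);
// A malformed address never reaches the database.
var_dump(find_user_by_email($db, "not-an-email'") === null);
```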
  
  
  
  
  
  
  
Email  
======  
  
Discovered by N_A  
N_A[at]tutanota.com  
`