Vulners
Lucene search
Free Hosting Manager 2.0.2 - Multiple SQLi
-------------------------------------------------------------------------
# Software : Free Hosting Manager V2.0.2 Multiple SQLi
# Author : Saadat Ullah , [email protected]
# Author home : http://security-geeks.blogspot.com
# Date : 23/3/13
# Vendors : http://www.fhm-script.com
# Download Link : http://www.fhm-script.com/download.php
-------------------------------------------------------------------------
+---+[ Multiple SQL injection]+---+
Its is vulnerable to SQLi on many file some of them are..
http://localhost/Free/clients/reset.php?code=[SQLi]
http://localhost/Free/clients/tickets.php?id=[SQLi]
http://localhost/free/clients/viewaccount.php?id=[SQLi]
Cookie based injeciton In
http://localhost/free/clients/home.php
inject the cookie value clientuser
http://localhost/free/clients/register.php ---> SQLi on all POST Fields.
Proof Of Concept
In home.php
Calling a function auth() and what it is
if ((isset($_COOKIE['clientuser'])) && isset($_COOKIE['clientpass']) && isset($_COOKIE['clientid'])) {
$clientuser = $_COOKIE['clientuser'];
$clientpass = $_COOKIE['clientpass'];
$clientid = $_COOKIE['clientid'];
$this->clientuser = $_COOKIE['clientuser'];
$this->clientpass = $_COOKIE['clientpass'];
$this->clientid = $_COOKIE['clientid'];
return true;
$dbquery = @mysql_query("SELECT * FROM clients WHERE id='$clientid' AND username='$clientuser' AND password='$clientpass'") or die(mysql_error());
In Reset.php
http://localhost/Free/clients/reset.php?code=[SQLi]
elseif ((isset($code)) || ($_GET['do'] == "code")) {
$details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode='$code'")
or die(mysql_error());
In tickets.php
http://localhost/Free/clients/tickets.php?id=[SQLi]
if ((isset($_GET['id'])) && ($_GET['action'] == "close") && ($_GET['confirm'] == "true")) {
$fhm->closeticket($_GET['id']);
.
.
$checkticket = mysql_query("SELECT * FROM tickets WHERE id='$ticket' AND clientid='$this->clientid'") or die(mysql_error());
In Viewaccount.php
http://localhost/free/clients/viewaccount.php?id=[SQLi]
$id = $_GET['id'];
.
$getacct = mysql_query("SELECT * FROM orders WHERE id='$id' AND clientid='$fhm->clientid'") or die(mysql_error());
In register.php
$firstname = stripslashes($_POST['first_name']);
$lastname = stripslashes($_POST['last_name']);
$company = stripslashes($_POST['company']);
$address = stripslashes($_POST['address']);
$address2 = stripslashes($_POST['address_2']);
$country = stripslashes($_POST['country']);
$city = stripslashes($_POST['city']);
$state = stripslashes($_POST['state_region']);
$postcode = stripslashes($_POST['postal_code']);
$telnumber = stripslashes($_POST['tel_number']);
$faxnumber = stripslashes($_POST['fax_number']);
$emailaddress = stripslashes($_POST['email_address']);
$username = stripslashes($_POST['username']);
$password1 = stripslashes($_POST['password']);
$password2 = stripslashes($_POST['confirm_password']);
.
.
.
.
.
.
$insertuser = mysql_query("INSERT INTO clients VALUES('', '$username', '$md5pass', '$firstname', '$lastname', '$company', '$address', '$address2', '$city', '$country', '$state', '$postcode', '$telnumber', '$faxnumber', '$emailaddress', '$startingcredits', '1', '', '', '$timestamp') ")
Only using stripslahes which will not protect against doing sql injection attack.
#independent Pakistani Security Researcher
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1