
Free Hosting Manager V2.0.2 Multiple SQL Injections - Website Security

Source: 自学PHP网    Date: 2015-04-17 11:59


Software : Free Hosting Manager V2.0.2    Multiple SQLi

Author : Saadat Ullah , saadi_linux@rocketmail.com

Author page: http://security-geeks.blogspot.com
Vendor: http://www.fhm-script.com
Download : http://www.fhm-script.com/download.php
 
+---+[ Multiple SQL injection ]+---+
 
It is vulnerable to SQLi in many files; some of them are:

http://www.2cto.com /Free/clients/reset.php?code=[SQLi]

http://www.2cto.com /Free/clients/tickets.php?id=[SQLi]

http://www.2cto.com /free/clients/viewaccount.php?id=[SQLi]

Cookie-based injection in

http://www.2cto.com /free/clients/home.php

where the injection point is the cookie value clientuser.

http://www.2cto.com /free/clients/register.php ---> SQLi on all POST fields.
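The advisory says the injection occurs in many files and lists only some of them. As an added example (not part of the advisory or of Free Hosting Manager), the PHP script below flags every mysql_query() call whose double-quoted SQL string interpolates a PHP variable, which is the pattern in every excerpt quoted on this page. The sample lines it is run on are copied from the reset.php and viewaccount.php excerpts plus one constructed prepared-statement line; audit_tree() is there to run the same check over a whole installation directory.

```php
<?php
// Added audit helper for this advisory; not code from the advisory or the product.
// Flags mysql_query() calls whose SQL is a double-quoted string containing a "$",
// i.e. PHP will substitute a variable into the SQL text before it is executed.

function find_interpolated_queries(string $source): array
{
    $hits = [];
    foreach (explode("\n", $source) as $n => $line) {
        // mysql_query( "...$var...  -> variable interpolated into the query text.
        // Concatenated forms ("..." . $var) are not matched by this check.
        if (preg_match('/mysql_query\s*\(\s*"[^"]*\$[A-Za-z_]/', $line)) {
            $hits[] = ['line' => $n + 1, 'code' => trim($line)];
        }
    }
    return $hits;
}

// Walks a directory tree and returns path => hits for every .php file that matches.
function audit_tree(string $dir): array
{
    $results = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
    foreach ($it as $file) {
        if ($file->isFile() && $file->getExtension() === 'php') {
            $hits = find_interpolated_queries(file_get_contents($file->getPathname()));
            if ($hits) {
                $results[$file->getPathname()] = $hits;
            }
        }
    }
    return $results;
}

// Constructed sample: two lines quoted from the advisory, and one line that binds
// its parameters and must not be flagged. Nowdoc keeps the "$" characters literal.
$sample = <<<'PHP'
$details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode='$code'") or die(mysql_error());
$getacct = mysql_query("SELECT * FROM orders WHERE id='$id' AND clientid='$fhm->clientid'") or die(mysql_error());
$stmt = $db->prepare('SELECT * FROM orders WHERE id = ? AND clientid = ?');
PHP;

foreach (find_interpolated_queries($sample) as $hit) {
    printf("line %d: %s\n", $hit['line'], $hit['code']);
}
```

On the constructed sample the check reports lines 1 and 2 and leaves the prepared-statement line alone. It is a coarse textual check: it only catches the interpolation form the advisory quotes, so a query assembled by concatenation or built in a variable before the call still needs a manual read.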
 
   
 
Proof Of Concept

In home.php

home.php calls a function auth(); the relevant part of it is:

if ((isset($_COOKIE['clientuser'])) && isset($_COOKIE['clientpass']) && isset($_COOKIE['clientid'])) {
    // all three values are taken straight from the request's cookies
    $clientuser = $_COOKIE['clientuser'];
    $clientpass = $_COOKIE['clientpass'];
    $clientid = $_COOKIE['clientid'];
    $this->clientuser = $_COOKIE['clientuser'];
    $this->clientpass = $_COOKIE['clientpass'];
    $this->clientid = $_COOKIE['clientid'];
    return true;

    // the cookie values are interpolated into the SQL string without escaping
    $dbquery = @mysql_query("SELECT * FROM clients WHERE id='$clientid' AND username='$clientuser' AND password='$clientpass'") or die(mysql_error());

 
In reset.php

http://www.2cto.com /Free/clients/reset.php?code=[SQLi]

elseif ((isset($code)) || ($_GET['do'] == "code")) {
    // $code, the value of the code query parameter, goes into the SQL string unescaped
    $details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode='$code'") or die(mysql_error());

 
In tickets.php

http://www.2cto.com /Free/clients/tickets.php?id=[SQLi]

if ((isset($_GET['id'])) && ($_GET['action'] == "close") && ($_GET['confirm'] == "true")) {
    $fhm->closeticket($_GET['id']);
...
    // $ticket is the $_GET['id'] value passed to closeticket(), interpolated unescaped
    $checkticket = mysql_query("SELECT * FROM tickets WHERE id='$ticket' AND clientid='$this->clientid'") or die(mysql_error());

 
In viewaccount.php

http://www.2cto.com /free/clients/viewaccount.php?id=[SQLi]

$id = $_GET['id'];
...
// $id is used as-is in the SQL string: no escaping, no integer check
$getacct = mysql_query("SELECT * FROM orders WHERE id='$id' AND clientid='$fhm->clientid'") or die(mysql_error());

 
In register.php

$firstname = stripslashes($_POST['first_name']);
$lastname = stripslashes($_POST['last_name']);
$company = stripslashes($_POST['company']);
$address = stripslashes($_POST['address']);
$address2 = stripslashes($_POST['address_2']);
$country = stripslashes($_POST['country']);
$city = stripslashes($_POST['city']);
$state = stripslashes($_POST['state_region']);
$postcode = stripslashes($_POST['postal_code']);
$telnumber = stripslashes($_POST['tel_number']);
$faxnumber = stripslashes($_POST['fax_number']);
$emailaddress = stripslashes($_POST['email_address']);
$username = stripslashes($_POST['username']);
$password1 = stripslashes($_POST['password']);
$password2 = stripslashes($_POST['confirm_password']);
...
// stripslashes() only removes backslashes; a quote in any of these fields
// still lands inside the quoted SQL literals below
$insertuser = mysql_query("INSERT INTO clients VALUES('', '$username', '$md5pass', '$firstname', '$lastname', '$company', '$address', '$address2', '$city', '$country', '$state', '$postcode', '$telnumber', '$faxnumber', '$emailaddress', '$startingcredits', '1', '', '', '$timestamp') ")

 
Only stripslashes() is used, which does not protect against SQL injection.
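The following PHP is an added example, not code from the advisory or from Free Hosting Manager. It shows why stripslashes() leaves quotes intact (it only removes backslashes, undoing magic_quotes_gpc), and rewrites the viewaccount.php lookup and the register.php insert with PDO prepared statements so that request data is bound as parameters instead of being spliced into the SQL text; the same change applies to the home.php, reset.php and tickets.php queries above. The table names clients and orders are the advisory's; the column names, the PDO connection, the mapping of the form fields onto those columns, and the sample inputs are assumptions.

```php
<?php
// Added example for this advisory; not code from the advisory or from Free Hosting Manager.
// Table names (clients, orders) are the advisory's; column names, the PDO connection
// and all sample inputs are assumptions.

// 1. Why stripslashes() is not protection. register.php runs every POST field
// through stripslashes() and then drops it into a quoted SQL literal. stripslashes()
// only removes backslashes, so a single quote passes through untouched and
// terminates the literal early.
function sql_literal_as_built_by_register(string $raw): string
{
    $value = stripslashes($raw);
    return "'" . $value . "'";          // same construction as the advisory's INSERT
}

// 2. Hardened form of the viewaccount.php lookup: the id is validated as an
// integer and both values are bound parameters, so they never become SQL text.
function fetch_order(PDO $db, string $rawId, int $clientId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                    // non-numeric id: reject, do not query
    }
    $stmt = $db->prepare('SELECT * FROM orders WHERE id = :id AND clientid = :cid');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':cid', $clientId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Hardened form of the register.php insert: a fixed column list (assumed names;
// the advisory's INSERT relies on column order) and one bound value per column.
// The password is stored with password_hash() rather than the md5 the advisory shows.
const CLIENT_COLUMNS = ['username', 'firstname', 'lastname', 'company', 'address',
    'address2', 'city', 'country', 'state', 'postcode', 'telnumber', 'faxnumber',
    'emailaddress'];

// $fields is keyed by the column names above; the caller maps the form's
// first_name, last_name, ... onto them. The column list is a constant, so the
// only request-controlled data are the bound values.
function register_client(PDO $db, array $fields): bool
{
    $placeholders = [];
    foreach (CLIENT_COLUMNS as $col) {
        $placeholders[] = ':' . $col;
    }
    $sql = 'INSERT INTO clients (' . implode(', ', CLIENT_COLUMNS) . ', password) VALUES ('
         . implode(', ', $placeholders) . ', :password)';
    $stmt = $db->prepare($sql);
    foreach (CLIENT_COLUMNS as $col) {
        $stmt->bindValue(':' . $col, (string) ($fields[$col] ?? ''));
    }
    $stmt->bindValue(':password', password_hash((string) ($fields['password'] ?? ''), PASSWORD_DEFAULT));
    return $stmt->execute();
}

// Demonstration of point 1; needs no database. Both inputs are constructed samples:
// a name with an apostrophe, and the same name as magic_quotes would have escaped it.
foreach (["O'Brien", "O\\'Brien"] as $raw) {
    printf("%-10s -> %s\n", $raw, sql_literal_as_built_by_register($raw));
}
```

Both sample inputs produce the literal 'O'Brien': in the first case the quote is simply untouched, in the second stripslashes() removes the very backslash that was escaping it. That is the whole point of the advisory's last sentence. The mysql_* functions the application relies on were deprecated in PHP 5.5 and removed in PHP 7.0, so moving these queries to PDO or mysqli with bound parameters is also the only way to keep the code running on a current PHP.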
 
   
 
#independent Pakistani Security Researcher  
 
