扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 |
iScripts CyberMatch 1.0 Blind SQL Injection Vulnerability NameiScripts CyberMatch Vendorhttp://www.iscripts.com Versions Affected 1.0 AuthorSalvatore Fresta aka Drosophila Website http://www.salvatorefresta.net Contact salvatorefresta [at] gmail [dot] com Date2010-02-07 X. INDEX I.ABOUT THE APPLICATION II. DESCRIPTION III.ANALYSIS IV. SAMPLE CODE V.FIX I. ABOUT THE APPLICATION iScripts CyberMatch is aturnkeyonline dating software foryou tostartafull-fledgeddatingsitelike match.com or eHarmony in minutes. iScripts CyberMatch can be usedtocreateyourown Dating, Personals or match making Site, Adult or Matrimonial Site. II. DESCRIPTION A parameter is not properly sanitised before being used in a SQL query. III. ANALYSIS Summary: A) Blind SQL Injection A) Blind SQL Injection The id parameter in profile.php is notproperly sanitised before being used in a SQL query. Thatisnotthe query which selects the information about theuser specified by the id parameter but is the query that selects the image's name. The affected query is a query of five fields. When the injected condition is true, inthepage will be printed thereallinkto the personal image of the user specifiedbytheidparameter,otherwisealinkto bignophoto.gif. True condition: http://site/path/images/profiles/id_random.jpg False condition: http://site/path/images/profiles/bignophoto.gif Successful exploitation requiresthat "magic_quotes_gpc" is disabled and that the user specified byid parameter has posted an image. IV. SAMPLE CODE A) Blind SQL Injection http://site/path/profile.php?id=10' UNION SELECT 1,2,3,4,5%23 http://site/path/profile.php?id=10' AND 1=1%23 http://site/path/profile.php?id=10' AND 1=0%23 V. FIX No Fix. |
体验盒子
