#Exploit Title: Open Audit SQL Injection Vulnerability
#Exploit Author: Rahul Pratap Singh
#Date : 2/Jan/2016
#Home page Link: https://github.com/jonabbey/open-audit
#Website: 0x62626262.wordpress.com
#Twitter: @0x62626262
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94

1. Description

The "id" field in software_add_license.php is not properly sanitized, which leads to an SQL injection vulnerability.
The "pc" field in delete_system.php, list_viewdef_software_for_system.php and system_export.php is not properly sanitized, which leads to an SQL injection vulnerability.
In each case the request parameter is concatenated directly into the query string and passed to mysql_query() without escaping or a prepared statement; the remediation is to bind the value through a parameterized query (mysqli or PDO prepared statements) rather than building the SQL from the raw request value.

2. Vulnerable Code:

software_add_license.php: (line 12 to 13)
$sql = "SELECT * from software_register WHERE software_reg_id = '" . $_GET["id"] . "'";
$result = mysql_query($sql, $db);

delete_system.php: (line 5 to 10)
if (isset($_GET['pc'])) {
$link = mysql_connect($mysql_server, $mysql_user, $mysql_password) or die("Could not connect");
mysql_select_db("$mysql_database") or die("Could not select database");
$query = "select system_name from system where system_uuid='" . $_GET['pc'] . "'";
$result = mysql_query($query)or die("Query failed at retrieve system name stage.");

list_viewdef_software_for_system.php: (line 2 to 3)
$sql = "SELECT system_os_type FROM system WHERE system_uuid = '" . $_REQUEST["pc"] . "'";
$result = mysql_query($sql, $db);

system_export.php: (line 108 to 112)
if(isset($_REQUEST["pc"]) AND $_REQUEST["pc"]!=""){
$pc=$_REQUEST["pc"];
$_GET["pc"]=$_REQUEST["pc"];
$sql = "SELECT system_uuid, system_timestamp, system_name FROM system WHERE system_uuid = '$pc' OR system_name = '$pc' ";
$result = mysql_query($sql, $db);