SQL Injection + Remote PHP file upload

vendor:

Free Arcade Script

by:

Mr.Skonnie

7.5

CVSS

HIGH

SQL Injection + Remote File Upload

CWE

Product Name: Free Arcade Script

Affected Version From: Free Arcade Script 1.0

Affected Version To: Free Arcade Script 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:freearcadescript:free_arcade_script

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

SQL Injection + Remote PHP file upload

The user name is not checked before being used in the sql query so we can inject ' or 1 or username=' as the user name and get in as admin. Once logged in as admin, the Admin panel is enabled. Add a new self hosted game and when asked for "Thumb File" and "SWF Game File", choose your php shell file (or any other file you want to upload to the server). The file you uploaded is now saved in the "games directory" and "thumbs directory". To find out where they are located, choose "Site Settings" from the Admin panel.

Mitigation:

Ensure that user input is properly validated and sanitized before being used in a SQL query.

Source

Exploit-DB raw data:

.--------------------------------------------------------------------------.
| Web Application : Free Arcade Script 1.0                                 |
| Homepage        : http://www.freearcadescript.net                        |
|--------------------------------------------------------------------------|
| Vulnerability   : SQL Injection + Remote PHP file upload                 |
| Author          : Mr.Skonnie                                             |
| Contact         : mr.skonnie@gmail.com                                   |
|__________________________________________________________________________|

Stage I - Login as administrator to the CMS:
--------------------------------------------
login.php authentication code :

if(isset($_POST['submit'])){
	$username = clean($_POST['username']);
	$password = md5($_POST['password']);
	
	$r = $db->query(sprintf('SELECT userid FROM dd_users WHERE username=\'%s\' AND password=\'%s\'', $username, $password));
	if(!$db->num_rows($r)){
		echo '<div class=\'error\'>User account does not exist.</div>';
		include ('templates/'.$template.'/footer.php');
		exit;
	}else{
		$ir = $db->fetch_row($r);
		$_SESSION['username'] = $username;
		$_SESSION['userid']= $ir['userid'];
		echo '<div class=\'msg\'>You\'ve now logged on.</div>';
		
The user name is not checked before being used in the sql query so we can inject ' or 1 or username=' as the user name and get in as admin.


Stage II - Uploading a php shell to the server:
-----------------------------------------------
Once logged in as admin, the Admin panel is enabled.
Add a new self hosted game and when asked for "Thumb File" and "SWF Game File", choose your php shell file (or any other file you want to upload to the server).
The file you uploaded is now saved in the "games directory" and "thumbs directory".
To find out where they are located, choose "Site Settings" from the Admin panel.

# milw0rm.com [2009-03-23]