Open Audit – SQL Injection

  • Author: Rahul Pratap Singh
    Date: 2016-01-02
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/39150/
  • #Exploit Title: Open Audit SQL Injection Vulnerability
    #Exploit Author: Rahul Pratap Singh
    #Date : 2/Jan/2016
    #Home page Link: https://github.com/jonabbey/open-audit
    #Website: 0x62626262.wordpress.com
    #Twitter: @0x62626262
    #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
    
    1. Description
    
    The "id" field in software_add_license.php is not properly sanitized, which
    leads to a SQL injection vulnerability.
    
    The "pc" field in delete_system.php, list_viewdef_software_for_system.php and
    system_export.php is not properly sanitized, which leads to a SQL injection
    vulnerability.
    
    
    2. Vulnerable Code:
    
    software_add_license.php: (lines 12 to 13)
    
    $sql = "SELECT * from software_register WHERE software_reg_id = '" . $_GET["id"] . "'";
    $result = mysql_query($sql, $db);
    
    
    delete_system.php: (lines 5 to 10)
    
    if (isset($_GET['pc'])) {
    
    $link = mysql_connect($mysql_server, $mysql_user, $mysql_password) or die("Could not connect");
    mysql_select_db("$mysql_database") or die("Could not select database");
    $query = "select system_name from system where system_uuid='" . $_GET['pc'] . "'";
    $result = mysql_query($query) or die("Query failed at retrieve system name stage.");
    
    
    list_viewdef_software_for_system.php: (lines 2 to 3)
    
    $sql = "SELECT system_os_type FROM system WHERE system_uuid = '" . $_REQUEST["pc"] . "'";
    $result = mysql_query($sql, $db);
    
    
    system_export.php: (lines 108 to 112)
    
    if(isset($_REQUEST["pc"]) AND $_REQUEST["pc"]!=""){
    $pc=$_REQUEST["pc"];
    $_GET["pc"]=$_REQUEST["pc"];
    $sql = "SELECT system_uuid, system_timestamp, system_name FROM system WHERE system_uuid = '$pc' OR system_name = '$pc' ";
    $result = mysql_query($sql, $db);
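
The system_export.php lookup rewritten with bound parameters, as an added example that is not part of the original advisory or the Open Audit code base. It assumes PDO with an in-memory SQLite database so it runs offline; the function name find_system and the sample rows are constructed for illustration.

```php
<?php
// Added example, not Open Audit code: the system_export.php lookup using a
// prepared statement instead of string concatenation.
// Assumption: PDO with in-memory SQLite so the script runs offline. The
// project itself targets MySQL through the mysql_* API, which PHP 7 removed.

function find_system(PDO $db, string $pc): array
{
    // Placeholders keep $pc out of the SQL text, so a quote inside it is
    // compared as data and cannot terminate the string literal.
    $stmt = $db->prepare(
        'SELECT system_uuid, system_timestamp, system_name FROM system
         WHERE system_uuid = :uuid OR system_name = :name'
    );
    $stmt->execute([':uuid' => $pc, ':name' => $pc]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(
    'CREATE TABLE system (system_uuid TEXT, system_timestamp TEXT, system_name TEXT)'
);

// Constructed sample rows; one name contains a single quote on purpose.
$ins = $db->prepare('INSERT INTO system VALUES (?, ?, ?)');
$ins->execute(['uuid-0001', '20160102120000', 'fileserver']);
$ins->execute(['uuid-0002', '20160102120500', "o'brien-laptop"]);

// Constructed values standing in for $_REQUEST["pc"].
foreach (['uuid-0001', "o'brien-laptop", "no-such-host'"] as $pc) {
    $rows = find_system($db, $pc);
    printf("%-16s -> %d row(s)\n", $pc, count($rows));
}
```

The same prepare/execute pattern applies to the "id" lookup in software_add_license.php and the "pc" lookups in delete_system.php and list_viewdef_software_for_system.php.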