Free Hosting Manager V2.0.2 Multiple SQL injections

Software: Free Hosting Manager V2.0.2 Multiple SQLi Author: Saadat Ullah, saadi_linux@rocketmail.com author page: http://security-geeks.blogspot.com Developers: http://www.fhm-script.com : http://www.fhm-script.com /Download. php + --- + [Multiple SQL injection] + --- + Its is vulnerable to SQLi on your file some of them are .. http://www.bkjia.com /Free/clients/reset. php? Code = [SQLi] http://www.bkjia.com /Free/clients/tickets. php? Id = [SQLi] http://www.bkjia.com /Free/clients/viewaccount. php? Id = [SQLi] Cookie based injeciton In http://www.bkjia.com /Free/clients/home. php inject the cookie value clientuser http://www.bkjia.com /Free/clients/register. php ---> SQLi on all POST Fields. proof Of Concept In home. php Calling a function auth () and what it is if (isset ($ _ COOKIE ['clientuser']) & isset ($ _ COOKIE ['clientpass']) & isset ($ _ COOKIE ['clientid']) {$ clientuser = $ _ COOKIE ['clientuser']; $ clientpass = $ _ COOKIE ['clientpass']; $ clientid = $ _ COOKIE ['clientid']; $ this-> clientuser = $ _ COOKIE ['clientuser']; $ this-> clientpass =$ _ COOKIE ['clientpass']; $ this-> clientid = $ _ COOKIE ['clientid']; return true; $ dbquery = @ mysql_query ("SELECT * FROM clients WHERE id = '$ clientid' AND username =' $ clientuser' AND password = '$ clientpass '") or die (mysql_error (); In Reset. php http://www.bkjia.com /Free/clients/reset. php? Code = [SQLi] elseif (isset ($ code) | ($ _ GET ['do '] = "code ")) {$ details = mysql_query ("SELECT * FROM clientpwactivation WHERE activationcode = '$ Code'") or die (mysql_error (); In tickets. php http://www.bkjia.com /Free/clients/tickets. php? Id = [SQLi] if (isset ($ _ GET ['id']) & ($ _ GET ['action'] = "close ") & ($ _ GET ['Confirm'] = "true") {$ fhm-> closeticket ($ _ GET ['id']); .. $ checkticket = mysql_query ("SELECT * FROM tickets WHERE id = '$ ticket' AND clientid = '$ this-> clientid'") or die (mysql_error (); In Viewaccount. php http://www.bkjia.com /Free/clients/viewaccount. php? Id = [SQLi] $ id = $ _ GET ['id'];. $ getacct = mysql_query ("SELECT * FROM orders WHERE id = '$ id' AND clientid =' $ fhm-> clientid'") or die (mysql_error (); In register. php $ firstname = stripslashes ($ _ POST ['first _ name']); $ lastname = stripslashes ($ _ POST ['last _ name']); $ company = stripslashes ($ _ POST ['company']); $ address = stripslashes ($ _ POST ['address']); $ address2 = stripslashes ($ _ POST ['address _ 2']); $ country = stripslashes ($ _ POST ['country']); $ city = stripslashes ($ _ POST ['city']); $ state = stripslashes ($ _ POST ['State _ region ']); $ postcode = stripslashes ($ _ POST ['postal _ Code']); $ telnumber = stripslashes ($ _ POST ['tel _ number']); $ faxnumber = stripslashes ($ _ POST ['fax _ number']); $ emailaddress = stripslashes ($ _ POST ['email _ address']); $ username = stripslashes ($ _ POST ['username']); $ password1 = stripslashes ($ _ POST ['Password']); $ password2 = stripslashes ($ _ POST ['Confirm _ password']); ...... $ insertuser = mysql_query ("insert into clients VALUES ('', '$ username',' $ md5pass', '$ firstname', '$ lastname', '$ company ', '$ address',' $ ssss2 ',' $ city', '$ country', '$ State',' $ postcode ',' $ telnumber ',' $ faxnumber ', '$ emailaddress', '$ startingcredits', '1', '','', '$ timestamp') ") Only using stripslahes which will not protect against doing SQL injection attack. # independent Pakistani Security Researcher