Open Audit SQL Injection Vulnerability
Posted on 30 November -0001
<HTML><HEAD><TITLE>Open Audit SQL Injection Vulnerability</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>#Exploit Title : Open Audit SQL Injection Vulnerability #Exploit Author : BlacKBlooD Azerbaijan Defacers Group #Date : 18/ap/2016 #Home page Link : https://github.com/BlacKBlooD/open-audit #Website : df-blackblood.com #Twitter : @BlackBlood2121 #Linkedin : https://www.facebook.com/BlacKBlooD.20/ 1. Description "id" field in software_add_license.php is not properly sanitized, that leads to SQL Injection Vulnerability. "pc" field in delete_system.php, list_viewdef_software_for_system.php and system_export.php is not properly sanitized, that leads to SQL Injection Vulnerability. 2. Vulnerable Code: software_add_license.php: ( line 12 to 13) $sql = "SELECT * from software_register WHERE software_reg_id = '" . $_GET["id"] . "'"; $result = mysql_query($sql, $db); delete_system.php: ( line 5 to 10) if (isset($_GET['pc'])) { $link = mysql_connect($mysql_server, $mysql_user, $mysql_password) or die("Could not connect"); mysql_select_db("$mysql_database") or die("Could not select database"); $query = "select system_name from system where system_uuid='" . $_GET['pc'] . "'"; $result = mysql_query($query) or die("Query failed at retrieve system name stage."); list_viewdef_software_for_system.php: ( line 2 to 3) $sql = "SELECT system_os_type FROM system WHERE system_uuid = '" . $_REQUEST["pc"] . "'"; $result = mysql_query($sql, $db); system_export.php: ( line 108 to 112) if(isset($_REQUEST["pc"]) AND $_REQUEST["pc"]!=""){ $pc=$_REQUEST["pc"]; $_GET["pc"]=$_REQUEST["pc"]; $sql = "SELECT system_uuid, system_timestamp, system_name FROM system WHERE system_uuid = '$pc' OR system_name = '$pc' "; $result = mysql_query($sql, $db); </BODY></HTML>