Advanced Upload (PHP) Script 1.0.2 SQL Injection
Posted on 19 October 2016
Advanced Upload (PHP) Script Version 1.0.2 MySQL Injection Vulnerabilities
============================================================================

Discovered by N_A, N_A[at]tutanota.com
=======================================

Description
============

An advanced php uploading script with MANY advanced features, including: registration, upload, manage uploads with folder and upload management, ...and MUCH MUCH more!!!

https://sourceforge.net/projects/adv-uploads

Vulnerabilities
================

Several SQL injection vulnerabilities exist that allow direct injection into the MySQL database.

Files Affected
===============

login.php:

    if($_GET['action'] == 'check') {
        //find the user
        $result = mysql_query("SELECT * FROM loginphp WHERE Uname='{$_POST['Uname']}'");
        $row = mysql_fetch_array( $result ); //set $row to result

As we can see, the vulnerable variable is 'Uname', which is passed to the database via the POST method completely unchecked.

forgotpass.php:

    if($_GET['action'] == 'email') {
        $_Email = $_POST['Email'];
        $result = mysql_query("SELECT * FROM loginphp WHERE Email='" . $_Email . "'") or die(mysql_error());
        $row = mysql_fetch_array( $result );

As we can see here, the 'Email' variable is passed to the database completely unchecked via the POST method.

Email
======

Discovered by N_A
N_A[at]tutanota.com
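The remediation for both queries is parameterisation: the POST value is bound as data, so it can never change the SQL text. The following is an added example written for this page, not code from the advisory or from the Advanced Upload project. It rewrites the two lookups quoted above with PDO prepared statements; the table and column names (loginphp, Uname, Email) come from the advisory, while the PDO connection, DSN and credentials are placeholders. It also replaces the mysql_* extension used by the script, which was removed in PHP 7.0.

```php
<?php
// Added example (not from the advisory or the Advanced Upload project): the two
// queries quoted in the advisory rewritten with prepared statements, so the
// POST value is bound as a parameter rather than spliced into the SQL string.
// Assumptions: a PDO connection built by connect() with placeholder DSN and
// credentials; table/column names loginphp, Uname, Email as in the advisory.

declare(strict_types=1);

function connect(): PDO
{
    // Placeholder DSN and credentials; a real deployment supplies its own.
    return new PDO('mysql:host=localhost;dbname=advupload;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // no "or die(mysql_error())"
        PDO::ATTR_EMULATE_PREPARES   => false,                  // native server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// login.php, action=check: look up the user row by username.
function findUserByName(PDO $pdo, string $uname): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM loginphp WHERE Uname = :uname');
    $stmt->execute([':uname' => $uname]); // bound as a value, never parsed as SQL
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// forgotpass.php, action=email: look up the user row by e-mail address.
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM loginphp WHERE Email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Request handling: read each POST field as a string and pass it to the
// parameterised lookup. Whatever the field contains is compared as a value.
$pdo = connect();

if (($_GET['action'] ?? '') === 'check') {
    $row = findUserByName($pdo, (string)($_POST['Uname'] ?? ''));
    // ... continue with the script's existing password check on $row ...
}

if (($_GET['action'] ?? '') === 'email') {
    $row = findUserByEmail($pdo, (string)($_POST['Email'] ?? ''));
    // ... continue with the script's existing password-reset flow on $row ...
}
```

Two points worth keeping in mind when applying this to the real script: escaping the value (for example with a quoting function) is not an equivalent fix, because the query string is still assembled from user input; and the original `or die(mysql_error())` in forgotpass.php echoes the database error to the client, whereas `PDO::ERRMODE_EXCEPTION` lets a single top-level handler log the error and return a generic response instead.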