Sqlbuddy Path Traversal Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Sqlbuddy Path Traversal Vulnerability
- From: hyp3rlinx@xxxxxxxxxxxxxx
- Date: Sat, 9 May 2015 14:46:17 GMT
Exploit Author: John Page (hyp3rlinx)
Website: hyp3rlinx.altervista.org/
Vendor Homepage: www.sqlbuddy.com
Version: 1.3.3
SQL Buddy is an open source web based MySQL administration application.
Advisory Information:
=====================
sqlbuddy suffers from directory traversal whereby a user can move about directories and read any PHP and non-PHP files by appending the '#' hash character when requesting files via URLs, e.g. .doc, .txt, .xml, .conf, .sql etc. After adding the '#' character as a delimiter, any non-PHP file will be returned and rendered, subverting the .php concatenation used by sqlbuddy when requesting PHP pages via the POST method.

Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=<xxxxxxxxxx>

POC Exploit payloads:
=====================
1- Read from Apache restricted directory under htdocs:
http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#

2- Read any arbitrary files that do not have .PHP extensions:
http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#

3- Read phpinfo (no need for '#' as phpinfo is a PHP file):
http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo

Severity Level:
===============
High

Request Method(s):
[+] POST

Vulnerable Product:
[+] sqlbuddy 1.3.3

Vulnerable Parameter(s):
[+] #page=somefile

Affected Area(s):
[+] Server directories & sensitive files

Solution - Fix & Patch:
=======================
N/A
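The root cause the advisory points at is a page name taken from the client, given a ".php" suffix and then used as a file path, with nothing preventing the name from carrying "../" segments or a delimiter that defeats the suffix. The following is an added example written for this page, not SQL Buddy's own code: it generalises that weak pattern into a small resolver, places a hardened resolver beside it (identifier-only name, allowlist, and a realpath containment check on the final path), and runs both over the page values quoted in the advisory inside a throwaway web root. The allowlist, the temporary web root and its placeholder home.php are constructed for the example.

```python
import os
import re
import tempfile
from typing import Optional

# Constructed allowlist: the page names this hypothetical application serves.
# SQL Buddy's real page list is not on the advisory; these are placeholders.
ALLOWED_PAGES = {"home", "login", "browse", "query"}

# The #page= values quoted in the advisory, plus one legitimate page name.
ADVISORY_PAGE_VALUES = [
    "home",
    "../../../restricted/user_pwd.sql#",
    "../../../directory/sensitive-file.conf#",
    "../../../../xampp/phpinfo",
]


def unchecked_resolve(page: str, base_dir: str) -> str:
    """The weak pattern the advisory describes, generalised: '.php' is appended to
    an untrusted name and the result is used as a file path. Nothing stops '..'
    segments from leaving base_dir. (Illustration only, not SQL Buddy's code.)"""
    return os.path.normpath(os.path.join(base_dir, page + ".php"))


def resolve_page(page: str, base_dir: str) -> Optional[str]:
    """Hardened replacement: absolute path of the page file, or None if rejected.

    Three independent checks, each of which alone blocks the advisory's payloads:
      1. the name must be a plain identifier (no '/', '.', '#', NUL, ...);
      2. the name must be on the allowlist;
      3. the final path must resolve (symlinks included) to inside base_dir.
    """
    if not re.fullmatch(r"[A-Za-z0-9_]{1,64}", page):
        return None
    if page not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def escapes_base(path: str, base_dir: str) -> bool:
    """True if the resolved path lies outside base_dir (the traversal condition)."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def demo() -> dict:
    """Run both resolvers over the advisory's values inside a temporary web root.

    Returns, per input value, whether the unchecked resolver's path leaves the web
    root, and what the hardened resolver returns (file basename, or None)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "htdocs", "sqlbuddy")  # constructed layout
        os.makedirs(webroot)
        with open(os.path.join(webroot, "home.php"), "w") as f:
            f.write("<?php /* constructed placeholder page */ ?>\n")
        for value in ADVISORY_PAGE_VALUES:
            resolved = resolve_page(value, webroot)
            results[value] = {
                "unchecked_escapes_webroot": escapes_base(
                    unchecked_resolve(value, webroot), webroot
                ),
                "hardened_result": os.path.basename(resolved) if resolved else None,
            }
    return results


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value!r}: {outcome}")
```

The three checks are deliberately redundant: the identifier regex alone rejects every value containing '/', '.' or '#', the allowlist catches a bare name such as "phpinfo" that is syntactically valid but not a page the application serves, and the realpath containment check is the backstop should the first two ever be loosened (for instance to permit subdirectories).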