PHP Webquest 2.6 - SQL Injection



EKU-ID: 4552 CVE: OSVDB-ID:
Author: jordan root Published: 2015-01-27 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: sql injection
# Google Dork: inurl:webquest/soporte_horizontal_w.php?id_actividad=
# Date: [24/01/2015]
# Exploit Author: [jord4nroo7] anonjo@aol.com
# Vendor Homepage: [http://phpwebquest.org]
# Software Link: [http://phpwebquest.org/?page_id=14]
# Version: [phpwebquest-2.6]
# Tested on: [windows 8.1]
#Exploit: sql inhection found on phpwebquest script version 2.6 
#
  
#example http://localhost/phpwq/webquest/soporte_horizontal_w.php?id_actividad=184&id_pagina=1%27'
  
#---------------------------
if ($_GET['id_actividad']!=''){
    $id_actividad=$_GET['id_actividad'];--------->sqlinjection here 
}else{
    $id_actividad='1500000';
}
if ($_GET['id_pagina']!=''){
    $id_pagina=$_GET['id_pagina'];
}else{
    $id_pagina='1';
    $texto_actual=$texto_alternativo;
    $imagen_actual='../imagenes/no_imagen.gif';
}
#----------------------------
<? 
session_cache_limiter('nocache,private');
session_start();
session_set_cookie_params(0, "/", $HTTP_SERVER_VARS["HTTP_HOST"], 0);
include("../include/mysql.php");
include("../include/idioma.php");
  
$base=$mysql_db; 
$c=mysql_connect($mysql_server,$mysql_login,$mysql_pass); 
mysql_select_db ($base, $c);
#para solucionar un problema que se plantea cuando los usuarios crean la actividad pero no crean páginas
if ($_GET['id_actividad']!=''){
    $id_actividad=$_GET['id_actividad'];
}else{
    $id_actividad='1500000';
}
if ($_GET['id_pagina']!=''){
    $id_pagina=$_GET['id_pagina'];
}else{
    $id_pagina='1';
    $texto_actual=$texto_alternativo;
    $imagen_actual='../imagenes/no_imagen.gif';
}
 #echo "PAGINA DEL GET:".$id_pagina."<br>";
 #echo "PAGINA DEL GET:".$id_pagina."<br>";
$sentencia= "SELECT * FROM actividad WHERE id_actividad=".$id_actividad;
$resultado=mysql_query($sentencia);
while($v=mysql_fetch_array($resultado)){
   foreach ($v as $indice=>$valor){
       if(!is_int($indice)){
            # echo $indice.":".$valor."<br>";
             $campo[$indice]=$valor;
               
         }
    }
}
$sentencia="select * from pagina where id_actividad=".$id_actividad." order by num_pagina asc";
$resultado=mysql_query($sentencia);
$j=1;   
while($v=mysql_fetch_array($resultado)){
  foreach ($v as $indice=>$valor){
      if(!is_int($indice)){
            #echo $indice.":".$valor."<br>";
             $campo[$j][$indice]=$valor;
               
       }
   }
    $j++;
}
for ($cont=1; $cont<=5; $cont++){
        if ($campo[$cont]['num_pagina']==$id_pagina){
            $texto_actual=$campo[$cont]['texto'];
            $imagen_actual=$campo[$cont]['imagen'];
        }   
    }
$resta=0;
$tamano_enlaces=$campo['font_size'] - $resta ;
$tamano_titulo=$campo['font_size'];
#echo $tamano_titulo;
?> 
  
  
<html>
<head>
  
<title>PHP Webquest</title>
<!-- Webquest elaborada con PHP Webquest http://www.phpwebquest.org
Programa elaborado por Antonio Temprano bajo Licencia GPL
Puede ser utilizado gratuitamente por quien quiera hacerlo con fines 
educativos y con la obligación de no quitar estas líneas de código
-->
<style>
table {
   font-family : <? echo $campo['font_face'];?>;
   font-size :  <? echo $campo['font_size'];?>;
   font-weight : normal;
   color: <? echo $campo['color_texto_principal'];?>;
a  {
   font-family : <? echo $campo['font_face'];?>;
   font-size : <? echo $campo['font_size'];?>;
   text-decoration: none;
   color: <? echo $campo['color_enlaces'];?>;
   font-weight : normal;
  
a:hover  {
   position: relative;
   top: 1px;
   left: 1px;
   font-family : <? echo $campo['font_face'];?>;
   font-size : <? echo $campo['font_size'];?>;
   text-decoration: none;
   color: <? echo $campo['color_enlaces_resaltados'];?>;
   font-weight : normal;  
}
  
div.phpwebquest { font-size : 7.5pt;}
div.phpwebquest a:link { font-size : 7.5pt;} 
div.phpwebquest a:hover { font-size : 7.5pt;} 
div.phpwebquest a { font-size : 7.5pt;};
</style> 
</head>
  
<body bgcolor="<? echo $campo['color_fondo_pagina'];?>">
<div align="center">
<table width="750" border="0" cellpadding="0" cellspacing="1" bgcolor="<? echo $campo['color_cuadro_pagina'];?>">
    <tr>
      <td><div align="center">
  
            
          <table width="100%" border="0" cellpadding="0" cellspacing="1" bgcolor="<? echo $campo['color_cuadro_texto'];?>">
            <tr> 
              <td><table width="100%" border="0" cellspacing="1" cellpadding="0">
                  <tr> 
                    <td height="50"><div valign="middle" align="center"><h1><font color="<? echo $campo['color_texto_titulo'];?>"><? echo $campo['titulo'];?></font></h1></div></td>
                  </tr>
                  <tr> 
                                  <? if ($id_pagina==1){
                                        $titular=$introduccion;
                                        }elseif($id_pagina==2){
                                        $titular=$tareas;
                                        }elseif($id_pagina==3){
                                        $titular=$proceso;                      
                                        }elseif($id_pagina==4){
                                        $titular=$evaluacion;       
                                        }else{
                                        $titular=$conclusiones;     
                                        }                         
                                ?>
                    
                    <td height="50" bgcolor="<? echo $campo['color_cuadro_pagina'];?>"><font color="<? echo $campo['color_texto_tipo'];?>"><div  valign="middle" align="center"><h3><? echo $titular;?></h3></div></font></td>
                  </tr>
  
                  <tr> 
                    <td><table width="100%" border="0" cellspacing="1" cellpadding="0">
                        <tr>
                          <td width="81%" valign="top"><table width="100%" height="141" border="0" cellpadding="0" cellspacing="1">
                              <tr> 
                                <td width="1%" height="139"> </td>
                                <td width="97%" valign="middle"><div align="left"> 
                                    <table width="100%" height="134" border="0" cellpadding="0" cellspacing="1">
                                      <tr> 
                                        <td width="1%" valign="top"><div align="left"><img src="<? echo $imagen_actual;?>"></div></td>
                                        <td width="2%"> </td>
  
                                        <td width="97%"><? echo $texto_actual;?><br> 
                        <table align=center width="80%" border=0 bgcolor="<? echo $campo['color_cuadro_menu'];?>">
                          
                          <? if ($id_pagina==3){
                                echo '<tr></tr>';
                                $sentencia="select url, descripcion from url where id_actividad=".$id_actividad;
                                $resultado=mysql_query($sentencia);
                                $j=1;   
                                while($v=mysql_fetch_array($resultado)){
                                  foreach ($v as $indice=>$valor){
                                     if(!is_int($indice)){
                                        if($indice=='url'){
                                            echo '<tr><td><div class="celdamenu"><a href='.$valor.' target="_blank"></div>';
                                        }else{  
                                            echo $valor."</td></tr>";
                                        }
                                         $url[$j][$indice]=$valor;
                                        }
                                    }
                                $j++;   
                                }
                            }
                            mysql_close($c);
                        ?>
                        </table>
  
                                        </td>
                                      </tr>
                                    </table>
                                  </div></td>
                                <td width="2%"> </td>
                              </tr>
                            </table></td>
  
                          <td width="15%" valign="top">
                            <table width="100%" border="0" cellspacing="1" cellpadding="0" bgcolor="<? echo $campo['color_cuadro_texto'];?>" bordercolor="#FFFFFF"><tr><td> </td></tr></table>
                            <table width="100%" border="0" cellspacing="1" cellpadding="0" bgcolor="<? echo $campo['color_cuadro_menu'];?>" bordercolor="#FFFFFF">
                               
                              <tr> 
                                <td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=1"; ?>"> <? echo $enlace_introduccion; ?></a></div></td>
                              </tr>
                              <tr> 
                                <td height="1" bgcolor="#FFFFFF"></td>
                              </tr>
  
                              <tr> 
                                <td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=2"; ?>"> <? echo $enlace_tareas; ?></a></div></td>
                              </tr>
                              <tr> 
                                <td height="1" bgcolor="#FFFFFF"></td>
                              </tr>
                              <tr> 
                                <td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=3"; ?>"> <? echo $enlace_proceso; ?></a></font></div></td>
                              </tr>
  
                              <tr> 
                                <td height="1" bgcolor="#FFFFFF"></td>
                              </tr>
                              <tr> 
                                <td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=4"; ?>"> <? echo $enlace_evaluacion; ?></a></font></div></td>
  
                              </tr>
                              <tr> 
                                <td height="1" bgcolor="#FFFFFF"></td>
                              </tr>
                              <tr> 
                                <td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=5"; ?>"> <? echo $enlace_conclusiones; ?></a></font></div></td>
                              </tr>
                            </table></td>
                        </tr>
  
                      </table></td>
                  </tr>
                </table></td>
            </tr>
            <tr>
              <td height="19">
              <table width="100%" border="0" cellspacing="1" cellpadding="0">
                  <tr>
                    <td width="55%"><div class="phpwebquest" align="right"><? echo $elaborada; ?> <? echo $campo['autor'];?> <? echo $con; ?></div></td>
                    <td width="45%"><div class="phpwebquest" align="left"><a href="http://www.phpwebquest.org"> PHPWebquest</a></div></td>
                  </tr>
                </table>
                </td>
            </tr>
          </table>
        </div></td>
    </tr>
  </table>
  
 </div>
</body>
</html>