what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ccleaguepro-auth.txt

ccleaguepro-auth.txt
Posted Jun 23, 2008
Authored by t0pp8uzz

CCLeague Pro versions 1.2 and below suffer from an insecure cookie authentication vulnerability.

tags | exploit, insecure cookie handling
SHA-256 | c7eb6ad7f2a1389689d7a52d8c8401318df90a9ff8244de0c5207ae1373298e6

ccleaguepro-auth.txt

Change Mirror Download
-[*]+================================================================================+[*]-
-[*]+ CCLeague Pro <= 1.2 Insecure Cookie Authentication Vulnerability +[*]-
-[*]+================================================================================+[*]-



[*] Discovered By: t0pP8uZz
[*] Discovered On: 19 JUNE 2008
[*] Script Download: http://castillocentral.com/
[*] DORK: "Powered by CCLeague Pro" (alot of sites removed dork, so find another)



[*] Vendor Has Not Been Notified!



[*] DESCRIPTION:

CCLeage Pro 1.2 and all prior versions suffer from multiple insecure cookie validation vulnerabilitys.

Lets take a look at a line from the "admin.php" file from "CCLeage Pro 1.2"

CODE LINE 52 (admin.php):
if($_COOKIE['PHPSESSID'] == session_id( ) && $_COOKIE['type'] == "admin") { .. }

As we can see above, the script checks to see if a cookie is set and matches a value, as we know this is very easy to bypass by creating a cookie,
but now what above the "$_COOKIE['PHPSESSID'] == session_id( )" how do we bypass this you ask?

well in some versions this part doesnt even exist, but most hosts are running the upto date versions so we still need a way to bypass.

anyway, the php function session_id checks/returns the PHPSESSID if any, and here it is returning the sessionid, since we havent created any session
the function will return "" (not null), so all we need to do is make our PHPSESSID match this, and since its grabbing it from a cookie thats simple.

at the minute our PHPSESSID will be some random hash, so we can simply change this by overwriting the cookie.

See the javascript code below in a second to successfully exploit this.

Once you have run the javascript code in your browser, you will be able to visit the "admin.php" area without having to login, but now
you probarly see alot of errors, this is because the script attempts to load the admin preferences based on a cookie, since we dont have this cookie set
its pulling non-existent data from the mysql database.

so once again we need to set another cookie which needs to contain a existing admins email address, this should be too hard to obtain from sniffing around
the site.

here is the line of code from the admin.php which attempts to select the admin config from the db.

CODE LINE 67 (admin.php): $admininfo = mysql_query("SELECT * FROM ".$_CONF['tprefix']."administrators WHERE contact_email = '$_COOKIE[u]' LIMIT 0,1");

there is also a sql injection in the above line, if magic quotes are off, so you rippers dont bother reposting that has a seperate vulnerability.

Thats about it, Check below for the javascript code which will craft the cookies for you.

Goodluck!



[*] Vulnerability/Javascript:

javascript:document.cookie = "type=admin; path=/"; document.cookie = "PHPSESSID=; path=/"; // this will create one cookie and null the other
javascript:document.cookie = "u=admin@domain.com; path=/"; // replace the email with a existent admin email from the site, if this isnt correct your not gona get very far.



[*] NOTE/TIP:


Use the dork and find a site, navigate to the site, once at the site run the above javascript code (paste into your address bar), dont forget
to replace the email in the second javascript line.

after you have done the above steps visit the admin area at "admin.php"



[*] GREETZ:

milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew !



[-] peace,

t0pP8uZz



-[*]+================================================================================+[*]-
-[*]+ CCLeague Pro <= 1.2 Insecure Cookie Authentication Vulnerability +[*]-
-[*]+================================================================================+[*]-

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close