exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ccleaguepro-auth.txt

ccleaguepro-auth.txt
Posted Jun 23, 2008
Authored by t0pp8uzz

CCLeague Pro versions 1.2 and below suffer from an insecure cookie authentication vulnerability.

tags | exploit, insecure cookie handling
SHA-256 | c7eb6ad7f2a1389689d7a52d8c8401318df90a9ff8244de0c5207ae1373298e6

ccleaguepro-auth.txt

Change Mirror Download
-[*]+================================================================================+[*]-
-[*]+ CCLeague Pro <= 1.2 Insecure Cookie Authentication Vulnerability +[*]-
-[*]+================================================================================+[*]-



[*] Discovered By: t0pP8uZz
[*] Discovered On: 19 JUNE 2008
[*] Script Download: http://castillocentral.com/
[*] DORK: "Powered by CCLeague Pro" (alot of sites removed dork, so find another)



[*] Vendor Has Not Been Notified!



[*] DESCRIPTION:

CCLeage Pro 1.2 and all prior versions suffer from multiple insecure cookie validation vulnerabilitys.

Lets take a look at a line from the "admin.php" file from "CCLeage Pro 1.2"

CODE LINE 52 (admin.php):
if($_COOKIE['PHPSESSID'] == session_id( ) && $_COOKIE['type'] == "admin") { .. }

As we can see above, the script checks to see if a cookie is set and matches a value, as we know this is very easy to bypass by creating a cookie,
but now what above the "$_COOKIE['PHPSESSID'] == session_id( )" how do we bypass this you ask?

well in some versions this part doesnt even exist, but most hosts are running the upto date versions so we still need a way to bypass.

anyway, the php function session_id checks/returns the PHPSESSID if any, and here it is returning the sessionid, since we havent created any session
the function will return "" (not null), so all we need to do is make our PHPSESSID match this, and since its grabbing it from a cookie thats simple.

at the minute our PHPSESSID will be some random hash, so we can simply change this by overwriting the cookie.

See the javascript code below in a second to successfully exploit this.

Once you have run the javascript code in your browser, you will be able to visit the "admin.php" area without having to login, but now
you probarly see alot of errors, this is because the script attempts to load the admin preferences based on a cookie, since we dont have this cookie set
its pulling non-existent data from the mysql database.

so once again we need to set another cookie which needs to contain a existing admins email address, this should be too hard to obtain from sniffing around
the site.

here is the line of code from the admin.php which attempts to select the admin config from the db.

CODE LINE 67 (admin.php): $admininfo = mysql_query("SELECT * FROM ".$_CONF['tprefix']."administrators WHERE contact_email = '$_COOKIE[u]' LIMIT 0,1");

there is also a sql injection in the above line, if magic quotes are off, so you rippers dont bother reposting that has a seperate vulnerability.

Thats about it, Check below for the javascript code which will craft the cookies for you.

Goodluck!



[*] Vulnerability/Javascript:

javascript:document.cookie = "type=admin; path=/"; document.cookie = "PHPSESSID=; path=/"; // this will create one cookie and null the other
javascript:document.cookie = "u=admin@domain.com; path=/"; // replace the email with a existent admin email from the site, if this isnt correct your not gona get very far.



[*] NOTE/TIP:


Use the dork and find a site, navigate to the site, once at the site run the above javascript code (paste into your address bar), dont forget
to replace the email in the second javascript line.

after you have done the above steps visit the admin area at "admin.php"



[*] GREETZ:

milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew !



[-] peace,

t0pP8uZz



-[*]+================================================================================+[*]-
-[*]+ CCLeague Pro <= 1.2 Insecure Cookie Authentication Vulnerability +[*]-
-[*]+================================================================================+[*]-

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close