exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ccleaguepro-auth.txt

ccleaguepro-auth.txt
Posted Jun 23, 2008
Authored by t0pp8uzz

CCLeague Pro versions 1.2 and below suffer from an insecure cookie authentication vulnerability.

tags | exploit, insecure cookie handling
SHA-256 | c7eb6ad7f2a1389689d7a52d8c8401318df90a9ff8244de0c5207ae1373298e6

ccleaguepro-auth.txt

Change Mirror Download
-[*]+================================================================================+[*]-
-[*]+ CCLeague Pro <= 1.2 Insecure Cookie Authentication Vulnerability +[*]-
-[*]+================================================================================+[*]-



[*] Discovered By: t0pP8uZz
[*] Discovered On: 19 JUNE 2008
[*] Script Download: http://castillocentral.com/
[*] DORK: "Powered by CCLeague Pro" (alot of sites removed dork, so find another)



[*] Vendor Has Not Been Notified!



[*] DESCRIPTION:

CCLeage Pro 1.2 and all prior versions suffer from multiple insecure cookie validation vulnerabilitys.

Lets take a look at a line from the "admin.php" file from "CCLeage Pro 1.2"

CODE LINE 52 (admin.php):
if($_COOKIE['PHPSESSID'] == session_id( ) && $_COOKIE['type'] == "admin") { .. }

As we can see above, the script checks to see if a cookie is set and matches a value, as we know this is very easy to bypass by creating a cookie,
but now what above the "$_COOKIE['PHPSESSID'] == session_id( )" how do we bypass this you ask?

well in some versions this part doesnt even exist, but most hosts are running the upto date versions so we still need a way to bypass.

anyway, the php function session_id checks/returns the PHPSESSID if any, and here it is returning the sessionid, since we havent created any session
the function will return "" (not null), so all we need to do is make our PHPSESSID match this, and since its grabbing it from a cookie thats simple.

at the minute our PHPSESSID will be some random hash, so we can simply change this by overwriting the cookie.

See the javascript code below in a second to successfully exploit this.

Once you have run the javascript code in your browser, you will be able to visit the "admin.php" area without having to login, but now
you probarly see alot of errors, this is because the script attempts to load the admin preferences based on a cookie, since we dont have this cookie set
its pulling non-existent data from the mysql database.

so once again we need to set another cookie which needs to contain a existing admins email address, this should be too hard to obtain from sniffing around
the site.

here is the line of code from the admin.php which attempts to select the admin config from the db.

CODE LINE 67 (admin.php): $admininfo = mysql_query("SELECT * FROM ".$_CONF['tprefix']."administrators WHERE contact_email = '$_COOKIE[u]' LIMIT 0,1");

there is also a sql injection in the above line, if magic quotes are off, so you rippers dont bother reposting that has a seperate vulnerability.

Thats about it, Check below for the javascript code which will craft the cookies for you.

Goodluck!



[*] Vulnerability/Javascript:

javascript:document.cookie = "type=admin; path=/"; document.cookie = "PHPSESSID=; path=/"; // this will create one cookie and null the other
javascript:document.cookie = "u=admin@domain.com; path=/"; // replace the email with a existent admin email from the site, if this isnt correct your not gona get very far.



[*] NOTE/TIP:


Use the dork and find a site, navigate to the site, once at the site run the above javascript code (paste into your address bar), dont forget
to replace the email in the second javascript line.

after you have done the above steps visit the admin area at "admin.php"



[*] GREETZ:

milw0rm.com, h4ck-y0u.org, Offensive-Security.com, CipherCrew !



[-] peace,

t0pP8uZz



-[*]+================================================================================+[*]-
-[*]+ CCLeague Pro <= 1.2 Insecure Cookie Authentication Vulnerability +[*]-
-[*]+================================================================================+[*]-

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close