Free Arcade Script 1.0 - Authentication Bypass / Arbitrary File Upload

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1057581 漏洞类型
发布时间 2009-03-23 更新时间 2009-03-23
漏洞平台 PHP CVSS评分 N/A
| Web Application : Free Arcade Script 1.0                                 |
| Homepage        :                        |
| Vulnerability   : SQL Injection + Remote PHP file upload                 |
| Author          : Mr.Skonnie                                             |
| Contact         :                                   |

Stage I - Login as administrator to the CMS:
login.php authentication code :

	$username = clean($_POST['username']);
	$password = md5($_POST['password']);
	$r = $db->query(sprintf('SELECT userid FROM dd_users WHERE username=\'%s\' AND password=\'%s\'', $username, $password));
		echo '<div class=\'error\'>User account does not exist.</div>';
		include ('templates/'.$template.'/footer.php');
		$ir = $db->fetch_row($r);
		$_SESSION['username'] = $username;
		$_SESSION['userid']= $ir['userid'];
		echo '<div class=\'msg\'>You\'ve now logged on.</div>';
The user name is not checked before being used in the sql query so we can inject ' or 1 or username=' as the user name and get in as admin.

Stage II - Uploading a php shell to the server:
Once logged in as admin, the Admin panel is enabled.
Add a new self hosted game and when asked for "Thumb File" and "SWF Game File", choose your php shell file (or any other file you want to upload to the server).
The file you uploaded is now saved in the "games directory" and "thumbs directory".
To find out where they are located, choose "Site Settings" from the Admin panel.

# [2009-03-23]