By exploitdb papers bot•April 26, 2010•
papers
Exploiting 2DayBiz Advanced Poll Script: Authentication Bypass and XSS

Exploiting 2DayBiz Advanced Poll Script: Authentication Bypass and XSS
What this paper is
This paper details two vulnerabilities found in the "Advanced Poll" script by 2daybiz.com:
- Authentication Bypass: Allows unauthorized access to both user and administrator sections of the script.
- Cross-Site Scripting (XSS): Allows for the injection of malicious scripts into the search functionality.
The paper was published by Sid3^effects on April 26, 2010.
Simple technical breakdown
The script suffers from two main weaknesses:
- Authentication Bypass: The login mechanism doesn't properly validate user input. By providing a specific string (
' or 1=1 or ''=') in either the username or password field, an attacker can trick the script into thinking the login is valid, bypassing the authentication check. This is a classic SQL injection technique applied to a login form. - XSS: The search functionality in
index_search.phpdoes not sanitize user input. An attacker can inject HTML or JavaScript code into thecategoryparameter, which is then reflected back to the user's browser, potentially leading to session hijacking, defacement, or other malicious actions.
Complete code and payload walkthrough
The provided paper does not contain any executable code or shellcode. It describes the vulnerabilities and provides attack patterns.
Authentication Bypass Payload:
' or 1=1 or ''='- Purpose: This string is designed to manipulate SQL queries that are likely used for authentication.
- Breakdown:
': This likely closes an existing string literal in the SQL query.or 1=1: This condition is always true. If appended to a query, it makes the entireWHEREclause evaluate to true, allowing any user to log in.or ''=': This part is a bit redundant but ensures compatibility with different SQL query structures or potential sanitization attempts. It also evaluates to true.
- Mapping:
' or 1=1 or ''='-> Authentication bypass payload.
XSS Attack Pattern:
'"-->- Purpose: This pattern is used to break out of existing HTML tags and inject new HTML or JavaScript.
- Breakdown:
": This likely closes an HTML attribute value.': This likely closes another HTML attribute value or a string within JavaScript.-->: This closes an HTML comment. Once a comment is closed, any subsequent HTML or JavaScript code will be interpreted by the browser.
- Mapping:
'"-->-> XSS injection payload.
Note: The paper does not provide the actual vulnerable PHP code or the specific SQL queries being manipulated. The explanation above is based on common patterns for these types of vulnerabilities.
Practical details for offensive operations teams
- Required Access Level: Low (unauthenticated user).
- Lab Preconditions:
- A deployed instance of the "Advanced Poll" script (version vulnerable to these issues).
- Access to the web server hosting the script.
- A web browser for testing.
- Tooling Assumptions:
- Web browser.
- Proxy tool (e.g., Burp Suite, OWASP ZAP) for intercepting and modifying requests.
- Basic understanding of SQL injection and XSS.
- Execution Pitfalls:
- Authentication Bypass:
- The exact SQL query structure might vary, requiring slight modifications to the payload.
- Web Application Firewalls (WAFs) might detect and block the payload.
- The script might have been patched by the vendor or a system administrator.
- XSS:
- The
categoryparameter might be URL-encoded, requiring the attacker to encode their payload. - The reflected output might be filtered or sanitized by the server-side script, preventing successful injection.
- The injected script might not execute if the user's browser has JavaScript disabled or specific security settings.
- The
index_search.phpscript might not be accessible or might have different parameters.
- The
- Authentication Bypass:
- Tradecraft Considerations:
- Reconnaissance: Identify the specific version of the "Advanced Poll" script being used. Check for
robots.txtor directory listings that might reveal admin paths. - Enumeration: Test login forms for common vulnerabilities. Use a proxy to observe how search queries are processed.
- Payload Crafting: For XSS, tailor payloads to bypass filters and achieve the desired outcome (e.g., stealing cookies, redirecting users). For authentication bypass, experiment with variations of the SQL injection string.
- Post-Exploitation (Auth Bypass): Once authenticated as admin, explore the admin panel for further vulnerabilities or sensitive information.
- Post-Exploitation (XSS): If successful, the injected script can be used to capture user credentials, session tokens, or redirect users to malicious sites.
- Reconnaissance: Identify the specific version of the "Advanced Poll" script being used. Check for
Where this was used and when
- Context: This vulnerability would be exploited against websites that have integrated the "Advanced Poll" script into their web applications.
- Approximate Years/Dates: The paper was published in 2010. Therefore, this vulnerability was likely actively exploited around that time and in the years immediately following, until patches were applied or the script was no longer in use.
Defensive lessons for modern teams
- Input Validation is Paramount: Never trust user input. All data received from the client-side must be rigorously validated and sanitized before being used in database queries or rendered in HTML.
- Parameterized Queries/Prepared Statements: For database interactions, always use parameterized queries or prepared statements. This is the most effective defense against SQL injection.
- Output Encoding: When displaying user-supplied data in HTML, always encode it appropriately to prevent XSS. For example, convert characters like
<,>,&, and"into their HTML entities (<,>,&,"). - Web Application Firewalls (WAFs): While not a silver bullet, WAFs can provide a layer of defense by detecting and blocking known malicious patterns. However, they can be bypassed.
- Regular Patching and Updates: Keep all web applications and their components updated to the latest secure versions.
- Security Audits and Code Reviews: Regularly audit web application code for common vulnerabilities like SQL injection and XSS.
- Principle of Least Privilege: Ensure that user accounts and administrative interfaces have the minimum necessary privileges.
ASCII visual (if applicable)
This paper describes web application vulnerabilities, and a simple flow diagram can illustrate the attack vectors.
+-----------------+ +--------------------+ +-----------------+
| Attacker's |----->| Web Application |----->| Target System |
| Browser | | (Advanced Poll) | | (Server) |
+-----------------+ +--------------------+ +-----------------+
^ |
| | (Vulnerable Login)
| v
| +-----------------+
| | Authentication |
| | Bypass Payload |
| | (' or 1=1 or '')|
| +-----------------+
|
| (Vulnerable Search)
v
+-----------------+
| XSS Payload |
| ('"-->) |
+-----------------+Explanation:
- The attacker interacts with the web application.
- For authentication bypass, a specially crafted string is sent to the login form, which is then processed by the application's authentication logic, leading to unauthorized access.
- For XSS, a malicious string is sent to the search functionality. If not properly sanitized, this string is reflected back to the user's browser, executing the injected script.
Source references
- Paper Title: 2DayBiz Advanced Poll Script - Cross-Site Scripting / Authentication Bypass
- Author: Sid3^effects
- Published: 2010-04-26
- Paper URL: https://www.exploit-db.com/papers/12395
- Vendor: http://www.2daybiz.com/
Original Exploit-DB Content (Verbatim)
______________________________________________________________________________
XSS and Authentication bypass in Advanced Poll Script
Vendor:http://www.2daybiz.com/ ___________________________Author:Sid3^effects_________________________________
Description :
Advanced Poll is a polling system with powerful administration tool supports both text file and MySQL database. Its features include multiple polls, unlimited options, IP-Logging, IP-Locking, cookie support, comment feature, vote expire feature, and random poll support.
script cost :$140
---------------------------------------------------------------------------
* Authentication bypass:
The following script has authentication bypass in the admin login as well as in user login
use ' or 1=1 or ''=' in both login and password.
user login demo :http://server/polls/login.php
admin login demo: http://server/polls/admin/
---------------------------------------------------------------------------
* XSS (cross site scripting ) :
XSS is also found in the search field.
Attack Pattern: '"-->
DEMO:http://server/polls/index_search.php?category= [XSS]
---------------------------------------------------------------------------
ShoutZ :
-------
---Indian Cyber warriors--Andhra hackers--
Greetz :
--------
---*L0rd ÇrusAdêr*---d4rk-blu™® [ICW]---R45C4L idi0th4ck3r---CR4C|< 008---M4n0j--MayUr--