lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070712130450.9856.qmail@securityfocus.com>
Date: 12 Jul 2007 13:04:50 -0000
From: does_not_exist@...-esp.kicks-ass.net
To: bugtraq@...urityfocus.com
Subject: MkPortal - Multiple SQL Injection Vulnerabilities

We tried very hard to find wslabis mkportal SQL Injection but after ten 
minutes of "research" we decided that it is hopeless to find exactly 
the same bug and therefore we release a compilation of 
mkportal sql injections for the interested reader.
Some of them are junk because you need a moderator acc but 
the rest is exploitable by a normal user. 
Some of the bugs can lead to user defined file deletions and command-exec bugs.

Sorry wslabi but 500$ for a bug in 
this script is just a bad joke...

File: /modules/urlobox/index.php

1 . function delete_urlo() 
    $id = $mkportals->input['idurlo'];
    $DB->query("DELETE FROM mkp_urlobox WHERE id = $id");
	       
File: /modules/reviews/index.php

1.   function update_file() 
     $iden= $mkportals->input['iden'];
     $query = $DB->query("SELECT idauth FROM mkp_reviews WHERE id = $iden");
          
2.  function del_file() 
    $iden= $mkportals->input['iden'];
    $query = $DB->query( "SELECT image, author, 
    idauth FROM mkp_reviews WHERE id = $iden");

File: /modules/news/index.php

1.  function delete_news()	
     $idnews = $mkportals->input['idnews'];
     $DB->query("DELETE FROM mkp_news WHERE id = $idnews");
     
2.  function del_comment() 
     $idcomm= $mkportals->input['idcomm'];
     $DB->query("DELETE FROM mkp_news_comments 
     WHERE id = $idcomm");
     

File: /modules/gallery/index.php

1. function delete_comments()
    $idcomm= $mkportals->input['idcomm'];
    $DB->query("DELETE FROM mkp_gallery_comments 
    WHERE id = $idcomm");

2. function edit_file()
    $iden = $mkportals->input['iden'];
    $query = $DB->query( "SELECT evento, titolo, descrizione, 
    autore, idauth FROM mkp_gallery WHERE id = $iden");

3. function update_file()
   $iden= $mkportals->input['iden'];
   $query = $DB->query("SELECT idauth FROM mkp_gallery 
   WHERE id = $iden");
   
4. function del_file()
   $iden= $mkportals->input['iden'];
   $query = $DB->query( "SELECT file, autore, idauth
   FROM mkp_gallery WHERE id = $iden");
   
5. function slide_update() { 
   $ide= $mkportals->input['ide'];
   $cat = $mkportals->input['cat'];
   $query = $DB->query( "SELECT id, titolo, file FROM mkp_gallery WHERE id > $ide 
   AND evento = $cat AND validate = '1' ORDER BY 'id' LIMIT 1");

File: /modules/downloads/index.php

1. function update_file() 
   $iden= $mkportals->input['iden'];
   $query = $DB->query( "SELECT file, data, idauth, peso 
   FROM mkp_download WHERE id = $iden");
   
2. function del_file()
    $iden= $mkportals->input['iden'];
    $query = $DB->query( "SELECT file, autore, idauth 
    FROM mkp_download WHERE id = $iden");

.......

Just look for del_, edit_ or update functions and you will find more.

greetings to jmp-esp
jmp-esp.kicks-ass.net

IRC: jmp-esp.kicks-ass.net / 6667 or 6661 (ssl) #main

   

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ