vnet576
myPHPNuke auth.inc.php SQL Injection Vulnerability

Maybe someone is interested in this exploit. It's fairly new... enjoy!

myPHPNuke is a content management system written in PHP. An SQL Injection vulnerability in the product allows remote attackers to insert malicious arbitrary SQL statements into those used by the product allowing compromise of the server and database.
Details
Vulnerable systems:
* myPHPnuke version 1.8.8

Vulnerable code, in the auth.inc.php file:

    if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
        if ($aid != "" AND $pwd != "") {
            // $aid comes straight from the request and is interpolated into the SQL string
            $q = "select pwd from " . $mpnTables['authors'] . " where aid='$aid'";
            $result = mysql_query("select pwd from " . $mpnTables['authors'] . " where aid='$aid'");
            list($pass) = mysql_fetch_row($result);
            if ($pass == $pwd) {
                // legacy plaintext password: replace it with an md5 hash in place
                $pwd1 = md5($pwd);
                mysql_query("update " . $mpnTables['authors'] . " set pwd = '$pwd1' where aid='$aid'");
                $pass = $pwd1;
            } else {
                $pwd1 = md5($pwd);
            }
            if ($pass == $pwd1) {
                $admin = base64_encode("$aid:$pwd1");
                setcookie("admin", "$admin", time()+2592000, "", "", ""); // 1 mo is 2592000
            }
        }
    }

As you can see, $aid is not checked. Therefore, you can run a query like:

    select pwd from mpn_authors where aid='mad' into outfile '/filepath/file.txt'

when you enter:

    aid=mad' into outfile '/filepath/file.txt

Workaround:
This vulnerability will not work if magic_quotes_gpc is set to on.

Fix:
Find the lines:

    if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {
    if($aid!="" AND $pwd!="") {

And add to them:

    $aid=addslashes($aid);
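The advisory's fix escapes quotes with addslashes() before the value is spliced into the SQL text. A more robust fix keeps user input out of the SQL text altogether by binding it as a parameter. The following is an added example, not code from the forum post or from myPHPNuke: it rewrites the login check with a PDO prepared statement and replaces the plaintext/md5 handling with password_hash()/password_verify(). The table name, the column names (aid, pwd) and the function name authorLoginOk are assumptions; the SQLite data at the bottom is constructed for the demonstration.

```php
<?php
// Added example (not part of the forum post or of myPHPNuke): a hardened
// replacement for the login check in auth.inc.php. The user-supplied $aid is
// bound as a query parameter, so it is never parsed as SQL, and passwords are
// stored as password_hash() output rather than plaintext or md5.
// Assumed: authors table with columns aid and pwd (the advisory's
// $mpnTables['authors']).

declare(strict_types=1);

/**
 * Returns true when $aid/$pwd match a row in the authors table.
 * $authorsTable must come from configuration, never from user input:
 * table and column names cannot be bound as parameters, so they are
 * whitelisted instead.
 */
function authorLoginOk(PDO $db, string $authorsTable, string $aid, string $pwd): bool
{
    if ($aid === '' || $pwd === '') {
        return false;
    }
    // Only letters, digits and underscore are accepted as a table name.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $authorsTable)) {
        throw new InvalidArgumentException('bad table name');
    }
    // The aid value is a bound parameter: a quote inside it is just a
    // character in the value, not the end of the string literal.
    $stmt = $db->prepare("SELECT pwd FROM {$authorsTable} WHERE aid = :aid");
    $stmt->execute([':aid' => $aid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // password_verify() handles the salted hash format and compares in
    // constant time, unlike the original "==" comparison.
    return password_verify($pwd, $row['pwd']);
}

// Self-contained demonstration against an in-memory SQLite database
// (constructed data; requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mpn_authors (aid TEXT PRIMARY KEY, pwd TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO mpn_authors (aid, pwd) VALUES (:aid, :pwd)');
$ins->execute([':aid' => 'mad', ':pwd' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// Correct credentials, wrong password, and the advisory's injection string,
// which the prepared statement now treats as a literal (non-existent) aid.
var_dump(authorLoginOk($db, 'mpn_authors', 'mad', 'correct horse'));
var_dump(authorLoginOk($db, 'mpn_authors', 'mad', 'wrong'));
var_dump(authorLoginOk($db, 'mpn_authors', "mad' into outfile '/filepath/file.txt", 'anything'));
```

Only the first call should succeed. Note that the original code's side effects (rewriting the stored password on first login and setting the base64 admin cookie) are deliberately left out; session handling belongs in a separate step once the lookup itself is safe.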
pedraM
Thanks, but how could we use this exploit? Sorry, I am a newbie.
vnet576
QUOTE (pedraM @ Oct 8 2003, 07:02 PM)
Thanks, but how could we use this exploit? Sorry, I am a newbie.

I've never researched SQL injection vulnerabilities before, so I can't help you on how to use them. However, other members have done SQL injection, so they might be able to help you.