Language : PHP

Script : http://www.myphpnuke.com 1.8.8 

Problem : SQL Injection

Description : myphpnuke is a widely used Content Managemnt System.



Problem :



In auth.inc.php file,



*********************

if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {

if($aid!="" AND $pwd!="") {

$q="select pwd from ".$mpnTables['authors']." where aid='$aid'";

$result=mysql_query("select pwd from ".$mpnTables['authors']." where aid='$aid'");

list($pass)=mysql_fetch_row($result);

if ($pass == $pwd) {

$pwd1 = md5($pwd);

mysql_query("update ".$mpnTables['authors']." set pwd = '$pwd1' where aid='$aid'");

$pass = $pwd1;

} else {

$pwd1 = md5($pwd);

}

if($pass == $pwd1) {

$admin = base64_encode("$aid:$pwd1");

setcookie("admin", "$admin", time()+2592000, "", "", ""); // 1 mo is 2592000

}

}

}

********************



Here the $aid is not checked. If you open the page like,



Therefore you can run the query like,



select pwd from mpn_authors where aid='mad' into outfile '/filepath/file.txt'



when you enter 

aid=mad' into outfile '/filepath/file.txt



This will not work if magic_quotes_gpc is on.



Fix : 



Find the line

**********

if ((isset($aid)) && (isset($pwd)) && ($op == "login")) {

if($aid!="" AND $pwd!="") {

**********



Add



**********

$aid=addslashes($aid);

**********



Credit :

lifofifo & hackingzone.org