SQL-Injection in IP-TRACKING Mod for phpBB2.0.x

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: SQL-Injection in IP-TRACKING Mod for phpBB2.0.x
From: Cornelius Riemenschneider <c.r1@xxxxxx>
Date: Sun, 20 May 2007 19:48:06 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 2.0.0.0 (X11/20070326)

Information: The IP-Tracking Mod is a Extension for phpBB2.0.x whichlogs all Page hits the user of the Boards do including Referer, IP andUsername. It contains a SQL-Injection on Admin-Level. You can get itfrom:http://www.phpbb.de/viewtopic.php?t=63690&postdays=0&postorder=asc&start=0

Steps to reproduce: Go into your ACP, select under IP-TrackingIP-Search, select "no" at use wildcards and enter in Search Query whatyou want. It is direct passed through the Query. As Search Type I used IP.


PoC: enter

' UNION SELECT user_password asip,user_id,username,user_active,user_regdate,user_level,user_posts fromphpbb_users#

as Search-Query. This will display you all the hashed Userpasswords in IP

Prev by Date: phpPgAdmin-4.1.1 Remote File Include & Url Redirecting Vulnerabilitiy
Next by Date: RedLevel Advisory #021 - CubeCart v3.0.16 SQL Injection Vulnerability
Previous by thread: phpPgAdmin-4.1.1 Remote File Include & Url Redirecting Vulnerabilitiy
Next by thread: RedLevel Advisory #021 - CubeCart v3.0.16 SQL Injection Vulnerability
Index(es):
- Date
- Thread