// --- WWWThread RC 3 MultBugs --- //
* D3vil-0x1 | Devil-00
* www.securitygurus.net
* Gr33tz
- HACKERS PAL | n0m3rcy | -
&
All Others << i forgot them :))
//---------------------------------//
//---------------------------------// [ Bug 1 ] //---------------------------------//
// File name :- register.php
// Bug :- Remote [ _COKKIE['forumreferrer] ] SQL Injection
/* Code
//
if(isset($_COOKIE["forumreferrer"]))
{
$referral_id = $_COOKIE["forumreferrer"];
$result = $db->query('SELECT referral_count FROM '.$db->prefix.'users WHERE id='.$referral_id) or error(mysql_error(), __FILE__, __LINE__, $db->error());
list($referral_val) = $db->fetch_row($result);
$rval = $referral_val[0] + 1;
$db->query('UPDATE '.$db->prefix.'users SET referral_count='. $rval . ' WHERE id='.$ referral_id) or error(mysql_error(), __FILE__, __LINE__, $db->error());
}
//
*/
Fix :-
/*
$referral_id = intval($_COOKIE["forumreferrer"]);
*/
//---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------//
//---------------------------------// [ Bug 2 ] //---------------------------------//
// File name :- message_list.php
// Bug :- Remote SQL Injection
/* Code
if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
if( isset($_POST['delete_messages_comply']) )
{
confirm_referrer('message_list.php');
$db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.$_POST['messages'].') AND owner= ''.$forum_user['id'].''') or error(mysql_error(), __FILE__, __LINE__, $db->error());
redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
}
*/
// Fix :-
Replace with this code :D
if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
if( isset($_POST['delete_messages_comply']) )
{
confirm_referrer('message_list.php');
$db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.intval($_POST['messages']).') AND owner= ''.$forum_user['id'].''') or error(mysql_error(), __FILE__, __LINE__, $db->error());
redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
}
// Exploit
- Resend This Requsit By HTTPLiveHeaders :D -
messages=[SQL]&box=0&delete_messages_comply=Delete