WWWThread RC 3 MultBugs

o.y.6@xxxxxxxxxxx · 19 Apr 2006 19:01:08 -0000



[code]// --- WWWThread RC 3 MultBugs --- //

	* D3vil-0x1 | Devil-00
    * www.securitygurus.net
    * Gr33tz
    	- HACKERS PAL | n0m3rcy | -

            	&
                		All Others << i forgot them :))

//---------------------------------//

//---------------------------------// [ Bug 1 ] //---------------------------------//

// File name :- register.php
// Bug :- Remote [ _COKKIE['forumreferrer] ] SQL Injection

/* Code
	//
if(isset($_COOKIE["forumreferrer"]))
	{
		$referral_id = $_COOKIE["forumreferrer"];
		$result = $db->query('SELECT referral_count FROM '.$db->prefix.'users WHERE id='.$referral_id) 		  or error(mysql_error(), __FILE__, __LINE__, $db->error());
		list($referral_val) = $db->fetch_row($result);
		$rval = $referral_val[0] + 1;
		$db->query('UPDATE '.$db->prefix.'users SET referral_count='. $rval . ' WHERE id='.$				  referral_id) or error(mysql_error(), __FILE__, __LINE__, $db->error());
	}
    //
*/

Fix :-

/*
$referral_id = intval($_COOKIE["forumreferrer"]);
*/


//---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------//

//---------------------------------//  [ Bug 2 ] //---------------------------------//

// File name :- message_list.php
// Bug :- Remote SQL Injection

/* Code

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
	if( isset($_POST['delete_messages_comply']) )
	{
		confirm_referrer('message_list.php');
		$db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.$_POST['messages'].') AND owner=			\''.$forum_user['id'].'\'') or error(mysql_error(), __FILE__, __LINE__, $db->error());
		redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
	}

*/

// Fix :-

Replace with this code :D

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
	if( isset($_POST['delete_messages_comply']) )
	{
		confirm_referrer('message_list.php');
		$db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.intval($_POST['messages']).') AND owner=			\''.$forum_user['id'].'\'') or error(mysql_error(), __FILE__, __LINE__, $db->error());
		redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
	}

// Exploit

- Resend This Requsit By HTTPLiveHeaders :D -

messages=[SQL]&box=0&delete_messages_comply=Delete
[/code]