How to patch your PhoenixPHP Injection Hole

  1. #1 TomJacko95 (Member; joined Oct 2011; England; 97 posts)

    How to patch your PhoenixPHP Injection Hole

    PhoenixPHP SQL Injection - YouTube

    Watch the above video, which demonstrates how I got access to a database in a few simple steps.

    HOW TO PATCH THIS
    The exploit hole is very easy to fix!

    Find:
    Code:
    <?php
    			}
    			
    			elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
    			{
    				if(isset($_GET["user"]))
    				{
    
    					$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["user"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
    				}
    				else if(isset($_GET["ip"]))
    				{
    
    					$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["ip"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
    				}
    				$ban = @mysql_fetch_array($query);
    ?>
    and replace with


    Code:
    <?php
    			}
    			
    			elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
    			{
    				if(isset($_GET["user"]))
    				{
    					$_GET["user"] = mysql_real_escape_string($_GET["user"]);
    					$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["user"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
    				}
    				else if(isset($_GET["ip"]))
    				{
    					$_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
    					$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["ip"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
    				}
    				$ban = @mysql_fetch_array($query);
    ?>
    Simples :)

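Added example, not PhoenixPHP's code and not the poster's: the same ban lookup written with a mysqli prepared statement, which keeps the request value out of the SQL text entirely instead of escaping it into a quoted string. The mysql_* functions used throughout this thread were removed in PHP 7.0, and mysql_real_escape_string is only safe when it is given an open connection whose charset matches the table's, so on any current PHP this is the form to use. It assumes an open mysqli connection $db and the bans table (columns value and expire) from the snippets above; the function names find_active_ban and ban_from_request are assumptions for the example.

```php
<?php
// Added example (not PhoenixPHP code): the index.php ban lookup from the
// thread, rewritten with a mysqli prepared statement so the ?user= / ?ip=
// value is bound as data and can never change the query structure.
// Assumed: $db is an open mysqli connection and the `bans` table has the
// columns `value` and `expire` used in the thread's query.

/**
 * Look up the most recent active ban for a username or IP address.
 * Returns the ban row as an associative array, or null if none is active.
 */
function find_active_ban(mysqli $db, string $value): ?array
{
    // The ? placeholder is bound as a string below; quotes, backslashes or
    // comment markers in $value stay inside the parameter and are not parsed
    // as SQL, which is what escaping into '...' only approximates.
    $sql = "SELECT * FROM bans WHERE value = ? AND expire > UNIX_TIMESTAMP() "
         . "ORDER BY expire DESC LIMIT 1";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        // Do not swallow this with @ as the original does; a failed prepare
        // would otherwise surface as an undefined $query further down.
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    $stmt->bind_param('s', $value);
    $stmt->execute();

    $result = $stmt->get_result();          // requires the mysqlnd driver
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();

    return $row ?: null;                    // fetch_assoc() gives null on no rows
}

/**
 * Equivalent of the thread's index.php branch: pick ?user= or ?ip=, and run
 * no query at all when neither is present (the original leaves $query
 * undefined in that case and then calls mysql_fetch_array on it).
 */
function ban_from_request(mysqli $db, array $get): ?array
{
    if (isset($get['user'])) {
        $value = (string) $get['user'];
    } elseif (isset($get['ip'])) {
        $value = (string) $get['ip'];
    } else {
        return null;
    }
    return find_active_ban($db, $value);
}

// Usage on the ban error page. $db is assumed to be an open mysqli
// connection with the charset set, e.g. $db->set_charset('utf8mb4').
// $ban = ban_from_request($db, $_GET);
```

The hotel's existing connection code still has to be converted from mysql_connect to mysqli (or PDO) for this to run; once it is, the same prepare/bind pattern applies to every other query in index.php that concatenates $_GET or $_POST values, not only the ban lookup shown here.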

  2. #2 NoBrain "(still lacks brains)" (Member; joined Sep 2011; United Kingdom; 2,658 posts)

    Re: How to patch your PhoenixPHP Injection Hole


  3. #3
    [̲̅$̲̅(̲̅1̲̅)̲̅$ ̲̅] leenster is offline
    MemberRank
    May 2008 Join Date
    KanaadaLocation
    992Posts

    Re: How to patch your PhoenixPHP Injection Hole

    I also posted a fix for this months ago... But good job anyway. And yes, it is a serious exploit. I would recommend everybody that uses PhoenixPHP or any edit of it to patch it as soon as possible.

  4. #4 Law "Garry's Mod is addictive!" (Member; joined Dec 2009; Norway; 993 posts)

    Re: How to patch your PhoenixPHP Injection Hole

    PHP Code:
    <?php
                }

                elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
                {
                    if(isset($_GET["user"]))
                    {
                        $_GET["user"] = mysql_real_escape_string($_GET["user"]);
                        $query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["user"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                    }
                    else if(isset($_GET["ip"]))
                    {
                        $_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
                        $query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["ip"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                    }
                    $ban = @mysql_fetch_array($query);
    ?>
    Why do you make variables that don't even need to be there?....

    PHP Code:
    <?php
                }

                elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
                {
                    if(isset($_GET["user"]))
                    {
                        $query = mysql_query("SELECT * FROM bans WHERE value = '".mysql_real_escape_string($_GET["user"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                    }
                    else if(isset($_GET["ip"]))
                    {
                        $query = mysql_query("SELECT * FROM bans WHERE value = '".mysql_real_escape_string($_GET["ip"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                    }
                    $ban = @mysql_fetch_array($query);
    ?>
    Does the same thing as yours, but you have created some variables that don't even need to be there?

  5. #5 TomJacko95 (Member; joined Oct 2011; England; 97 posts)

    Re: How to patch your PhoenixPHP Injection Hole

    Quote Originally Posted by Jupos:
    Ah that's my fault for not searching, my bad.

    Quote Originally Posted by Law:
    PHP Code:
    <?php
                }

                elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
                {
                    if(isset($_GET["user"]))
                    {
                        $_GET["user"] = mysql_real_escape_string($_GET["user"]);
                        $query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["user"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                    }
                    else if(isset($_GET["ip"]))
                    {
                        $_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
                        $query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["ip"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                    }
                    $ban = @mysql_fetch_array($query);
    ?>
    Why do you make variables that don't even need to be there?....

    PHP Code:
    <?php
                }

                elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
                {
                    if(isset($_GET["user"]))
                    {
                        $query = mysql_query("SELECT * FROM bans WHERE value = '".mysql_real_escape_string($_GET["user"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                    }
                    else if(isset($_GET["ip"]))
                    {
                        $query = mysql_query("SELECT * FROM bans WHERE value = '".mysql_real_escape_string($_GET["ip"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                    }
                    $ban = @mysql_fetch_array($query);
    ?>
    Does the same thing as yours, but you have created some variables that don't even need to be there?
    I haven't created them? The $_GET array is already set...

    Quote Originally Posted by leenster:
    I also posted a fix for this months ago... But good job anyway. And yes, it is a serious exploit. I would recommend everybody that uses PhoenixPHP or any edit of it to patch it as soon as possible.
    As I said above yes, I didn't search :(

    But yes serious stuff.

  6. #6 Law "Garry's Mod is addictive!" (Member; joined Dec 2009; Norway; 993 posts)

    Re: How to patch your PhoenixPHP Injection Hole

    Quote Originally Posted by TomJacko95:
    Ah that's my fault for not searching, my bad.

    I haven't created them? The $_GET array is already set...

    PHP Code:
    $_GET["user"] = mysql_real_escape_string($_GET["user"]);
    $_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
    I mean those.

  7. #7 TomJacko95 (Member; joined Oct 2011; England; 97 posts)

    Re: How to patch your PhoenixPHP Injection Hole

    Quote Originally Posted by Law:
    PHP Code:
    $_GET["user"] = mysql_real_escape_string($_GET["user"]);
    $_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
    I mean those.
    They are already part of the script, I haven't created them...

    When you get banned it produces an error on the index page, using the GET variables it connects to the database.

    In theory

    x = secure(x)

    I don't quite get what you're trying to say...

  8. #8 Law "Garry's Mod is addictive!" (Member; joined Dec 2009; Norway; 993 posts)

    Re: How to patch your PhoenixPHP Injection Hole

    Quote Originally Posted by TomJacko95:
    They are already part of the script, I haven't created them...

    When you get banned it produces an error on the index page, using the GET variables it connects to the database.

    In theory

    x = secure(x)

    I don't quite get what you're trying to say...
    Quote Originally Posted by TomJacko95:
    PHP Code:
    <?php
    /*
    Before you edited,
    $_GET["user"] = mysql_real_escape_string($_GET["user"]);
    and
    $_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
    are not here.
    */
                }

                elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
                {
                    if(isset($_GET["user"]))
                    {
                        $query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["user"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                    }
                    else if(isset($_GET["ip"]))
                    {
                        $query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["ip"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                    }
                    $ban = @mysql_fetch_array($query);
    ?>
    and replace with

    PHP Code:
    <?php
    /*
    Your edited code has
    $_GET["user"] = mysql_real_escape_string($_GET["user"]);
    and
    $_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
    */
                }

                elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
                {
                    if(isset($_GET["user"]))
                    {
                        $_GET["user"] = mysql_real_escape_string($_GET["user"]);
                        $query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["user"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                    }
                    else if(isset($_GET["ip"]))
                    {
                        $_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
                        $query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["ip"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
                    }
                    $ban = @mysql_fetch_array($query);
    ?>
    Simples :)
    Read the text within the /* */ markings :/

    Understand now?

  9. #9 Hejula "The one and only!" (Member; joined Nov 2008; 4,128 posts)

    Re: How to patch your PhoenixPHP Injection Hole

    Lol'd, PhoenixPHP comes with security in the core class.

    PHP Code:
    public static function EscapeStringHK($string = '')
    {
        return mysql_real_escape_string(stripslashes(trim($string)));
    }
    So you can just do

    PHP Code:
    elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
    {
        if(isset($_GET["user"]))
        {
            $query = mysql_query("SELECT * FROM bans WHERE value = '".$core->EscapeStringHK($_GET["user"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
        }
        else if(isset($_GET["ip"]))
        {
            $query = mysql_query("SELECT * FROM bans WHERE value = '".$core->EscapeStringHK($_GET["ip"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
        }
        $ban = @mysql_fetch_array($query);
    }


  10. #10 Fearhotel (Enthusiast; joined May 2011; New Zealand; 40 posts)

    Re: How to patch your PhoenixPHP Injection Hole

    Maybe you should remove the video, since n00bs will start injecting.

  11. #11 mohje (Member, Account Upgraded; joined Dec 2008; NL; 651 posts)

    Re: How to patch your PhoenixPHP Injection Hole

    password 2324fge523w34t code can also do Havij lol >...<

    Tut is nice.

  12. #12 TomJacko95 (Member; joined Oct 2011; England; 97 posts)

    Re: How to patch your PhoenixPHP Injection Hole

    Quote Originally Posted by Fearhotel:
    Maybe you should remove the video, since n00bs will start injecting.
    Fortunately, not many hotels are vulnerable to this kind of attack on the index page, and I'm sure noobs will be able to find any other injection holes.

  13. #13 Nesar (Member, Account Upgraded; joined Aug 2011; Anime Land; 748 posts)

    Re: How to patch your PhoenixPHP Injection Hole

    You turned this thread into a hack tutorial thread....

  14. #14 TomJacko95 (Member; joined Oct 2011; England; 97 posts)

    Re: How to patch your PhoenixPHP Injection Hole

    Quote Originally Posted by Nesar:
    You turned this thread into a hack tutorial thread....
    It's not a hack tutorial. I don't give any instructions on how to go about this attack, details on what to use, or how to use it.

    The video explains pretty much nothing.

  15. #15 Law "Garry's Mod is addictive!" (Member; joined Dec 2009; Norway; 993 posts)

    Re: How to patch your PhoenixPHP Injection Hole

    Quote Originally Posted by Hejula:
    Lol'd, PhoenixPHP comes with security in the core class.

    PHP Code:
    public static function EscapeStringHK($string = '')
    {
        return mysql_real_escape_string(stripslashes(trim($string)));
    }
    So you can just do

    PHP Code:
    elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
    {
        if(isset($_GET["user"]))
        {
            $query = mysql_query("SELECT * FROM bans WHERE value = '".$core->EscapeStringHK($_GET["user"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
        }
        else if(isset($_GET["ip"]))
        {
            $query = mysql_query("SELECT * FROM bans WHERE value = '".$core->EscapeStringHK($_GET["ip"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
        }
        $ban = @mysql_fetch_array($query);
    }

    I don't use PhoenixPHP and I do not intend to use PhoenixPHP either, so I wouldn't have known of the function :)
