How to patch your PhoenixPHP Injection Hole
PhoenixPHP SQL Injection - YouTube
Watch the above video, which demonstrates how I got access to a database in a few simple steps.
HOW TO PATCH THIS
The exploit hole is very easy to fix!
Find:
Code:
<?php
}
elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
{
if(isset($_GET["user"]))
{
$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["user"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
else if(isset($_GET["ip"]))
{
$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["ip"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
$ban = @mysql_fetch_array($query);
?>
and replace with
Code:
<?php
}
elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
{
	if(isset($_GET["user"]))
	{
		// Escape quote and backslash characters before the value is placed inside the quoted SQL literal
		$_GET["user"] = mysql_real_escape_string($_GET["user"]);
		$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["user"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
	}
	else if(isset($_GET["ip"]))
	{
		// Same treatment for the ip parameter, which lands in the same quoted position
		$_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
		$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["ip"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
	}
	$ban = @mysql_fetch_array($query);
?>
Simples :)
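The patch above works by escaping the quote characters so the attacker's input cannot break out of the string literal, and that is a genuine fix for this line. Two caveats a practitioner will want: mysql_real_escape_string() needs an open mysql_* connection (and the connection's character set) to do its job, and the whole mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0, so a hotel that is ever upgraded will need prepared statements anyway. The following is an added example, not PhoenixPHP code and not from any poster in this thread. It shows the ban lookup from the post above in its vulnerable string-concatenation form beside a prepared-statement version, and drives both with a normal name and with a tautology payload. It runs stand-alone against an in-memory SQLite database through PDO; the column names value and expire are from the post, while the reason column, the sample rows and the strftime('%s','now') expression (standing in for MySQL's UNIX_TIMESTAMP()) are assumptions made for this example.

```php
<?php
// Added example, not PhoenixPHP code: the ban lookup from the post above,
// first as the original string concatenation and then as a prepared statement.
// Runs stand-alone against an in-memory SQLite database; on MySQL the expire
// check would read "expire > UNIX_TIMESTAMP()" exactly as in PhoenixPHP.
// Column names value/expire come from the post; "reason" and the sample rows
// are constructed for this example.

function openBanDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE bans (id INTEGER PRIMARY KEY, value TEXT NOT NULL, reason TEXT, expire INTEGER NOT NULL)');
    // Constructed sample data: one active ban and one that has already expired.
    $db->exec("INSERT INTO bans (value, reason, expire) VALUES ('mallory', 'spam', strftime('%s','now') + 3600)");
    $db->exec("INSERT INTO bans (value, reason, expire) VALUES ('oldtimer', 'expired', strftime('%s','now') - 3600)");
    return $db;
}

// VULNERABLE: same shape as the original index.php line. Whatever arrives in
// ?user= becomes part of the SQL text, so a quote in the input ends the
// string literal and the rest of the input is parsed as SQL.
function lookupBanVulnerable(PDO $db, string $user): ?array
{
    $sql = "SELECT * FROM bans WHERE value = '" . $user . "'"
         . " AND expire > strftime('%s','now') ORDER BY expire DESC LIMIT 1";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: the query text is fixed at prepare() time and the input is sent
// separately as a bound value, so it can only ever be compared as data.
function lookupBanSafe(PDO $db, string $user): ?array
{
    $stmt = $db->prepare(
        "SELECT * FROM bans WHERE value = :value"
      . " AND expire > strftime('%s','now') ORDER BY expire DESC LIMIT 1"
    );
    $stmt->execute([':value' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = openBanDb();

// Ordinary input: both versions find the active ban and neither sees the expired one.
printf("vulnerable, normal input: %s\n", lookupBanVulnerable($db, 'mallory')['reason'] ?? 'no ban');
printf("safe,       normal input: %s\n", lookupBanSafe($db, 'mallory')['reason'] ?? 'no ban');
printf("safe,       expired ban : %s\n", lookupBanSafe($db, 'oldtimer')['reason'] ?? 'no ban');

// Hostile input: a tautology in the user parameter. The concatenated query
// becomes  ... WHERE value = 'x' OR '1'='1' AND expire > ...  and returns the
// first active ban even though no user "x" exists; the prepared statement
// looks for a user literally named  x' OR '1'='1  and finds nothing.
$payload = "x' OR '1'='1";
printf("vulnerable, payload     : %s\n", lookupBanVulnerable($db, $payload)['value'] ?? 'no ban');
printf("safe,       payload     : %s\n", lookupBanSafe($db, $payload)['value'] ?? 'no ban');
```

Run it with php on a build that has the pdo_sqlite extension. With the payload, the vulnerable lookup hands back mallory's row while the safe lookup reports no ban; that difference, not the escaping of any particular character, is the property to aim for. On the MySQL install PhoenixPHP targets, the same shape is a mysqli prepared statement: prepare the query with a ? placeholder in place of the quoted value, then bind_param('s', $_GET["user"]) before execute(). Escaping, whether through mysql_real_escape_string() directly or through the core class's EscapeStringHK(), only protects the quoted-string context; it does nothing for a value concatenated into a numeric comparison, an ORDER BY column or a LIMIT clause, which is why the prepared-statement form is the one to reach for once you are editing the file anyway.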
Re: How to patch your PhoenixPHP Injection Hole
I also posted a fix for this months ago... But good job anyways. And yes it is a serious exploit. I would recommend everybody that uses phoenix php or any edit of it to patch it as soon as possible.
Re: How to patch your PhoenixPHP Injection Hole
PHP Code:
<?php
}
elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
{
if(isset($_GET["user"]))
{
$_GET["user"] = mysql_real_escape_string($_GET["user"]);
$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["user"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
else if(isset($_GET["ip"]))
{
$_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["ip"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
$ban = @mysql_fetch_array($query);
?>
Why do you make variables that don't even need to be there?....
PHP Code:
<?php
}
elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
{
	if(isset($_GET["user"]))
	{
		// Escape inline, at the point where the value enters the quoted literal, instead of overwriting $_GET
		$query = mysql_query("SELECT * FROM bans WHERE value = '". mysql_real_escape_string($_GET["user"]) ."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
	}
	else if(isset($_GET["ip"]))
	{
		$query = mysql_query("SELECT * FROM bans WHERE value = '". mysql_real_escape_string($_GET["ip"]) ."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
	}
	$ban = @mysql_fetch_array($query);
?>
Does the same thing as yours, but you have created some variables that don't even need to be there?
Re: How to patch your PhoenixPHP Injection Hole
Quote:
Originally Posted by
Jupos
Ah that's my fault for not searching, my bad.
Quote:
Originally Posted by
Law
PHP Code:
<?php
}
elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
{
if(isset($_GET["user"]))
{
$_GET["user"] = mysql_real_escape_string($_GET["user"]);
$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["user"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
else if(isset($_GET["ip"]))
{
$_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["ip"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
$ban = @mysql_fetch_array($query);
?>
Why do you make variables that don't even need to be there?....
PHP Code:
<?php
}
elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
{
if(isset($_GET["user"]))
{
$query = mysql_query("SELECT * FROM bans WHERE value = '". mysql_real_escape_string($_GET["user"]) ."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
else if(isset($_GET["ip"]))
{
$query = mysql_query("SELECT * FROM bans WHERE value = '". mysql_real_escape_string($_GET["ip"]) ."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
$ban = @mysql_fetch_array($query);
?>
Does the same thing as yours, but you have created some variables that don't even need to be there?
I haven't created them? The $_GET array is already set...
Quote:
Originally Posted by
leenster
I also posted a fix for this months ago... But good job anyways. And yes it is a serious exploit. I would recommend everybody that uses phoenix php or any edit of it to patch it as soon as possible.
As I said above yes, I didn't search :(
But yes serious stuff.
Re: How to patch your PhoenixPHP Injection Hole
Quote:
Originally Posted by
TomJacko95
Ah that's my fault for not searching, my bad.
I haven't created them? The $_GET array is already set...
PHP Code:
$_GET["user"] = mysql_real_escape_string($_GET["user"]);
$_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
I mean those.
Re: How to patch your PhoenixPHP Injection Hole
Quote:
Originally Posted by
Law
PHP Code:
$_GET["user"] = mysql_real_escape_string($_GET["user"]);
$_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
I mean those.
They are already part of the script, I haven't created them...
When you get banned it produces an error on the index page; using the GET variables, it connects to the database.
In theory
x = secure(x)
I don't quite get what you're trying to say...
Re: How to patch your PhoenixPHP Injection Hole
Quote:
Originally Posted by
TomJacko95
They are already part of the script, I haven't created them...
When you get banned it produces an error on the index page; using the GET variables, it connects to the database.
In theory
x = secure(x)
I don't quite get what you're trying to say...
Quote:
Originally Posted by
TomJacko95
PHP Code:
<?php
/*
Before you edited
$_GET["user"] = mysql_real_escape_string($_GET["user"]);
and
$_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
is not here.
*/
}
elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
{
if(isset($_GET["user"]))
{
$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["user"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
else if(isset($_GET["ip"]))
{
$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["ip"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
$ban = @mysql_fetch_array($query);
?>
and replace with
PHP Code:
<?php
/*
Your edited code has
$_GET["user"] = mysql_real_escape_string($_GET["user"]);
and
$_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
*/
}
elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
{
if(isset($_GET["user"]))
{
$_GET["user"] = mysql_real_escape_string($_GET["user"]);
$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["user"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
else if(isset($_GET["ip"]))
{
$_GET["ip"] = mysql_real_escape_string($_GET["ip"]);
$query = mysql_query("SELECT * FROM bans WHERE value = '".$_GET["ip"]."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
$ban = @mysql_fetch_array($query);
?>
Simples :)
Read the text within the /* */ markings :/
Understand now?
Re: How to patch your PhoenixPHP Injection Hole
Lol'd PhoenixPHP comes with security in the core class.
PHP Code:
// Trims whitespace, removes any backslashes already present, then escapes the value for use inside a quoted MySQL literal
public static function EscapeStringHK($string = '')
{
	return mysql_real_escape_string(stripslashes(trim($string)));
}
So you can just do
PHP Code:
elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
{
	if(isset($_GET["user"]))
	{
		// EscapeStringHK handles the escaping, so the raw $_GET value never touches the query string
		$query = mysql_query("SELECT * FROM bans WHERE value = '".$core->EscapeStringHK($_GET["user"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
	}
	else if(isset($_GET["ip"]))
	{
		$query = mysql_query("SELECT * FROM bans WHERE value = '".$core->EscapeStringHK($_GET["ip"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
	}
	$ban = @mysql_fetch_array($query);
}
Re: How to patch your PhoenixPHP Injection Hole
Maybe you should remove the video, because n00bs will start injecting.
Re: How to patch your PhoenixPHP Injection Hole
password 2324fge523w34t code can also do havij lol >...<
Tut is nice.
Re: How to patch your PhoenixPHP Injection Hole
Quote:
Originally Posted by
Fearhotel
Maybe you should remove the video, because n00bs will start injecting.
Fortunately, not many hotels are vulnerable to this kind of attack on the index page, and I'm sure noobs will be able to find any other injection holes.
Re: How to patch your PhoenixPHP Injection Hole
You turned this thread into a hack tutorial thread....
Re: How to patch your PhoenixPHP Injection Hole
Quote:
Originally Posted by
Nesar
You turned this thread into a hack tutorial thread....
It's not a hack tutorial, I don't give any instructions on how to go about this attack, details on what to use or how to use it.
The video explains pretty much nothing.
Re: How to patch your PhoenixPHP Injection Hole
Quote:
Originally Posted by
Hejula
Lol'd PhoenixPHP comes with security in the core class.
PHP Code:
public static function EscapeStringHK($string = '')
{
return mysql_real_escape_string(stripslashes(trim($string)));
}
So you can just do
PHP Code:
elseif(isset($_GET["error"]) && $_GET["error"] == "ban")
{
if(isset($_GET["user"]))
{
$query = mysql_query("SELECT * FROM bans WHERE value = '".$core->EscapeStringHK($_GET["user"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
else if(isset($_GET["ip"]))
{
$query = mysql_query("SELECT * FROM bans WHERE value = '".$core->EscapeStringHK($_GET["ip"])."' AND expire > UNIX_TIMESTAMP() ORDER BY expire DESC LIMIT 1");
}
$ban = @mysql_fetch_array($query);
}
I don't use phoenixphp and I do not intend to use phoenixphp either. So I wouldn't have known of the function :)