Possible patch for SQL Injections In bcoos 1.0.10
From: Lostmon <lost...@gmail.com>
Date: Sun, 2 Dec 2007 20:22:23 +0100
Subject: Possible patch for SQL Injections In bcoos 1.0.10

CVE-2007-5104
CVE-2007-6079
CVE-2007-6080

#######################################################
Possible patch for SQL Injections In bcoos 1.0.10
vendor url: http://www.bccos.net
Patch by Lostmon. (lost...@gmail.com)
Original article: http://lostmon.blogspot.com/2007/12/posible-patch-for-sql-injections-in.html
#######################################################

In the last week some researchers and I have found multiple
critical SQL injections in bcoos 1.0.10 and prior versions.

After a simple study/look at the source code of the product
I have found a simple patch. This is not an official patch, but it
still works fine before the vendor releases an official patch or
a new release.

You can use this modification as a solution to mitigate all
SQL injections; it only needs to detect the 'union' SQL command.

##########################
Sample code
##########################
you need to add this code to all affected files ...

if (eregi("%20union%20", $lid) || eregi(" union ", $lid) ||
    eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))
{
    echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
    redirect_header("index.php");
    die();
}

###########################
patch mylinks/ratelink.php
############################

open ratelink.php and around line 73 you have an 'else' like } else {

put the code just before the else condition like :

}

if (eregi("%20union%20", $lid) || eregi(" union ", $lid) ||
    eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))
{
    echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
    redirect_header("index.php");
    die();
}

else {

save and close the file and now it's patched
try to exploit it to verify :

http://localhost/bcoops/modules/mylinks/ratelink.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

###############################
patch adresses/ratefile.php
##############################

open ratefile.php and around line 70 you have an else like } else {

put the code just before the else condition like :

}

if (eregi("%20union%20", $lid) || eregi(" union ", $lid) ||
    eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))
{
    echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
    redirect_header("index.php");
    die();
}

else {

save and close the file and now it's patched
try to exploit it to verify :

http://localhost/bcoops/modules/adresses/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

###############################
patch mysections/ratefile.php
##############################

open ratefile.php and around line 77 you have an else like } else {

put the code just before the else condition like :

}

if (eregi("%20union%20", $lid) || eregi(" union ", $lid) ||
    eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))
{
    echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
    redirect_header("index.php");
    die();
}

else {

save and close the file and now it's patched
try to exploit it to verify :

http://localhost/bcoops/modules/mysections/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

you can patch all of the rate files with the same code, because
for rating the code and functions are similar in different modules.

####################### €nd ################################

thnx to estrella to be my light.
thnx to all Lostmon Group Team !!
Thnx To All OSVDB manglers !!! Waiting for OSVDB 2.0 !!!
Thnx To orinico i know how can i do :D

--
sincerely:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....


From: Lostmon <lost...@gmail.com>
Date: Mon, 3 Dec 2007 21:08:56 +0100
Subject: Re: Possible patch for SQL Injections In bcoos 1.0.10
patch for banners/click.php sql injection in bcoos 1.0.10

at this moment only the arcade module is vulnerable to sql injections...
but after a study of the arcade module i think that the cat_id variable is
prone to sql injections too

http://localhost/modules/arcade/index.php?act=show_cat&cat_id=8 or 1=1
this lists all categories without any error. but if we try to inject a
real time exploit like

-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

does not work , ummmm

############################
patch banners/click.php
############################

open click.php and around line 5 you have $bid = $_GET['bid'];

put the code just after this line :

}

if (eregi("%20union%20", $bid) || eregi(" union ", $bid) ||
    eregi("\*union\*", $bid) || eregi("\+union\+", $bid) || eregi("\*", $bid))
{
    echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
    redirect_header("index.php");
    die();
}

save and close the file and now it's patched
try to exploit it to verify :

http://localhost/bcoops/modules/banners/click.php?bid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

######################################################

--
sincerely:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....


From: Lost...@gmail.com
Date: Tue, 4 Dec 2007 11:20:29 -0800 (PST)
Subject: Re: Possible patch for SQL Injections In bcoos 1.0.10
Hello !!

now patch arcade module ...

###########################
patch arcade/index.php
############################

open index.php and around line 15 you have a switch($act)

put the code just before the switch

if (eregi("%20union%20", $gid) || eregi(" union ", $gid) ||
    eregi("\*union\*", $gid) || eregi("\+union\+", $gid) || eregi("\*", $gid))
{
    echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
    redirect_header("index.php");
    die();
}

try to exploit it :

http://localhost/bcoops/modules/arcade/index.php?act=show_stats&gid=-...

or

http://localhost/bcoops/modules/arcade/index.php?act=play_game&gid=-1...

And now all have an emergency patch for all sql injections published in
this product :)))

--
sincerely:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....
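
Added example (an editor's addition, not part of Lostmon's posts and not bcoos code): the checks in this thread look for the keyword 'union', while the `8 or 1=1` value quoted in the second post contains no such keyword. Assuming lid, bid, gid and cat_id are meant to be numeric record IDs, as the test URLs suggest, the code below accepts only positive integers and then binds the value in a prepared statement. The function name, the links table and the in-memory SQLite database are hypothetical stand-ins; it assumes PHP 7.1+ with pdo_sqlite.

```php
<?php
// Added example, not bcoos code. int_id_or_null() and the "links" table
// are hypothetical names chosen for illustration.

/**
 * Return the named request parameter as a positive integer, or null if it
 * is missing or is anything other than a plain decimal ID.
 */
function int_id_or_null(array $query, string $name): ?int
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return null; // missing, or an array such as ?lid[]=1
    }
    $id = filter_var($query[$name], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample values; the second and third are the strings quoted
// in the posts above, URL-decoded.
$samples = [
    '42',
    '-1 UNION SELECT pass FROM bcoos_users LIMIT 1',
    '8 or 1=1',
    '42abc',
    '',
];
foreach ($samples as $raw) {
    $id = int_id_or_null(['lid' => $raw], 'lid');
    printf("%-50s => %s\n", var_export($raw, true),
           $id === null ? 'rejected' : "accepted as $id");
}

// Second layer: bind the validated value instead of concatenating it into
// the SQL text. In-memory SQLite stands in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE links (lid INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO links VALUES (42, 'example link')");

$id = int_id_or_null(['lid' => '42'], 'lid');
if ($id !== null) {
    $stmt = $pdo->prepare('SELECT title FROM links WHERE lid = ?');
    $stmt->execute([$id]);
    echo $stmt->fetchColumn(), "\n";
}
```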

