Main Menu
Our Sponsors
Chi Kien Uong
Geranienstraße 30
71034 Böblingen
Deutschland / Germany
If you are not registered or logged in, you may still use these forums but with limited features. Show recent topics
  [Search] Search   [Hottest Topics] Hottest Topics   [Members]  Member Listing   [FAQ]  FAQ 
[Register] Register /  [Login] Login 
Advanced Guestbook 2.2 -- SQL Injection Exploit  XML
Forum Index » General Discussion
Author Message
[Post New]13/08/2004 16:31:41
    Subject:
[Up]
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
Ktoadd wrote:Mine was just hacked as well:

http://www.bluetongueskinks.net/guestbook
Fixed.

Since you are using 2.2 and now have no entries how would you fancy trying my upgrade script which should update the SQL entries from 2.2 to 2.3.1. At worst you will just have to delete all the entries from the database but as it's blank anyway .......
Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
[Post New]13/08/2004 22:49:12
    Subject:
[Up]
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline
Carbonize, I'd like to try the script. How can I get it? I will be upgrading one later tonight or tomorrow... wish I'd had it yesterday.
[Post New]13/08/2004 23:38:43
    Subject:
[Up]
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
OK back up your current SQL database. Download www.carbonize.co.uk/install.zip and extract the file. Replace the install.php in 2.3.1 with this one. Then upload 2.3.1 to your host, preferably in a different folder to 2.2. Fill i the admin/config.php and then try the install.php. I hope it works.
Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
[Post New]13/08/2004 23:51:51
    Subject:
[Up]
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline
Okay, Thanks!

Like I said, it will be later on tonight. I'll keep you posted.
[Post New]14/08/2004 08:59:27
    Subject:
[Up]
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline
Carbonize, that upgrade didn't happen yet. I am doing this for someone else. - I don't know, maybe a day or two.
[Post New]14/08/2004 09:35:37
    Subject:
[Up]
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
No worries. Atleast I got off my arse and uploaded the thing for people to try. lol
Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
[Post New]19/08/2004 03:44:23
    Subject:
[Up]
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline
Carbonize, when I went to upgrade the guestbook, I found the Admin had some other tables with data in there. Didn't know what the information was for, so I decided not to upgrade the database (there were no guestbook entries). I created a new database instead. So I didn't get to try your script.
[Post New]19/08/2004 04:04:17
    Subject:
[Up]
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
oh well i'll have to test it myself someday.
Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
[Post New]25/09/2004 16:40:32
    Subject:
[Up]
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
I was just doing a search of the forums to see when the last time the script writer actually posted was and I discovered that the SQL injection exploit was actually discovered in 2002 and reported to him, It also affected 2.3 which I assume is why he released 2.3.1. I wonder if I can't just edit the session.class.php file to fix the exploit in 2.2 and save people having to upgrade.

Somebody send me the session.class.php file from 2.2 please. Email is at the bottom of this post or on my website.
Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
[Post New]25/09/2004 20:12:29
    Subject:
[Up]
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline
On its way to you carb.
LINK-> Use Lazarus Guestbook
[WWW] [Yahoo!] aim icon [MSN]
[Post New]03/10/2004 00:58:12
    Subject:
[Up]
bipicciuti
Newbie

Joined: 02/10/2004 21:24:38
Messages: 1
Offline
hi.....i'm a noob..welll how use this???

') OR ('a' = 'a


Sorry for my bad inglish i'm italian
[Post New]03/10/2004 03:07:37
    Subject:
[Up]
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline
I dont think anyone is going to explain to you on how to use an exploit.
LINK-> Use Lazarus Guestbook
[WWW] [Yahoo!] aim icon [MSN]
 
Forum Index » General Discussion
Go to:   
Based on the open source JForum