If you are not registered or logged in, you may still use these forums but with limited features. Show recent topics
  [Search] Search   [Hottest Topics] Hottest Topics   [Members]  Member Listing   [FAQ]  FAQ 
[Register] Register / 
[Login] Login 
Advanced Guestbook 2.2 -- SQL Injection Exploit  XML
Forum Index » General Discussion
Author Message
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

Ktoadd wrote:Mine was just hacked as well:

http://www.bluetongueskinks.net/guestbook
Fixed.

Since you are using 2.2 and now have no entries how would you fancy trying my upgrade script which should update the SQL entries from 2.2 to 2.3.1. At worst you will just have to delete all the entries from the database but as it's blank anyway .......

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

Carbonize, I'd like to try the script. How can I get it? I will be upgrading one later tonight or tomorrow... wish I'd had it yesterday.
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

OK back up your current SQL database. Download www.carbonize.co.uk/install.zip and extract the file. Replace the install.php in 2.3.1 with this one. Then upload 2.3.1 to your host, preferably in a different folder to 2.2. Fill i the admin/config.php and then try the install.php. I hope it works.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

Okay, Thanks!

Like I said, it will be later on tonight. I'll keep you posted.
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

Carbonize, that upgrade didn't happen yet. I am doing this for someone else. - I don't know, maybe a day or two.
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

No worries. Atleast I got off my arse and uploaded the thing for people to try. lol

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

Carbonize, when I went to upgrade the guestbook, I found the Admin had some other tables with data in there. Didn't know what the information was for, so I decided not to upgrade the database (there were no guestbook entries). I created a new database instead. So I didn't get to try your script.
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

oh well i'll have to test it myself someday.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

I was just doing a search of the forums to see when the last time the script writer actually posted was and I discovered that the SQL injection exploit was actually discovered in 2002 and reported to him, It also affected 2.3 which I assume is why he released 2.3.1. I wonder if I can't just edit the session.class.php file to fix the exploit in 2.2 and save people having to upgrade.

Somebody send me the session.class.php file from 2.2 please. Email is at the bottom of this post or on my website.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

On its way to you carb.

LINK-> Use Lazarus Guestbook
[WWW] [Yahoo!] aim icon [MSN]
bipicciuti
Newbie

Joined: 02/10/2004 21:24:38
Messages: 1
Offline

hi.....i'm a noob..welll how use this???

') OR ('a' = 'a


Sorry for my bad inglish i'm italian
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

I dont think anyone is going to explain to you on how to use an exploit.

LINK-> Use Lazarus Guestbook
[WWW] [Yahoo!] aim icon [MSN]
 
Forum Index » General Discussion
Go to:   
Based on the open source JForum