Latest posts for the topic "Advanced Guestbook 2.2 -- SQL Injection Exploit"

Advanced Guestbook 2.2 -- SQL Injection Exploit

Jam'n — GMT

I found out that Advanced Guestbook 2.2 appears vulnerable to SQL Injection granting the attacker administrator access. The attack is very simple and consists of inputting a special password string leaving the username entry blank:

So I suggest you upgrade to the latest version.

Guestbook Hack

xavior93 — GMT

This guestbook is very hackable. Yesterday as a matter of fact, some guy in poland hacked the guestbook which gave him the ability to change and remove files off my webserver. He was a persistant little bugger. He made my day very interesting. The guys name is Andrzej Bilski <3tc69@wp.pl> from http://republika.pl. So just watch out, it'll make your day very interesting.

fireman949 — GMT

How exploitable is the latest version - 2.3.1?

Jam'n — GMT

No kown exploits yet (as far as I know).

exploitable 2.3.1 ??

becki — GMT

hello,

hmh ... i'm not sure if the version 2.3.1 isn't open for the exploit with the empty username and the password ') OR ('a' = 'a

well ... i mean even http://proxy2.de/guestbook/admin.php is secured with a .htaccess file !! there must be a reason for it, isn't it ??

i could gain access on SOME guestbooks on the internet runing the version 2.3.1 .... but this wasn't possible EVERY time ! sometimes the exploit just worked and other times it doesn't !! strange behaviour

anyway ... developed a security patch for this exploit a couple of days ago and just thought it might be worth posting here and let other people know about

sooo ...check out this link => http://www.beckspaced.com/gb_fix/index.php

hope this helps a bit

all the best
becki

JTD — GMT

So waht you are saying is just double password and login protect it. Correct??? Also does your patch work on version 2.2???

becki — GMT

so what am I trying to say ?? everything quite easy first go and read all the stuff written at http://www.beckspaced.com/gb_fix/index.php ! there's all the info you should need

then ... you don't need to double protect your guestbook ! just decide for which you want to go >

1.) protect via .htaccess file
2.) install the patch !

either one of those should work fine

about the version i'm not sure i just downloaded the latest version from http://proxy2.de and therefore i suppose it's version 2.3.1 !!

as i don't have any older version like 2.2 i don't recmommend to install the patch on a 2.2 version ! better upgrade to 2.3.1 and then install the patch !

or pass me the old 2.2. version so i can have a look on how to secure this thing

hope this helps
becki

Jam'n — GMT

Seems the Exploit was posible thru a bug in the php version you use.
So if your hosting company has the latest version than the bug doesn't work.

Carbonize — GMT

I've just done a search on Google for "advanced guestbook 2.2" and every site i found I could log in on. Some had been hacked so I fixed them and I cleaned up the spam in others. I am running 2.3.1 on PHP 4.3.4 so I am safe as this seems to have fixed the magic quotes problem. I would highly recommend updating to 2.3.1 and hassling your webhost about updating their PHP version. In the meantime I suggest either protecting your admin.php with .htaccess as has been suggested or simply renaming it and removing the link to it from the guestbook. After all if they can't find it they can't exploit it.

becki — GMT

well ... also went on a search on google.com a while ago and searched for guestbooks open for the exploit !
then i also found some version 2.3.1 guestbooks runing PHP version up to 4.3.7 which were still open for the exploit !!!

also posted a bug report on http://bugs.php.net/bug.php?id=28906 but so far this report is still OPEN !! for weeks now

so .. protect your admin.php file with .htaccess file ..... or rename it ... not a good solution .... or install the patch which can be found at http://www.beckspaced.com/gb_fix/index.php

in the meantime .. have fun & enjoy life to its best

becki

Carbonize — GMT

Hmmm I don't have a copy of 2.2 but I wonder if we couldn't put in a simple

[code]if ($password = "') OR ('a' = 'a") die ('Nice try ;-)');[/code]

Carbonize — GMT

or more likely look for "') OR ('a' = 'a" in the supplied password or trim($password)

Carbonize — GMT

I have just set my guestbook up to post a nice message if anyone tries to use the exploit password it also logs their details.

Ktoadd — GMT

Hi guys, was reading through some of these hacking posts....

Mine was just hacked as well:

http://www.bluetongueskinks.net/guestbook

Someone told me to just go with dreambook... Or should I upgrade, and the problem will be solved? What would you guys suggest, I'm not even sure how to upgrade.

Thanks a lot for any help... I'm sure you get tired of the same questions... Sorry..

amber222 — GMT

Trevor has supplied the info here:

http://proxy2.de/forum/viewtopic.php?t=3475

Carbonize — GMT

[quote="Ktoadd"]Mine was just hacked as well:

http://www.bluetongueskinks.net/guestbook[/quote] Fixed.

Since you are using 2.2 and now have no entries how would you fancy trying my upgrade script which should update the SQL entries from 2.2 to 2.3.1. At worst you will just have to delete all the entries from the database but as it's blank anyway .......

amber222 — GMT

Carbonize, I'd like to try the script. How can I get it? I will be upgrading one later tonight or tomorrow... wish I'd had it yesterday.

Carbonize — GMT

OK back up your current SQL database. Download www.carbonize.co.uk/install.zip and extract the file. Replace the install.php in 2.3.1 with this one. Then upload 2.3.1 to your host, preferably in a different folder to 2.2. Fill i the admin/config.php and then try the install.php. I hope it works.

amber222 — GMT

Okay, Thanks!

Like I said, it will be later on tonight. I'll keep you posted.

amber222 — GMT

Carbonize, that upgrade didn't happen yet. I am doing this for someone else. - I don't know, maybe a day or two.

Carbonize — GMT

No worries. Atleast I got off my arse and uploaded the thing for people to try. lol

amber222 — GMT

Carbonize, when I went to upgrade the guestbook, I found the Admin had some other tables with data in there. Didn't know what the information was for, so I decided not to upgrade the database (there were no guestbook entries). I created a new database instead. So I didn't get to try your script.

Carbonize — GMT

oh well i'll have to test it myself someday.

Carbonize — GMT

I was just doing a search of the forums to see when the last time the script writer actually posted was and I discovered that the SQL injection exploit was actually discovered in 2002 and reported to him, It also affected 2.3 which I assume is why he released 2.3.1. I wonder if I can't just edit the session.class.php file to fix the exploit in 2.2 and save people having to upgrade.

Somebody send me the session.class.php file from 2.2 please. Email is at the bottom of this post or on my website.

JTD — GMT

On its way to you carb.

bipicciuti — GMT

hi.....i'm a noob..welll how use this???

') OR ('a' = 'a

Sorry for my bad inglish i'm italian

JTD — GMT

I dont think anyone is going to explain to you on how to use an exploit.