IT Security and Insecurity Portal |
An assignment: I hope I'm not breaking any rules

Posted: Thu Mar 11, 2010 6:15 pm
assignment
Regular user
Joined: Mar 11, 2010
Posts: 8

Hi, I'm a student and I was given an assignment to replicate an exploit. I chose to replicate this exploit: http://www.milw0rm.com/exploits/5070
I have done the HTML part and get the error as stated in http://www.waraxe.us/advisory-64.html
but I'm not sure what to do with the remaining part. I think the code is Perl; can anyone please put me through? Am I meant to do the remaining part?
Thanks in advance.
Cheers
(Please someone help me)
Posted: Thu Mar 11, 2010 8:03 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Install Perl on your computer.
Register a user on the victim forum.
Open a command prompt and type
perl mybb1211.pl host path user pass victim_uid
mybb1211.pl ----> name of your script
host ----> victim URL without http://
user ----> your registered username
pass ----> password for your user
victim_uid ----> you need to know the id of the admin account.
Press Enter and wait for the results.
Posted: Thu Mar 11, 2010 8:06 pm
assignment
Regular user
Joined: Mar 11, 2010
Posts: 8

pexli wrote:
> Install Perl on your computer.
> Register a user on the victim forum.
> Open a command prompt and type
> perl mybb1211.pl host path user pass victim_uid
> mybb1211.pl ----> name of your script
> host ----> victim URL without http://
> user ----> your registered username
> pass ----> password for your user
> victim_uid ----> you need to know the id of the admin account.
> Press Enter and wait for the results.

Thanks, I'm trying it out now.
Posted: Thu Mar 11, 2010 8:13 pm
assignment
Regular user
Joined: Mar 11, 2010
Posts: 8

pexli wrote:
> Install Perl on your computer.
> Register a user on the victim forum.
> Open a command prompt and type
> perl mybb1211.pl host path user pass victim_uid
> mybb1211.pl ----> name of your script
> host ----> victim URL without http://
> user ----> your registered username
> pass ----> password for your user
> victim_uid ----> you need to know the id of the admin account.
> Press Enter and wait for the results.

1: Do I need to compile the script, or just copy it into a text file and save it with that extension? I have just downloaded Strawberry Perl for Windows.
2: Is this what my command should look like?
perl now.pl localhost/theforum/private.php linda lindayang 3
Posted: Thu Mar 11, 2010 9:58 pm
assignment
Regular user
Joined: Mar 11, 2010
Posts: 8

assignment wrote:
> pexli wrote:
> > Install Perl on your computer.
> > Register a user on the victim forum.
> > Open a command prompt and type
> > perl mybb1211.pl host path user pass victim_uid
> > mybb1211.pl ----> name of your script
> > host ----> victim URL without http://
> > user ----> your registered username
> > pass ----> password for your user
> > victim_uid ----> you need to know the id of the admin account.
> > Press Enter and wait for the results.
>
> 1: Do I need to compile the script, or just copy it into a text file and save it with that extension? I have just downloaded Strawberry Perl for Windows.
> 2: Is this what my command should look like?
> perl now.pl localhost/theforum/private.php linda lindayang 3

I have now gotten to the path where it says "login unsuccessful"
>>Usage: perl mybb1211.pl host path user pass victim_uid [last_victim_uid]<<
I know my "uid" from the HTML code I ran, but which one refers to the "last_victim_uid"?
Posted: Thu Mar 11, 2010 10:05 pm
vince213333
Advanced user
Joined: Aug 03, 2009
Posts: 737
Location: Belgium

The user id is mostly visible when you visit a person's profile on a forum (have a look at the URL).
And I think the optional parameter [last_...] is to enter a range of ids to get the data from, instead of just one.
Posted: Thu Mar 11, 2010 10:27 pm
assignment
Regular user
Joined: Mar 11, 2010
Posts: 8

vince213333 wrote:
> The user id is mostly visible when you visit a person's profile on a forum (have a look at the URL).
> And I think the optional parameter [last_...] is to enter a range of ids to get the data from, instead of just one.

VALUES ('3', '3', '4', '1', 'f00subject', '0', 'f00message', '1268346256', '0', 'no', '',linda,'', '0', '0')
From this I can see the "uid" is 3, so please, which one of those numbers will fall into the category of [last_...]?
*I must be a real pain asking all these questions, but I appreciate the help, bear with me.
Posted: Thu Mar 11, 2010 10:31 pm
vince213333
Advanced user
Joined: Aug 03, 2009
Posts: 737
Location: Belgium

That's not entirely what I meant.
The line you have there is the data from one user. It's indeed likely that 3 is the user id.
Now you have [last_victim_id], which is an optional parameter because it's between square brackets (standard notation).
If you'd execute the command without that optional parameter, you'd get the data of the person with user id 3.
Now let's say you want the data of users 3 to 9; then you'd use the optional parameter too. So your command looks like "... 3 9".
At least that's how I think it works ^^ Haven't tried it myself.
Posted: Thu Mar 11, 2010 10:48 pm
assignment
Regular user
Joined: Mar 11, 2010
Posts: 8

vince213333 wrote:
> That's not entirely what I meant.
> The line you have there is the data from one user. It's indeed likely that 3 is the user id.
> Now you have [last_victim_id], which is an optional parameter because it's between square brackets (standard notation).
> If you'd execute the command without that optional parameter, you'd get the data of the person with user id 3.
> Now let's say you want the data of users 3 to 9; then you'd use the optional parameter too. So your command looks like "... 3 9".
> At least that's how I think it works ^^ Haven't tried it myself.

When I run the code without the optional parameter I get this in my command prompt:
############################################################################
# MyBB <=1.2.11 SQL Injection Exploit by F #
############################################################################
# Usage: perl mybb1211.pl host path user pass victim_uid [last_victim_uid] #
############################################################################
but when I add another valid uid I get
#################################################
# MyBB <=1.2.11 SQL Injection Exp
#################################################
[~] Host: http://localhost/theforum/private.php
[~] Path: linda
[~] User: lindayang
[~] Pass: 1
[~] From #3
[~] To #3
[-] Login unsuccessful
C:\strawberry\perl\bin>
Posted: Fri Mar 12, 2010 11:23 am
assignment
Regular user
Joined: Mar 11, 2010
Posts: 8

assignment wrote:
> vince213333 wrote:
> > That's not entirely what I meant.
> > The line you have there is the data from one user. It's indeed likely that 3 is the user id.
> > Now you have [last_victim_id], which is an optional parameter because it's between square brackets (standard notation).
> > If you'd execute the command without that optional parameter, you'd get the data of the person with user id 3.
> > Now let's say you want the data of users 3 to 9; then you'd use the optional parameter too. So your command looks like "... 3 9".
> > At least that's how I think it works ^^ Haven't tried it myself.
>
> When I run the code without the optional parameter I get this in my command prompt:
> ############################################################################
> # MyBB <=1.2.11 SQL Injection Exploit by F #
> ############################################################################
> # Usage: perl mybb1211.pl host path user pass victim_uid [last_victim_uid] #
> ############################################################################
> but when I add another valid uid I get
> #################################################
> # MyBB <=1.2.11 SQL Injection Exp
> #################################################
> [~] Host: http://localhost/theforum/private.php
> [~] Path: linda
> [~] User: lindayang
> [~] Pass: 1
> [~] From #3
> [~] To #3
> [-] Login unsuccessful
> C:\strawberry\perl\bin>

*bump
Posted: Fri Mar 12, 2010 6:34 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Dude, you need to read some books. Real books. PHP, MySQL, what a path is, cookies, Perl scripts ... etc.
Posted: Fri Mar 12, 2010 9:32 pm
assignment
Regular user
Joined: Mar 11, 2010
Posts: 8

pexli wrote:
> Dude, you need to read some books. Real books. PHP, MySQL, what a path is, cookies, Perl scripts ... etc.

Very true, and I'm seriously thinking about it.
Posted: Sat Mar 13, 2010 3:44 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

My suggestion is to try that exploit manually, without any third-party scripts.
First you must create a test environment (WAMP or LAMP) and install the vulnerable MyBB forum.
Then copy/paste my example exploit HTML code, modify it as needed, then use Firefox and log in to the forum as a valid user.
Now you have a valid browser session; next, via "File->Open File", open your example HTML form and push the submit button.
If you still can't see the SQL error message, then you need to open "private.php" in a text editor and find the vulnerable piece of code.
Use var_dump() or print_r() for debugging and try to see if the attack parameter goes through as expected.
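Added example, not code from this thread or from MyBB: a Python script that uses SQLite in place of MySQL to show why the INSERT quoted earlier in the thread fails (the name is spliced into the VALUES list unquoted, so the database parses it as a column reference rather than a string) and how a parameterised insert accepts the same input without building SQL from it. The table and column names are assumed for illustration.

```python
"""Vulnerable-pattern vs. hardened insert, SQLite standing in for MySQL.

Hypothetical schema: not MyBB's real table layout, just enough columns to
mirror the VALUES (...) fragment pasted in the thread.
"""
import sqlite3

SCHEMA = """
CREATE TABLE privatemessages (
    pmid     INTEGER PRIMARY KEY AUTOINCREMENT,
    uid      INTEGER,
    toid     INTEGER,
    fromid   INTEGER,
    subject  TEXT,
    message  TEXT,
    dateline INTEGER,
    toname   TEXT
);
"""


def open_db():
    """Fresh in-memory database with the assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_unsafe(conn, uid, toid, fromid, subject, message, dateline, toname):
    """Vulnerable pattern: every value is interpolated into the statement text.

    'toname' is not even quoted, mirroring the ,linda, fragment in the thread.
    With a plain name the statement is a syntax/reference error; any input that
    contains quotes or SQL keywords would change the statement's meaning.
    """
    sql = ("INSERT INTO privatemessages "
           "(uid, toid, fromid, subject, message, dateline, toname) "
           f"VALUES ('{uid}', '{toid}', '{fromid}', '{subject}', "
           f"'{message}', '{dateline}', {toname})")
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:          # e.g. "no such column: linda"
        return f"sql error: {exc}"


def insert_safe(conn, uid, toid, fromid, subject, message, dateline, toname):
    """Hardened pattern: placeholders; the driver binds values as data."""
    sql = ("INSERT INTO privatemessages "
           "(uid, toid, fromid, subject, message, dateline, toname) "
           "VALUES (?, ?, ?, ?, ?, ?, ?)")
    conn.execute(sql, (uid, toid, fromid, subject, message, dateline, toname))
    conn.commit()
    return "ok"


def count_rows(conn):
    """Number of stored messages, used to confirm what each insert did."""
    return conn.execute("SELECT COUNT(*) FROM privatemessages").fetchone()[0]
```

Run with the sample row from the thread (uid 3, toname "linda"): the unsafe insert reports an SQL error and stores nothing, while the safe insert stores the row and also copes with a name such as "d'arcy" that would break the string-built statement.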
Posted: Sun Mar 14, 2010 8:36 pm
x3roconf_
Advanced user
Joined: May 01, 2008
Posts: 101

Hi waraxe! Nice to see you.