The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
ok, today i helped ptbyjason to take control again over his hacked board.
https://vborg.vbsupport.ru/showthrea...threadid=35339

while playing, i discovered a way to add myself as admin to any VB board, if i'm able to call the path from the server. FireFly, i want to email you the php file i made. email me so i can send you the file and you can look at it.

the solution is to change the permissions for the admin folder in a way that if any file is called from outside of the server, to display a show_nopermission error message.

UPDATE: in /admin/config.php add this code, at the top:

PHP Code:
#2
try this:
make an info.php file with the code listed below and place it in your root: PHP Code:
PHP Code:
PHP Code:
you know what? all this info i found it on google.com.
#3
nakkid, email it to me and I'll look at it straight away. I don't think you can do this without FTP access though, and if mysql is set up correctly you shouldn't be able to access it via another server.
#4
I also think that this is not possible without uploading a file into that ftp account.....
#5
hmm how do you explain the problem ptbyjason had? the hacker didn't have access as admin to his board.. he did it from another server!! we need to change the permissions.. it's a fact. read the post where i helped jason...
#6
ok, i emailed you the script PPN... do you know a way to not let any file be called from outside of /admin dir? let me know. i'm not good with permissions.
#7
If he had access on the server, if it was a shared server? Then yes, this happens. There is nothing that can be done about this: if the permissions are not set correctly by the host, then other users can read other users' files.
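The shared-host permission problem described in post #7, as an added example that is not part of the thread: a shell audit that lists everything under a board's admin folder that other local accounts can access, plus a lock-down step. The function names and the sample tree are constructed for illustration, and the lock-down assumes PHP runs as the account owner (suEXEC or per-user PHP).

```shell
#!/bin/sh
# Added example: audit a forum's admin directory for files that other
# local accounts on a shared host can read, write or execute.
# Function names and the sample tree are constructed for illustration.

# Print every file/dir under $1 with any "other" permission bit set.
list_other_accessible() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Return 0 when nothing under $1 is accessible to "other", 1 otherwise.
audit_admin_dir() {
    found=$(list_other_accessible "$1")
    if [ -n "$found" ]; then
        printf 'accessible to other users:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Remove all "other" bits. Assumes PHP runs as the account owner
# (suEXEC or per-user PHP); otherwise the web server also loses access.
lock_down() {
    chmod -R o-rwx "$1"
}

# Constructed sample tree standing in for a board's /admin folder.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/admin"
    printf '<?php // constructed placeholder\n' > "$d/admin/config.php"
    chmod 755 "$d/admin"
    chmod 644 "$d/admin/config.php"
    printf '%s\n' "$d"
}

# Usage: audit_admin_dir /path/to/forum/admin || lock_down /path/to/forum/admin
```

If the web server runs as a separate user, grant it access through a shared group rather than through the "other" bits.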
#8
i know i read somewhere about this type of permission, not to let call a script from outside the domain. that's where i need to focus on.. this is where the problem resides..
#9
Simplest way to do something like this is use
PHP Code:
#10
ok. can you make a quick hack? so we all can add it to the /admin folder? thanks.