Lucene search

K

flatnuke3-cm.txt

🗓️ 23 Oct 2007 00:00:00Reported by KiNgOfThEwOrLdType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 14 Views

Flatnuke3 Remote Cookie Manipoulation / Privilege Escalation . User log in, flatnuke set cookie value. Bypass filter using nullbyte and login as admin. PHP Execution PoC in download module

Show more
Code
`---------------------------------------------------------------  
____ __________ __ ____ __   
/_ | ____ |__\_____ \ _____/ |_ /_ |/ |_   
| |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\  
| | | \ | |/ \ \___| | /_____/ | || |   
|___|___| /\__| /______ /\___ >__| |___||__|   
\/\______| \/ \/   
---------------------------------------------------------------  
  
Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org   
  
---------------------------------------------------------------  
  
Flatnuke3 Remote Cookie Manipoulation / Privilege Escalation  
  
---------------------------------------------------------------  
  
#By KiNgOfThEwOrLd  
  
---------------------------------------------------------------  
PoC:  
  
When an user log in, flatnuke set him a cookie value like this:   
myforum=nomeuser. If we try to change it, flatnuke will ask us to log in again.   
The code is:  
  
$req = $_SERVER["REQUEST_URI"];  
if (strstr($req, "myforum="))  
die(_NONPUOI);  
  
So, we can bypass this filter, using nullbyte and login as admin. For example,   
Replace:   
  
myforum=yourusername   
  
with:   
  
myforum%00=adminusername  
  
PHP Execution PoC:  
  
I saw that in download module, if we set to "1" the fneditmode, we can make   
directory. So, we can write a description for the directory, and this   
description will be saved in /Download/[Dir_Name]/description.it.php . Yes, we   
can insert php code in the description and it will be execute! Nice, dontcha? :  
P  
---------------------------------------------------------------  
  
Original here: http://www.inj3ct-it.org/exploit/flatnuke3-cm.txt  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
23 Oct 2007 00:00Current
7.4High risk
Vulners AI Score7.4
14
.json
Report